Theseus Revisited

2006-12-31

Bob Wyman suggests that it's time to update Zooko's triangle by adding a dimension of persistence vs. non-persistence to the existing dimensions of unique vs. non-unique, global vs. local, and memorable vs. non-memorable.

First, it's important to clearly understand the meaning and import of Zooko's triangle (note well: the task is made harder by the fact that the property names at the above-referenced Wikipedia page are seriously confusing). Bob lays it out as follows:

The argument made by Zooko's Triangle is that no naming/identity scheme can provide all three of the attributes Zooko considers essential metrics of identity systems. For instance, while you might be able to build a "Secure and Global" naming system, in doing so, you would undoubtedly need to use identifiers that were not "memorable" -- at least not by mere humans. The importance of these three system attributes and the difficulty of producing systems which provide all three is generally well accepted by those in the naming/identity business.

As I wrote in XEP-0165: Best Practices to Prevent JID Mimicking, my understanding is that no one scheme can provide names that are simultaneously global, unique, and memorable (where a name could be an address, identifier, nickname, handle, etc.). However, certain combinations of names can together provide all three properties. Such combinations are commonly called petname systems. In XEP-0165, I use the following example:

  1. Let's say my JabberID is "stpeter@jabber.org". That ID is unique on the Jabber network ("stpeter" is unique at the domain jabber.org and the jabber.org domain is unique on the network because of DNS). It is also global (again because of our use of DNS). So "stpeter@jabber.org" is both global and unique, but it may or may not be memorable to regular old humans. If the JID were something more complicated like "j.peter.saint-andre@corp.jabber.com" or if we used an even less memorable ID such as "CFFC A717 0EAC 8051 58C4 224F 3CD5 C970 E495 30ED" (the fingerprint of my X.509 certificate) then it would be less memorable. As Meat Loaf said, two out of three ain't bad. But it doesn't get us to a petname system.

  2. Let's say I assert to all Jabber users that my nickname is "PSA". That's quite memorable, but it's probably not unique (lots of folks could assert the same nickname). However, I want everyone to use that nickname for me, so in a sense it is global. I guess that's one-and-a-half out of three (two out of three if you're feeling generous).

  3. Let's say when you add me to your contact list, you give me a "handle" of "that Jabber protocol dude" and you never assign the same handle to any other person in your contact list. This handle is quite memorable to you and it is unique within your personal context, but it is purely local. Here again, two out of three.

What happens when we put these three names together? We have a global+unique address, a global+memorable nickname, and a non-global+unique handle. If you talk about me with another person on the network, you can refer to me as stpeter@jabber.org + PSA (but you must never mention that your handle for me is "that Jabber protocol dude"). If you receive a message from stpeter@jabbber.org (note the third "b"), your client will warn you that the sender is not "that Jabber protocol dude". Together this combination of names gets us closer to a system that provides the properties of global, unique, and memorable (GUM?). (Note: It's even better if we associate a cryptographic key, or fingerprint thereof, with the address / nickname / handle, but we'll look at that some other time.)
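The combination just described, as an added example that is not code from the original post or from XEP-0165: a minimal petname store in which only the global, unique JID selects a local handle, so a message from a lookalike address or from an unknown JID reusing a contact's nickname is flagged rather than displayed under the contact's handle. The class and method names, and the lookalike threshold, are assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, Tuple


@dataclass(frozen=True)
class Contact:
    jid: str       # global + unique (DNS-backed), e.g. "stpeter@jabber.org"
    nickname: str  # global + memorable, asserted by the contact ("PSA")
    handle: str    # local + unique + memorable, chosen by you


class PetnameStore:
    """Your contact list: the only place a JID is bound to a handle (assumed design)."""

    def __init__(self, lookalike_threshold: float = 0.9):
        self._by_jid: Dict[str, Contact] = {}
        self._threshold = lookalike_threshold  # assumed cut-off for "looks like"

    def add(self, jid: str, nickname: str, handle: str) -> Contact:
        key = jid.lower()  # treat JIDs case-insensitively
        if key in self._by_jid:
            raise ValueError(f"{jid} already has a handle")
        if any(c.handle == handle for c in self._by_jid.values()):
            raise ValueError("a handle must be unique within your contact list")
        contact = Contact(key, nickname, handle)
        self._by_jid[key] = contact
        return contact

    def describe_sender(self, jid: str, claimed_nickname: str) -> Tuple[str, str]:
        """Label an incoming message as ('known', handle), ('warn', reason)
        or ('unknown', jid). The nickname never selects a handle by itself."""
        key = jid.lower()
        if key in self._by_jid:
            return ("known", self._by_jid[key].handle)
        for c in self._by_jid.values():
            # Unknown JID asserting a nickname one of your contacts already uses.
            if c.nickname.casefold() == claimed_nickname.casefold():
                return ("warn", f'sender is not "{c.handle}" (nickname reused by {key})')
            # jabber.org vs jabbber.org: near-identical address, different identity.
            if SequenceMatcher(None, key, c.jid).ratio() >= self._threshold:
                return ("warn", f'sender is not "{c.handle}" (address resembles {c.jid})')
        return ("unknown", key)
```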

Now to this "GUM" system, Bob Wyman suggests that we need to add "P" for persistence (GUMP?):

To the three attributes or axes of Zooko's Triangle, we need to add a fourth axis or dimension which is "Persistence" (i.e. that which relates to the difficult and controversial subject of Identity over Time). The result is a pyramid which allows us to better model constraints on the universe of achievable identity systems. For any of the three traditionally recognized attributes, we need to ask the question "For how long?" (e.g. For how long will an identifier be memorable? For how long will an identity system be secure? What determines the period of time during which a globally unique identifier can be considered "global?")

When Snow White met the dwarfs, the names "Sneezy," "Sleepy", and "Dopey" were highly memorable because those names were highly descriptive of the individuals identified by those names and because those individuals were constantly reinforcing the appropriateness of their names through very visible patterns of behavior. But, had Sneezy recovered from his allergies before meeting Snow White and had Sleepy previously learned to go to bed earlier, Snow White might have found their once memorable names to be less than memorable. (The memorability of the dwarfs' names was limited to a specific period of time.) Similarly, we are all well aware that we simply don't have the algorithms needed to build systems whose security is everlasting. Security is a temporal quality. No matter how "secure" you may intend your system to be, it is simply a matter of time and effort that is needed to break it.

It's true that all of the names I mention in my example could be non-persistent. Jer might forget to renew his registration for jabber.org and the domain might fall into the hands of someone who pulls the plug on the XMPP service there. I might decide to change my nickname from PSA to MaineBoy. You might decide to change your handle for me to "the guy who blogs at one small voice". My X.509 certificate might be revoked and I might generate a new one through a provider other than StartCom. I might get hit by a bus tomorrow and die on the way to the hospital, in which case my identity will become of only historical interest. Etc.

Well, sure -- everything is temporal (at least until the heat-death of the universe). I do think Bob's right that we do need to take better account of persistence -- or, more precisely, the lack of persistence -- in our identity systems. But I'm not yet sure if we need to expand Zooko's Triangle into Zooko's Pyramid in order to do that. We seem to function OK in Internet-space without persistent identifiers, since we use social norms to solve the problem of non-persistence ("sorry, changed my email address again"; "I'm no longer blogging here, go there for my latest posts"; "my old cert expired, here's my new cert"; "don't call me PSA anymore, call me MaineBoy"). That said, most people do have a persistent identifier in meatspace (in America we call it a Social Security Number). Do we need such a persistent identifier on the Internet? (I have an i-name, but do I really need an i-number?) I'm not yet convinced, but I haven't followed the argument very closely.

If anything, I tend to think that identity persistence is an emergent property of a combination of names. My email address changes but my JabberID and domain name stay the same during the transition; then I get a new cert but my (new) email address, JabberID, and domain name persist through that transition. Etc. As long as I don't change everything at once, we have as much identity persistence as the ship of Theseus did, which has enough persistence to provide a useful concept of identity for most people. Perfection (in this case, guaranteed persistence to the end of time) is not an option...


Peter Saint-Andre > Journal