I do thank you for the support and attentive response - well spoken, measured, and presented as always.
I still find myself troubled by the niggly bits of the IOA and consent propagation - and wish I had more time than Tuesday nights to really sift through this. Please bear with my misunderstandings and help me get to the bottom of that nagging feeling that one or two stitches are still out of place.
Current Language / IO Obligations
The current language is:
Identity Owner Obligations
The Identity Owner shall conform to all policies set forth in the PTF and STF that apply to:
1. Identity Owners.
2. Any additional role for which the Identity Owner qualifies and elects, including Trust Anchor and Guardian.
The Identity Owner shall not:
1. Abuse, spam, or otherwise take malicious action against the Sovrin Network.
2. Interfere with the use or enjoyment of the Sovrin Network by other Members.
3. Use a Sovrin Identity to impersonate another Identity Owner or otherwise misrepresent the Identity Owner’s identity or relationships.
4. Otherwise break their Sovrin Promise.
I don't see the need for #2, except as some pre-emptive statement - an IO who also has the "woodworking merit badge" is still an IO. The clause seems redundant - and if there is some intent whereby this might not be redundant, that intent ought to be more clearly visible. I'm just wondering about a simpler statement of this obligation:
The IO shall conform to all policies set forth in the PTF and STF, in all engagements with the Sovrin Network, by virtue of being an IO and without further qualification.
In other words, IO is entire and complete - there can be no division, such as "IOs whose names are like %Bob%" and "IOs who act as TAs".
Of most concern to me, however, is item #3 in the second set. #1 and #2 are pretty generic - they identify Abuse, Spam, Malicious Action, and Interference - those are pretty broad, and subject to the whims of precedence and social decision (the record of decision and action taken by the Sovrin Court, or Sovrin Council of Elders, or Respected Sovrinic Council, etc.) - no worries there. #4, likewise (through substitution of definition), basically says the same thing - it says "agrees to play by the rules of the STF and PTF" - and is, ultimately, redundant with the first section.
Item #3 however - is a problem. It extends outside of the relationship of the IO to the SN (Sovrin Network). It is about the use to which the DIDs on the SN are put - and that opens up a huge can of worms, and one that seems to me to show up again in the edge cases of the Verinym/Anonym/Pseudonym triad.
Very specifically, I think that item #3 should simply be dropped. The appropriate vehicles for the policing and management of item #3 are reputation systems and the mechanics of trust flow through the network. With the absence of PII on the ledger, the determination of impersonation is exceptionally vague, and in the case of anonyms, requires the claim that the PII linked to third-party accounts bound to anonym X is the same as the PII linked to third-party accounts bound to anonym Y, but furthermore, that the verinyms associated with the genesis of anonyms X and Y correspond to third-party linked PII such that verinym-which-authored-X has claim on the PII, while verinym-which-authored-Y does not. This, sadly, is probably one of the simplest contortions of such a case.
The Trust Anchor mechanism is appropriate for #3, the IOA is not.
I might counter with a term that says "IOs agree to support, enforce, and enhance the neutrality of the Sovrin Network as a means of establishing and maintaining the authenticity of identity" - but clearly the wording would need some smithing.
Thank you for pointing out the spec - the issue of guardianship and the 'claiming of an ID' via update of the DDO is clear there. Also, the IOA is clear - the Guardian owns the responsibility and liability for the IOA until transferred. I did not see (although I was perhaps going through the spec too rapidly) a specific means of rejecting the Guardianship of a DID/DDO. Presumably this is executed by "accepting the DID" and then "publishing a null DDO" - perhaps this needs to be trinary. The state change being from Guarded Identity -> (Owned Identity, Terminated Identity)?
This is an absolutely beautiful bit of wizardry, and I am very excited to learn more about it. It does indicate that DIDs can be easily partitioned into verinyms and anonyms - much in the way they can be quickly partitioned into Independent and Dependent. I think that this means we can update the taxonomy diagram.
Propagation of IOA consent
I expressed a concern that a verinym could author anonyms that did not correspond to IOs, but you countered
I think that is true, but only if the following statement is also true:
Anonyms are always Pseudonyms of the generating Verinym
I do not see the above claim formally documented anywhere. It may have been implied by the 'anti-impersonation' clause of the IOA, but (cutting out a long winded analysis) I think I could argue my way out of that. If the condition of pseudonymity is upheld, then IOA consent propagation is clear, with the following lemma:
Guardians may only create Verinyms
which is a rule that could be enforced by validator nodes, since the status of a DID/DDO as guarded/owned and as verinym/anonym is easily determined. This would be a tweak for the TGB, reifying the concepts of verinym and anonym.
My gut tells me that there are two issues here - at core, just two minor refinements:
1 - the Identity Owner obligations, item #B,3 - the "impersonation clause" - because this breaks out of the network and relies upon claims about the use to which the data pinned to the network was put. This is as thorny as the grammar required to express it.
2 - explicit recognition of verinyms and anonyms as entities within the technical taxonomy of both the Sovrin Network and the governing trust framework - rendering the rules of anonym generation and processing, and the differences from verinym processing, and in particular how verinyms participate within the TA-based web of trust while anonyms represent nodes on potentially (completely) isolated subgraphs, while simultaneously demonstrating that the existence of anonyms implies that there exists a corresponding connected verinym node which has demonstrably consented to the IOA.
Point #2 here is particularly subtle and important to get right - because, at first glance, it makes absolutely no sense.
What comes to mind, when I think about #2, is the current fracas over the legal status of the "Facebook/React.js patent clause" - a moment of quick googling will reveal enormous discussion about a silly clause in the licensing of React.js (and other libraries) from Facebook. The discussion itself has given rise to "alternative facts" - otherwise known (outside of the Trump administration) as "vapid fantasy". The alternative fact in this case is the idea that Facebook can shut down your product line if your product line uses React and if they have a beef with you. That's not the case, but it is the result of overly subtle legal considerations making their way into the limelight through mass publication.
The parallel with Sovrin is the concept that an anonymous identity can somehow be held accountable to a legal framework when there is no way, even in mathematical principle, for the owner of that identity to be identified. The subtlety rests on an existence-proof vs. solution-proof - we know, by virtue of the fact of the existence of the DID, that there once was an IO who consented to the IOA, and with the refinements of IOA consent propagation, we know that the ultimate owner of that DID did consent to the IOA, even though we cannot, as a matter of mathematical reality, determine who that is.
It is such an obtuse statement that one has to wonder, "Why on earth does it matter, and wouldn't it be simpler to call Anonymity simply Anonymous?" - the fact that such a fine distinction was made, as a legal matter, must mean that "Something is rotten in the state of Sovrin".
Perhaps it is better to simply accept that certain simple freedoms be awarded to anonymity, with a throttling component ensuring that anonymity cannot be a vehicle for network abuse.
What this means is that "Verinyms accept the IOA, Anonyms do not" - but, since Verinyms can only mint a limited number of Anonyms, there is a throttling which can mitigate the risk of antagonistic Verinyms bent on intense disregard of the IOA and interested in attacking the SN.
The win is that the logic and expression is simple - the very fine-grained analysis of "complete coverage of IOA consent" is a bit long-winded, and with the removal of item #B,3 from the IO obligations, the pinning to PII external to the network is removed. If #B,3 is retained, then the IOA consent includes conventions which could potentially mandate the compulsion of 3rd parties to reveal PII data - I know that such a situation would surely never happen in a civilized world, but, well.... let me tell you the story of a boy named Ed.....
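Editor's note, added after the post above and not part of the author's text or of any Sovrin code: the two enforcement ideas in the post (the lemma "Guardians may only create Verinyms" that validator nodes could check, and the per-Verinym throttle on Anonym minting) are concrete enough to sketch as a validator-side policy. The example below models them in Python. Everything in it is an assumption for illustration: the reified `kind` field (verinym/anonym), the trinary `state` (guarded -> owned | terminated) the post asks about, the `author` link from a DID to the DID that created it, the `anonym_quota` value, and the `did:sov:...` identifiers, which are constructed sample data. Sovrin's actual ledger transactions carry none of these fields as such.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Trinary lifecycle from the post: Guarded Identity -> (Owned Identity, Terminated Identity).
GUARDED, OWNED, TERMINATED = "guarded", "owned", "terminated"


class PolicyError(Exception):
    """A submitted DID record breaks one of the consent-propagation rules."""


@dataclass
class DIDRecord:
    did: str
    kind: str                 # "verinym" or "anonym" (assumed reified field, not a real ledger attribute)
    author: Optional[str]     # DID that created this one; None for a self-created root verinym
    state: str = OWNED        # guarded -> owned | terminated


class Validator:
    """Toy validator node: holds DID records and enforces the two proposed rules."""

    def __init__(self, anonym_quota: int = 3) -> None:
        self.records: Dict[str, DIDRecord] = {}
        self.anonym_quota = anonym_quota   # assumed per-verinym mint limit (the "throttling component")

    def minted_anonyms(self, verinym: str) -> int:
        return sum(1 for r in self.records.values() if r.kind == "anonym" and r.author == verinym)

    def submit(self, rec: DIDRecord) -> None:
        if rec.kind not in ("verinym", "anonym"):
            raise PolicyError(f"unknown DID kind {rec.kind!r}")
        if rec.did in self.records:
            raise PolicyError(f"{rec.did} already exists")
        if rec.author is None:
            # A root DID consents to the IOA for itself, so it must be an owned verinym.
            if rec.kind != "verinym" or rec.state != OWNED:
                raise PolicyError("a self-created DID must be an owned verinym")
        else:
            author = self.records.get(rec.author)
            if author is None or author.state == TERMINATED:
                raise PolicyError(f"author {rec.author} unknown or terminated")
            if author.kind != "verinym":
                # "Anonyms are always Pseudonyms of the generating Verinym": only verinyms author DIDs.
                raise PolicyError("only a verinym may author new DIDs")
            if rec.kind == "anonym":
                # Rule 1 (the lemma): Guardians may only create Verinyms.
                if author.state == GUARDED:
                    raise PolicyError("Guardians may only create Verinyms")
                # Rule 2: a verinym may only mint a limited number of anonyms.
                if self.minted_anonyms(author.did) >= self.anonym_quota:
                    raise PolicyError(f"{author.did} exhausted its anonym quota")
                if rec.state != OWNED:
                    raise PolicyError("an anonym is owned by its verinym, never guarded")
            elif rec.state != GUARDED:
                # A verinym created on someone else's behalf begins life as a guarded identity.
                raise PolicyError("a verinym created by another DID must start guarded")
        self.records[rec.did] = rec

    def _guarded(self, did: str) -> DIDRecord:
        rec = self.records.get(did)
        if rec is None or rec.state != GUARDED:
            raise PolicyError(f"{did} is not a guarded identity")
        return rec

    def transfer_ownership(self, did: str) -> None:
        """Guarded Identity -> Owned Identity: the dependent claims the DID and with it the IOA."""
        self._guarded(did).state = OWNED

    def terminate(self, did: str) -> None:
        """Guarded Identity -> Terminated Identity: guardianship is rejected instead of claimed."""
        self._guarded(did).state = TERMINATED

    def consenting_verinym(self, did: str) -> str:
        """Existence proof: walk the author chain to the owned verinym whose IOA consent covers `did`."""
        rec = self.records[did]
        while not (rec.kind == "verinym" and rec.state == OWNED):
            if rec.author is None or rec.state == TERMINATED:
                raise PolicyError(f"no consenting verinym behind {did}")
            rec = self.records[rec.author]
        return rec.did


def demo() -> dict:
    """Constructed scenario (sample DIDs, not real ones) exercising both rules."""
    v = Validator(anonym_quota=2)
    v.submit(DIDRecord("did:sov:alice", "verinym", None))                   # root IO, consents directly
    v.submit(DIDRecord("did:sov:ward", "verinym", "did:sov:alice", GUARDED))  # alice acts as Guardian
    out = {}
    try:
        v.submit(DIDRecord("did:sov:anon0", "anonym", "did:sov:ward"))
        out["guardian_anonym"] = "accepted"
    except PolicyError as e:
        out["guardian_anonym"] = str(e)
    v.transfer_ownership("did:sov:ward")                                    # ward claims the DID
    v.submit(DIDRecord("did:sov:anon1", "anonym", "did:sov:ward"))
    v.submit(DIDRecord("did:sov:anon2", "anonym", "did:sov:ward"))
    try:
        v.submit(DIDRecord("did:sov:anon3", "anonym", "did:sov:ward"))
        out["third_anonym"] = "accepted"
    except PolicyError as e:
        out["third_anonym"] = str(e)
    out["consent_behind_anon2"] = v.consenting_verinym("did:sov:anon2")
    return out


if __name__ == "__main__":
    print(demo())
```

The point the scenario makes is the one the post argues: validators never learn who is behind `did:sov:anon2`, but `consenting_verinym` shows there is always an owned Verinym that accepted the IOA behind every Anonym, and the quota bounds how much damage one hostile Verinym can do through its Anonyms. The rule that a guarded Verinym cannot mint Anonyms is what makes that walk terminate at a consenting party rather than at a Guardian.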