Simplified Identity Owner Obligations


#1

The Sovrin Trust Framework Working Group is currently processing feedback on Public Review Draft 01 of the Sovrin Provisional Trust Framework (see this forum post for details) in order to produce Public Review Draft 02 by March 1.

The Sovrin Identity Owner Agreement was one of the areas where we received the most feedback. The #1 request was to simplify and streamline this agreement so it represented the minimum possible friction for new Sovrin Identity Owners while at the same time still providing a solid legal foundation for the Sovrin Network.

To this end, the Trust Framework Working Group agreed on two simplifications:

  1. Click-through consent. No separate off-ledger proof of consent is required. Rather, registration of a Sovrin DID with the Sovrin Ledger will constitute consent.
  2. Simplified obligations. The obligations of a Sovrin Identity Owner will be as simple and direct as possible.

To the second point, we have condensed the Identity Owner obligations down to exactly two sentences—one stating what you agree to do and one stating what you agree not do. The proposed wording is as follows (note that “You” is formally defined in the agreement as the Identity Owner, and all other terms in First Letter Caps are defined terms in Public Review Draft 01):

  1. You agree to the Sovrin Promise—to uphold the purpose, principles, and policies of the Sovrin Trust Framework, including any special policies applying to roles for which You qualify and elect such as Trust Anchor and Guardian—and to abide by all applicable laws and regulations.
  2. You agree not to abuse, attack, spam, or otherwise take any malicious action against the Sovrin Network and not to interfere with the use or enjoyment of the Sovrin Network by other Members.

Is this simple enough? Too simple? Please post any further thoughts or comments on this thread.

Thank you in advance,

=Drummond
Chair, Sovrin Trust Framework Working Group


Trust Anchor Obligations
#2

Perhaps I have missed the definition of the “Sovrin Promise” but beyond that it is nice and simple. Needs legal eyes though.

Where do I find the (marketing level) definition of the Sovrin Promise?


#3

OK. I found it but the term is too ambiguous to me. To understand it we force You to dive into the guts of all of the agreements and parse out your personal, “simple” idea of this “Sovrin Promise”. I could have missed something though.


#4

Looks good to me, still not sure how this is enforceable ie what happens if you don’t comply?

Two further thoughts:
To 1] You agree…

  • We should include the reference permanently updated where the purpose, principles & policies are maintained and / or
  • We should have a place where I as an Identity Owner can go and see any ‘special policies’ that apply to me in my additional roles all in one place. In systems I have worked with this has been architected as a separate T’s and C’s service. Every time these are updated the end customer is notified. A means of notifying changes will certainly be useful for compliance with many regulatory regimes / TFs
  • Are there requirements we should include in TA agreement to support these IOA obligations?

2] I think we should include the word ‘knowingly’ before ‘abuse…’ It’s a network its quite possible that your DID(s) may be part of someone else’s malicious attack and sometimes it is easy to confuse victim and perpetrator, at least initially. In the UK we have had a recent high court ruling on something called ‘joint enterprise’ which has overturned a number of convictions - basically courts were interpreting the law too harshly, so sometimes convicting people who just happened to know a criminal http://www.bbc.co.uk/news/uk-35598896. We need to put some safeguards in here as the baddies are ultra smart


#5

Good point that we need to link to a simple definition of the Sovrin Promise (which is in fact a simple way to refer to the entire set of Sovrin Trust Framework policies that apply to an Identity Owner). I’ll chat with @sblackmer about how best to do that.


#6

I am not a lawyer so we’ll have to ask @sblackmer but I think the answer is simply that you, the Identity Owner, have breached a contract and are liable for damages. Who and how we enforce are open questions, but IMHO the main purpose of the Identity Owner Agreement is to ensure that Identity Owners have this minimal set of duties and that enforcement is possible where needed.

Absolutely—I plan on adding a requirement that the Sovrin Foundation host this permanent reference and all Trust Anchors link to it.

Again, right on. Now here’s a nice thought: as soon as we have Sovrin agents providing secure private comms channels to their Identity Owners, any required notices can be delivered that way. Not just by us, the Sovrin Foundation, but by any organizational agent in the network who needs secure, private delivery of regulatory notices with automatic lifetime change-of-address built in!

I am writing them in there today.

Good point. Agreed and done.