Session Abstract: Decentralization is always and everywhere under threat. We seek to use it to enable automation, efficiency, and autonomy, but aligning incentives to make decentralization work is really hard. In the world of security, best practices and mandates are growing around zero trust architecture and tools like software bills of materials (SBOMs) to increase transparency around the risks of outsourcing, well, anything to anybody. Surely decentralized technologies, including those applied to digital identity, could use something similar.
If an SBOM is “a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships,” what would be a good equivalent? What about using the concept of “subsidiarity” to increase transparency around inter-system relationships when the goal is to devolve agency and accountability to the edge? Subsidiarity is nominally about social and political organization. Most importantly for our purposes, it holds that issues should be dealt with at the most immediate or local level consistent with their resolution.
This session will review the state of the art on risk analysis of insidious re-centralization. We'll discuss opportunities in capturing the “localness” of third-party relationships and propose some ways forward.
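To make the SBOM analogy concrete, here is an added illustration that is not part of the session abstract or any project it describes: a tiny SBOM-style inventory of components with their dependencies, extended with a constructed "locality" attribute (local, federated, external), and a check that flags third parties on which most edge components silently depend. The component names, the locality levels and the 50% threshold are all assumptions made for the example.

```python
"""
Added illustration (not from the session abstract): an SBOM-style inventory of
components and their dependencies, annotated with a constructed "locality"
attribute, used to surface re-centralization hidden below the edge.
All component names and locality values are constructed sample data.
"""
from collections import defaultdict

# Constructed inventory: each component lists its direct dependencies and who
# operates it relative to the system owner. "local" = run at the edge by the
# owner, "federated" = a peer in the ecosystem, "external" = a third party.
INVENTORY = {
    "wallet-app":              {"deps": ["did-resolver", "ui-kit"],         "locality": "local"},
    "verifier-service":        {"deps": ["did-resolver", "revocation-api"], "locality": "local"},
    "issuer-portal":           {"deps": ["did-resolver", "revocation-api"], "locality": "local"},
    "did-resolver":            {"deps": ["universal-resolver-saas"],        "locality": "federated"},
    "revocation-api":          {"deps": ["universal-resolver-saas"],        "locality": "federated"},
    "ui-kit":                  {"deps": [],                                 "locality": "external"},
    "universal-resolver-saas": {"deps": [],                                 "locality": "external"},
}


def transitive_deps(inventory, root):
    """All components that `root` depends on, directly or indirectly (cycle-safe DFS)."""
    seen = set()
    stack = list(inventory[root]["deps"])
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(inventory.get(dep, {}).get("deps", []))
    return seen


def top_level_components(inventory):
    """Components nothing else depends on: the 'edge' where agency is meant to live."""
    depended_on = {d for c in inventory.values() for d in c["deps"]}
    return sorted(c for c in inventory if c not in depended_on)


def centralization_report(inventory, threshold=0.5):
    """For every non-local component, the share of edge components that transitively
    depend on it. A share at or above `threshold` marks a (re-)centralization hub."""
    roots = top_level_components(inventory)
    counts = defaultdict(int)
    for root in roots:
        for dep in transitive_deps(inventory, root):
            if inventory[dep]["locality"] != "local":
                counts[dep] += 1
    report = {}
    for comp, n in counts.items():
        share = n / len(roots)
        report[comp] = {
            "share": round(share, 2),
            "locality": inventory[comp]["locality"],
            "hub": share >= threshold,
        }
    return report


def hidden_hubs(inventory, threshold=0.5):
    """External hubs that no edge component lists as a *direct* dependency: the
    concentration is real but invisible from any single component's own bill of materials."""
    roots = top_level_components(inventory)
    direct = {d for r in roots for d in inventory[r]["deps"]}
    report = centralization_report(inventory, threshold)
    return sorted(
        comp for comp, info in report.items()
        if info["hub"] and info["locality"] == "external" and comp not in direct
    )


if __name__ == "__main__":
    for comp, info in sorted(centralization_report(INVENTORY).items()):
        flag = "HUB" if info["hub"] else "   "
        print(f"{flag} {comp:<24} {info['locality']:<10} share={info['share']}")
    print("hidden external hubs:", hidden_hubs(INVENTORY))
```

In the constructed data every edge component looks locally governed (each depends only on a federated resolver or revocation peer), yet all of them bottom out in one external SaaS resolver that none of them names directly. That is the kind of relationship a per-component SBOM records but a per-component reading does not reveal; only the hierarchical view across the whole inventory exposes it.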