Re: Proof of possession from Manu Sporny on 2016-06-15 (public-credentials@w3.org from June 2016)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Wed, 15 Jun 2016 09:14:44 -0400
To: public-credentials@w3.org
Message-ID: <576154C4.8030807@digitalbazaar.com>

On 06/15/2016 06:00 AM, David Chadwick wrote:
>> Surely the community college had a data propagation strategy! Not 
>> all of them do, and even if they do, some of them still let 
>> students slip through the cracks.
> 
> Point taken, but one would hope that in the intervening period 
> between getting a qualification and the college going out of 
> business, the student would have gained some practical skills that 
> would trump the certificate.

That is not guaranteed to happen, especially for people of limited
economic means. Sometimes a community college degree is all you have to
prove that you're capable of doing advanced secretarial work,
maintenance work, or other such activities. Given the choice between
someone that has a questionable past, and someone that doesn't, all
things being more or less equal employers will probably go with the set
of people whose background checks panned out.

> Here is another example. I get a 10 year guarantee for some building 
> work I have done on my house, and then next year the builder goes
> out of business. My guarantee is now worthless. This happens all the
> time in the UK unfortunately.

That's not the issue we were discussing. The issue was "what happens
when someone loses their private key"... not "the issuer of the
certificate issued a useless piece of paper".

>> ... and we can avoid all of this by using identifiers that are not
>>  cryptographic in nature (e.g. DIDs).
> 
> But one still has to prove possession of the DID. Sure, it can be 
> shown that the DID was created at some point in the past, but

A set of one or more public keys under your control that are associated
with the DID entry. See "publicKey" in the following for an example:

https://authorization.io/dids/did:76d0cdb7-9c75-4be5-8e5a-e2d7a35ce907

> what proves that it was you who created it, and not some imposter 
> saying that they created it?

DIDs are first-come, first-serve. Entries are created by signing the DID
object (the thing at the URL above). The signature proves you have
control of the private key. Claims are tied to the DID, not the key
fingerprint. It's a simple, but important distinction.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Web Browser API Incubation Anti-Pattern
http://manu.sporny.org/2016/browser-api-incubation-antipattern/

Received on Wednesday, 15 June 2016 13:15:09 UTC