W3C home > Mailing lists > Public > public-credentials@w3.org > June 2016

Re: Proof of possession

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Wed, 15 Jun 2016 16:02:20 +0100
To: public-credentials@w3.org
Message-ID: <55e8e7a8-f643-c3e6-6196-b4f13113fd3a@kent.ac.uk>


On 15/06/2016 14:14, Manu Sporny wrote:
> On 06/15/2016 06:00 AM, David Chadwick wrote:
>>> Surely the community college had a data propagation strategy! Not 
>>> all of them do, and even if they do, some of them still let 
>>> students slip through the cracks.
>>
>> Point taken, but one would hope that in the intervening period 
>> between getting a qualification and the college going out of 
>> business, the student would have gained some practical skills that 
>> would trump the certificate.
> 
> That is not guaranteed to happen, especially for people of limited
> economic means. Sometimes a community college degree is all you have to
> prove that you're capable of doing advanced secretarial work,
> maintenance work, or other such activities. Given the choice between
> someone that has a questionable past, and someone that doesn't, all
> things being more or less equal employers will probably go with the set
> of people whose background checks panned out.
> 
>> Here is another example. I get a 10 year guarantee for some building 
>> work I have done on my house, and then next year the builder goes
>> out of business. My guarantee is now worthless. This happens all the
>> time in the UK unfortunately.
> 
> That's not the issue we were discussing.

Actually it was, as you were discussing the issue of what happens when
the Issuer goes out of business. But no matter, let's leave this one for
the more important one below.

> The issue was "what happens
> when someone loses their private key"... not "the issuer of the
> certificate issued a useless piece of paper".
> 
>>> ... and we can avoid all of this by using identifiers that are not
>>>  cryptographic in nature (e.g. DIDs).
>>
>> But one still has to prove possession of the DID. Sure, it can be 
>> shown that the DID was created at some point in the past, but
> 
> A set of one or more public keys under your control that are associated
> with the DID entry. See "publicKey" in the following for an example:
> 
> https://authorization.io/dids/did:76d0cdb7-9c75-4be5-8e5a-e2d7a35ce907
> 
>> what proves that it was you who created it, and not some imposter 
>> saying that they created it?
> 
> DIDs are first-come, first-serve. Entries are created by signing the DID
> object (the thing at the URL above). The signature proves you have
> control of the private key. Claims are tied to the DID, not the key
> fingerprint. It's a simple, but important distinction.

It rather sounds to me like another example of who guards the guards.

YOu dont like public keys as IDs as they can get lost, but you like IDs
that are registered with public keys that can get lost ????

Sorry if I have misrepresented you, but I don't see a significant or
important distinction between them. In both cases I have to prove that
the subject/owner/holder is me, and the private key was the means of
doing it. When that is lost, what is the fallback? And why cannot the
same fallback be used in both cases?

Regards

David



> 
> -- manu
> 
Received on Wednesday, 15 June 2016 15:02:54 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:29 UTC