
Re: Proof of possession

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Wed, 15 Jun 2016 15:41:43 +0000
Message-ID: <CAM1Sok3o-okJAFD7kV_s_usV6U=+1QZw5gpJC_jJEPAemkii=Q@mail.gmail.com>
To: Dave Longley <dlongley@digitalbazaar.com>, David Chadwick <d.w.chadwick@kent.ac.uk>, public-credentials@w3.org
"self sovereign" or 'human centric' have different business models applied,
on a simplistic layer, to that of alternatives whether paid as a commercial
product/service, provided in relation to KPIs for GOV funding based on
"low risk tolerance" models (particularly within complex global, vertical
industry based ecosystems), advertising supported or indeed by government
for citizens (as distinct to a market based solution for whatever specified
purpose + reuse opportunities) or by a government for humanity (whether or
not their citizens).

We do not know which yields better investment performance over the others
as yet, imho, due to having insufficient data to effectively evaluate the
impacts of various possible alternatives, over an appropriately scaled
lifecycle period.

The combination of data-logs and A.I / applied linked-data systems provides
mind-boggling opportunities for the advancement of humanity and the means
in which we impact our surroundings; including the means to furnish
opportunity to individuals who had previously not been entitled to
particular opportunities due to their inability to fit traditional
anthropological linguistics, such as is the case with "have's" and "have
not's" of many credentials.  Investors, Companies and even Countries look
for identity, economic participation, innovation, talent and capability -
yet perhaps we can improve the language and methodology they use when
seeking/evaluating it, in a significant way for people who can use WWW into
the future.

I think we need to make choices, which should not necessarily be singular
in modality; and therefore needs to be supported by the linguistics we
use.  This is W3C --> not any one of its members, but rather, TimBL who
set-up via contracts agreements for entities to work together, with an
objective of ideological weighting towards the betterment of mankind;
viewed to be achievable via the specified task of developing W3 (www) via
W3C as a means to produce world-class standards recommendations that may be
implemented free of license (i.e. patent) charges and amongst other things;
therefore compatible with all major web-browsers without necessary changes
for specified support of different vendors by the HTML document author.
Truly visionary. Started with a poster.

I guess my frustration is a concern that we are not dealing with the
underlying ID/Auth issue (for known reasons) and I'm not sure if we've
flagged a possible solution for this underlying foundation that has a
known, executable agenda and development path.

'service centric' solutions exist and are widespread, if they were not then
it would be a similar issue just one that impacts incorporated entities
more than natural legal entities when looking at the issue in a simple way.
In the interests of appropriate and proportionate measures for
foresight; perhaps some sort of enquiry with the crew in the WebID Group
might discover a means to resource some means for a path forward at that
dependency layer.  I appreciate stakeholders here may be very busy and the
additional workload may not be easily resourced without additional
resources...

I believe the SoLiD crew are also testing OpenID Connect, and may also be
a good candidate to query a level of interest and possible collaboration,
yet, it seems most likely to me that this may occur via the WebID group...

Has any form of official discovery / exploratory conversation occurred with
the WebID or alternative yet similarly chartered W3C CG, IG or WG?  Would
it be beneficial to see what is possible and if so, what would be the terms
embodied within the brief?

Reiterating: I think we have the institutional approach covered, yet I have
known experiences where their solutions haven't worked for me. I'm thankful
I'm not a refugee on a boat from a hostile country, or someone else with
far worse problems than I; yet, we're also trying to get these people
connected to the web. Provide ID, bank-account access, the basics. Internet
was principally set-up by kids in Australia, not telcos. Their parent told
them to move their business elsewhere when 100 telephone lines got
delivered to the family lounge-room (in at least one situation...).  Other
'institutional' methodologies have taken a much longer-time to become
available...

Given our targeted scope, much like working with ODRL[1] - where should the
Web-DHT elements be progressed if they're not scoped in payments/creds v1
deliverables?  Without ODRL - I'm not sure where we'd be about privacy.

I'm not sure how we'll be able to fix the linguistics to support the
various position statements put forward by participants (at times, on
behalf of the entity they represent) without defining something that helps
us move forward on this underlying (perceived) problem.

I also note that market-based solutions behave differently when they're not
in a monopoly environment, as it becomes more important to listen to what
their customers want.

I also think, as I've noted elsewhere; other providers may emerge that have
very different business models; and I'd note post organisations to be one
of the various alternatives; US-Post, Royal Mail, AusPost (etc.) have
retail outlets (or agents) dotted across their regions (assumption?) for
easy physical access and in some cases they've got relationships to various
ID / secure document services already + they're sovereign + it's not bound to
an Email Identifier necessarily.

These sorts of considerations also impact the way the keys are supported
broadly.

I'm hoping we're not going to be overly narrow in our thinking...

</rant>.


[1] https://www.w3.org/ns/odrl/2/ODRL21


On Thu, 16 Jun 2016 at 00:32 Dave Longley <dlongley@digitalbazaar.com>
wrote:

> On 06/15/2016 06:00 AM, David Chadwick wrote:
> > [snip]
> >
> > On 15/06/2016 02:25, Manu Sporny wrote:
> >>
> >> The point isn't that something is irreparable - yes, most things can be
> >> fixed. It just takes an enormous amount of time, energy, money, and stress.
> >>
> >> ... and we can avoid all of this by using identifiers that are not
> >> cryptographic in nature (e.g. DIDs).
> >
> > But one still has to prove possession of the DID. Sure, it can be shown
> > that the DID was created at some point in the past, but what proves that
> > it was you who created it, and not some imposter saying that they
> > created it?
>
> I think what Manu meant is that a system where an identifier must be a
> fingerprint of a public key *and* the only way to prove
> ownership of it is to possess the matching private key is too brittle.
>
> It would be fine, IMO, to originally generate a DID from the fingerprint
> of a public key, provided that this mechanism was only used to assert
> ownership when registering the identifier with other pieces of
> information that could be later used to also assert ownership should you
> lose the private key or should it become obsolete.
>
> At some point you should be able to essentially treat the DID as opaque
> and prove ownership through some other mechanism.
>
> I think we want *more* than just a public key fingerprint, but using
> that concept to bootstrap the process is perfectly fine.
>
>
> --
> Dave Longley
> CTO
> Digital Bazaar, Inc.
> http://digitalbazaar.com
>
>
Received on Wednesday, 15 June 2016 15:42:22 UTC
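
The bootstrap-then-opaque model from Dave Longley's quoted reply, sketched as an added example that is not part of the thread or of any participant's code. The `did:example:` prefix, the `Registry` class, the signed message formats and the use of Ed25519 through Node's `crypto` module are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
const sign = (key, msg) => crypto.sign(null, Buffer.from(msg), key.privateKey);
const verify = (pub, msg, sig) => crypto.verify(null, Buffer.from(msg), pub, sig);
// Assumed fingerprint: SHA-256 over the DER (SPKI) encoding of the public key.
const fingerprint = (pub) => crypto.createHash('sha256')
  .update(pub.export({ type: 'spki', format: 'der' })).digest('hex');
const didFor = (pub) => 'did:example:' + fingerprint(pub); // hypothetical DID method

class Registry { // hypothetical registry, not a real DID ledger API
  constructor() { this.records = new Map(); }
  // Bootstrap: the key behind the fingerprint signs, binding a recovery key to the DID.
  register(pub, recoveryPub, sig) {
    const did = didFor(pub);
    if (this.records.has(did)) throw new Error('already registered');
    if (!verify(pub, `register|${did}|${fingerprint(recoveryPub)}`, sig))
      throw new Error('registration proof failed');
    this.records.set(did, { active: pub, recovery: recoveryPub, seq: 0 });
    return did;
  }
  // Rotation: authorised by the recovery key; seq stops an old request being replayed.
  rotate(did, newPub, sig) {
    const rec = this.records.get(did);
    if (!rec || !verify(rec.recovery, `rotate|${did}|${rec.seq}|${fingerprint(newPub)}`, sig))
      throw new Error('rotation proof failed');
    rec.active = newPub;
    rec.seq += 1;
  }
  // Proof of possession: the DID is opaque here; only the registered active key counts.
  provesPossession(did, challenge, sig) {
    const rec = this.records.get(did);
    return Boolean(rec) && verify(rec.active, `auth|${did}|${challenge}`, sig);
  }
}

// Constructed scenario: register, lose the first key, recover with the second.
function demo() {
  const reg = new Registry(), first = newKey(), recovery = newKey(), next = newKey();
  const did = didFor(first.publicKey);
  reg.register(first.publicKey, recovery.publicKey,
    sign(first, `register|${did}|${fingerprint(recovery.publicKey)}`));
  const before = reg.provesPossession(did, 'n1', sign(first, `auth|${did}|n1`));
  reg.rotate(did, next.publicKey, sign(recovery, `rotate|${did}|0|${fingerprint(next.publicKey)}`));
  return { before,
    oldKeyAfter: reg.provesPossession(did, 'n2', sign(first, `auth|${did}|n2`)),
    newKeyAfter: reg.provesPossession(did, 'n2', sign(next, `auth|${did}|n2`)),
    fingerprintStillMatches: didFor(next.publicKey) === did };
}
```

After rotation the DID no longer equals the fingerprint of the active key, which is why a verifier that only compares fingerprints would reject the recovered holder.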
