
Re: Room for government DIDs?

From: Markus Sabadello <markus@danubetech.com>
Date: Tue, 28 Nov 2017 22:38:54 +0100
To: public-credentials@w3.org
Message-ID: <eb649f96-7b66-f702-a5a4-8670dde37895@danubetech.com>

I was made aware of a potential problem by someone who is very
knowledgeable in E.U. national eID systems.

There's a question of liability when you create your own key pair.
If a government creates keys for you through a process they control,
then they can guarantee that the key is created in a secure way.
(At least that's the theory, the recently discovered weakness in 750,000
Estonian identity cards is a different story).

If you create your own key (for your DID), then perhaps you're using a
bad random number generator.
You may receive a few verifiable claims for your "bad" DID, but later
your private key is broken and your identity stolen.

Who is liable now? You, because you created a bad DID, or the issuer of
the verifiable claim?

A government would want to reduce potential liability as much as
possible, and may not be willing to actually issue a verifiable claim
for a DID that may be insecure.


On 11/28/2017 08:06 PM, Steven Rowat wrote:
> On 2017-11-28 9:23 AM, Markus Sabadello wrote:
>> So you would model your natural, "self-sovereign" identity by creating
>> DIDs, and you would model "legal identity" not by issuing new DIDs, but
>> by issuing verifiable claims that make assertions about your DID.
>> E.g. the government could issue claims for you about citizenship, date
>> of birth, national identifier (such as the Peruvian DNI you mentioned),
>> driver's license, and everything else that constitutes the "legal self"
>> you are talking about.
> +1 This seems so straightforward that I'd hope it can work everywhere.
> But in case there are technical/political reasons why governments
> might want to issue their own DID, could it be set up to be optional
> -- so that both systems would work together?
> I.e., some governments could set up their own, while others could
> merely issue verifiable claims as you suggest?
> Steven
>> I think this topic on "legal ID" and "self-sovereign ID" is a great
>> example where we can align our technological tools with "how identity
>> works in the real world".
>> Markus
>> On 11/28/2017 02:52 AM, David E. Ammouial wrote:
>>> Hello,
>>> I recently joined the few identity-related workgroups, out of interest
>>> for the general subject of decentralised digital identity. I like the
>>> idea of DIDs a lot because I find it refreshingly realistic to
>>> acknowledge the existence of multiple identity "worlds" rather than
>>> trying to create one meant to be the only one. I'm using the word
>>> "refreshingly" because it really brings back the original spirit of an
>>> internet that is diverse at all levels.
>>> Back to the subject of this email. Governments' attempted monopoly of
>>> the concept of people's identity is something I personally dislike.
>>> You are not defined by what a government accepts or says about you,
>>> but by what you say and accept about yourself, and maybe by what the
>>> people you care about say and accept about you. However, in some
>>> situations those "people you care about" do include governmental
>>> entities, for practical definitions of "caring". :)
>>> To give a concrete example, you might want to allow your "legal self"
>>> to act upon your Sovrin/uPort/V1/X identity through an institution or
>>> a company. For example if a government entity provides a facial
>>> recognition API to authenticate people, that would correspond in
>>> practice to a service of a "did:gov" method. Proving that you are who
>>> you say you are (in legal terms) can be something desirable.
>>> What would be the practical steps of introducing a "did:gov" method?
>>> I'm thinking of a schema like:
>>>      did:gov:XX:xxxxxxx
>>> Such an identity would be issued by the government of country XX (e.g.
>>> US, FR, PE, etc.). The last bit would depend on the rules of each
>>> particular country. For example Peru has different types of identity
>>> documents: DNI (documento nacional de identidad) for nationals, CE
>>> (carné de extranjería) for residents that are not nationals, and a few
>>> others. In that context, Peru would perhaps define DIDs around the
>>> lines of "did:gov:pe:dni:1234345", but that would obviously be up to
>>> the Peruvian government to define those rules.
>>> What do you think? There are probably technical aspects, legal
>>> aspects, practical aspects... I apologise if this topic has already been
>>> brought up in the past and I didn't read about it before posting. I
>>> did some basic research on the list's archive and couldn't find
>>> anything.
Received on Tuesday, 28 November 2017 21:39:25 UTC
