Re: Materials from 2019-04-11 combined DID Spec and DID Resolution Spec meeting

Luca, this is especially meaningful coming from a CA whose whole business
is exactly this kind of trust infrastructure.

Since Luca mentioned it, I'm happy to also point out a factor that was
never really involved with the centralized or federated IDP models: in
the decentralized identity model, governance frameworks can actually
specify the authorized issuers. For example, the CULedger governance
framework will authorize credit unions around the world to issue MyCUID
credentials of credit union membership. And that governance framework will
piggyback on top of the KYC that a credit union is required to do today
before accepting a new member.

I don't see the Googles and Facebooks of the world being able to issue that
kind of a credential anytime soon. So the decentralized identity model will
let us move back much closer to the diffuse sources of trust we have in the
offline world rather than the very concentrated sources of trust we
currently have in the digital world.

On Mon, Apr 15, 2019 at 11:07 PM Luca Boldrin <luca.boldrin@infocert.it>
wrote:

> In a recent discussion with Digicert on the role of CAs in this setting,
> we came to a fully overlapping view:
>
>
>
>    1. Trust on the infrastructure, which may be further split into
>       1. Trust on some underlying registry providing a common
>       infrastructure - This is the new element introduced by
>       permissioned/unpermissioned ledgers. (DID method)
>       2. trust on the sw dealing with personal information (wallet,
>       agent) - This is similar to the role of browsers
>    2. trust on the information, which may be further split into
>       1. trust on the identity of VC issuers (is universityX really
>       universityX?) – This is the traditional role for CAs
>       2. trust on the VC issuer himself (given that universityX is
>       universityX, can I trust it?) – this is a personal choice, which may be
>       supported by domain specific agreements.
>
>
>
> The playing field between “mega VC issuers” and “small distributed VC
> issuers” is probably on 2.b.
>
> We believe that 2.a is functional to trust on small distributed issuers,
> since under some regulatory setting the certainty of the identity (2.a)
> supports the enforcement of liability, which is an essential component of
> trust. Mega VC issuers do not need that, they are well-known…
>
> Best,
>
> --luca
>
>
>
>
>
> *From:* =Drummond Reed <drummond.reed@evernym.com>
> *Sent:* Tuesday, 16 April 2019 02:28
> *To:* David Chadwick <D.W.Chadwick@kent.ac.uk>
> *Cc:* Credentials Community Group <public-credentials@w3.org>
> *Subject:* Re: Materials from 2019-04-11 combined DID Spec and DID
> Resolution Spec meeting
>
>
>
> David is correct that with decentralized identity and verifiable
> credentials, verifiers are making two levels of trust decisions:
>
>    1. The DID method
>    2. The VC issuer.
>
> Trust in the DID method only matters insofar as the verifier believes that
> the DID & DID document is actually controlled by and authoritative for the
> VC issuer. The vast majority of the trust reliance is on the VC issuer.
>
>
>
> To the extent that a large number of verifiers default to trusting Google
> and Facebook as "mega VC issuers", as David calls them, they indeed could
> end up with the majority of "trust market power". But since anyone can
> issue VCs—by design—it doesn't seem that's a problem we can solve with the
> technical specifications alone. As David says, that's a matter of many
> others who are sources of trust in the economy today asserting themselves
> in decentralized identity infrastructure.
>
>
>
> On Mon, Apr 15, 2019 at 3:03 PM David Chadwick <D.W.Chadwick@kent.ac.uk>
> wrote:
>
>
>
> On 15/04/2019 18:53, =Drummond Reed wrote:
> > With DIDs and SSI, we are moving from an IDP model to a digital
> > credential model.
>
> whilst the above is hopefully true
>
> > Now the root of trust is not an IDP, it is the network
> > in which a DID is rooted
>
> I don't believe the above is. Users of SSI will still need a trusted
> issuer, one that the verifier trusts. And if verifiers decide to migrate
> towards a mega issuer such as google, then google and facebook could
> still corner the VC issuing market. Especially if today's existing
> trusted issuers in the physical world don't get their act together and
> start to issue VCs in the virtual world.
>
> David
>
>

Received on Tuesday, 16 April 2019 06:55:20 UTC