Re: Trust in Issuers (was: Materials from 2019-04-11 combined DID Spec and DID Resolution Spec meeting)

Thinking some more about how Google et al might migrate towards issuing
VCs, they must have a business model for doing this. The current FIM
model places the IdP at the centre of the ecosystem, which is ideal for
Google tracking users and capturing data. VCs do not do this.

However, the current VC data model gives Google a back door for this as
follows:
i. they issue a VC to the user with an unbelievably long validity time
ii. they either do not publish reliable revocation information (check out
Google Chrome for X.509 CRLs or OCSP and you will see they don't use
them) or they make verifiers come to them for the info (for which they
can charge a micro payment each time and track the user)
iii. Each VC contains refresh information which makes the verifier come
back to Google to verify that this unbelievably long duration VC is
still valid (again they can charge for this and track the user).

So this would seem to be a relatively painless way for Google and
Facebook to migrate to VCs and keep their existing business models.

David

On 16/04/2019 01:27, =Drummond Reed wrote:
> David is correct that with decentralized identity and verifiable
> credentials, verifiers are making two levels of trust decisions:
> 
>  1. The DID method
>  2. The VC issuer.
> 
> Trust in the DID method only matters insofar as the verifier believes
> that the DID & DID document is actually controlled by and authoritative
> for the VC issuer. The vast majority of the trust reliance is on the VC
> issuer.
> 
> To the extent that a large number of verifiers default to trusting
> Google and Facebook as "mega VC issuers", as David calls them, they
> indeed could end out with the majority of "trust market power". But
> since anyone can issue VCs—by design—it doesn't seem that's a problem we
> can solve with the technical specifications alone. As David says, that's
> a matter of many others who are sources of trust in the economy today
> asserting themselves in decentralized identity infrastructure.
> 
> On Mon, Apr 15, 2019 at 3:03 PM David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:
> 
>     On 15/04/2019 18:53, =Drummond Reed wrote:
>     > With DIDs and SSI, we are moving from an IDP model to a digital
>     > credential model.
> 
>     whilst the above is hopefully true
> 
>     > Now the root of trust is not an IDP, it is the network
>     > in which a DID is rooted
> 
>     I don't believe the above is. Users of SSI will still need a trusted
>     issuer, one that the verifier trusts. And if verifiers decide to migrate
>     towards a mega issuer such as google, then google and facebook could
>     still corner the VC issuing market. Especially if today's existing
>     trusted issuers in the physical world don't get their act together and
>     start to issue VCs in the virtual world.
> 
>     David
> 

Received on Tuesday, 16 April 2019 08:48:40 UTC
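
An added example, not part of the original thread: a verifier- or wallet-side check that flags the three properties listed in the top message (very long validity, missing or issuer-hosted revocation information, issuer-hosted refresh). Property names follow the Verifiable Credentials Data Model; the one-year threshold, the function and finding names, and both sample credentials are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

MAX_VALIDITY = timedelta(days=365)  # assumed local policy, not a spec value

def host_of(value):
    """Host of a URL-valued property; None for DIDs and other non-URL ids."""
    if isinstance(value, dict):
        value = value.get("id")
    return urlparse(value or "").hostname

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def phone_home_findings(vc, max_validity=MAX_VALIDITY):
    """Return finding codes for properties that send a verifier back to the issuer."""
    findings = []
    issued, expires = vc.get("issuanceDate"), vc.get("expirationDate")
    if not expires:
        findings.append("no-expiry")
    elif issued and parse_ts(expires) - parse_ts(issued) > max_validity:
        findings.append("long-validity")
    # Host comparison only works when the issuer is identified by a URL;
    # for a DID issuer the service endpoints would need resolving first.
    issuer_host = host_of(vc.get("issuer"))
    status = vc.get("credentialStatus")
    if status is None:
        findings.append("no-revocation-info")
    elif issuer_host and host_of(status) == issuer_host:
        findings.append("status-at-issuer")
    refresh = vc.get("refreshService")
    if refresh and issuer_host and host_of(refresh) == issuer_host:
        findings.append("refresh-at-issuer")
    return findings

# Constructed sample: 50-year credential whose status and refresh URLs sit at the issuer.
SAMPLE_TRACKING_VC = {
    "issuer": "https://issuer.example/",
    "issuanceDate": "2019-04-16T00:00:00Z",
    "expirationDate": "2069-04-16T00:00:00Z",
    "credentialStatus": {"id": "https://issuer.example/status/24", "type": "CredentialStatusList2017"},
    "refreshService": {"id": "https://issuer.example/refresh/3732", "type": "ManualRefreshService2018"},
}
# Constructed sample: 90-day credential with status published by a separate host.
SAMPLE_QUIET_VC = {
    "issuer": "https://issuer.example/",
    "issuanceDate": "2019-04-16T00:00:00Z",
    "expirationDate": "2019-07-15T00:00:00Z",
    "credentialStatus": {"id": "https://registry.example/status/24", "type": "CredentialStatusList2017"},
}

if __name__ == "__main__":
    print(phone_home_findings(SAMPLE_TRACKING_VC))
```
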