PaySwarm and Trust Agility (was: PaySwarm and illegal sales? CCN)

On 8/20/11 9:02 PM, Steven Rowat wrote:
> However, your architecture of PaySwarm Authorities, in which there
> are competing authorities that the user chooses among, much like,
> say, a "Certified Organic" label from different certifying
> organizations, might work well, possibly better. To maintain the
> analogy: there's also a U.S. Federal single "organic" definition, but
> that lends itself to pressure and interference from large
> corporations, so sometimes the smaller more independent "Certified
> Organic" labels indicate superior products.

Yes, this is along the current line of thinking we have at Digital Bazaar. 
Ultimately, it is up to the website giving you access based on a 
Certificate of Authenticity to figure out if it trusts the person that 
digitally signed your Certificate of Authenticity.

We could depend on the Certificate Authorities that are out there today 
to provide digital signatures as a bootstrap mechanism. We may want to 
bootstrap /toward/ Trust Agility, but take advantage of the current 
setup to take us there:

http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity

For example, if an asset is listed here:

https://www.foofighters.com/songs/walk#asset
https://www.foofighters.com/songs/walk#listing

The digital signature for the Asset and Listing could be generated by 
the same private key that is used to establish the authenticity of the 
website.

So, for example, if the Foo Fighters would like to offer you a special 
discount on a concert ticket based on the previous purchase of the song 
above they could do the following:

1. Request the digital contract of the sale of "Walk" from your
    PaySwarm Authority.
2. Verify that it is their digital signature on the Asset and the
    Listing.
3. Verify that the digital contract was processed by a Trusted
    PaySwarm Authority.
4. Proceed with the purchase of the concert ticket at the discounted
    rate if all signatures are verified.

That is not to say that the digital signature needs to be tied to the 
website, but to demonstrate one way that we could bootstrap off of 
pre-existing CA infrastructure and move toward Trust Agility.

Ultimately, it is up to the content websites to determine who they trust 
when granting access to other resources - there does not need to be a 
centralized solution. Who we trust is context-sensitive.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Uber Comparison of RDFa, Microformats and Microdata
http://manu.sporny.org/2011/uber-comparison-rdfa-md-uf/

Received on Saturday, 27 August 2011 18:18:23 UTC
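
The four-step check described in the message above, sketched as an added example (not part of the original post and not PaySwarm's own code). The Ed25519 keys, the JSON layout and field names, the authority URLs and the buyer id are assumptions made for illustration; step 1 is replaced by a contract constructed locally.

```javascript
const crypto = require("node:crypto");

// Constructed keys: the vendor site and two PaySwarm Authorities.
const newKey = () => crypto.generateKeyPairSync("ed25519");
const vendor = newKey(), authorityA = newKey(), authorityB = newKey();

// Hypothetical canonical form for flat objects: keys sorted before serializing.
const bytes = (o) => Buffer.from(JSON.stringify(o, Object.keys(o).sort()));
const sign = (o, key) => crypto.sign(null, bytes(o), key.privateKey).toString("base64");
const verify = (o, sig, publicKey) =>
  crypto.verify(null, bytes(o), publicKey, Buffer.from(sig, "base64"));

// The vendor signs its own Asset and Listing (URLs are from the message).
const asset = { id: "https://www.foofighters.com/songs/walk#asset", title: "Walk" };
const listing = { id: "https://www.foofighters.com/songs/walk#listing", asset: asset.id };
const assetSig = sign(asset, vendor), listingSig = sign(listing, vendor);

// An authority countersigns the sale, binding buyer, asset and listing signatures.
function issueContract(authorityId, authorityKey, buyer) {
  const body = { authority: authorityId, buyer, assetSig, listingSig };
  return { asset, listing, body, signature: sign(body, authorityKey) };
}

// Steps 2-4 as run by the vendor. `trusted` is the vendor's own choice of authorities.
function checkContract(contract, vendorPublicKey, trusted) {
  const { asset, listing, body, signature } = contract;
  if (!verify(asset, body.assetSig, vendorPublicKey)) return "asset signature invalid";
  if (!verify(listing, body.listingSig, vendorPublicKey)) return "listing signature invalid";
  if (listing.asset !== asset.id) return "listing is for another asset";
  const authorityKey = trusted.get(body.authority);
  if (!authorityKey) return "authority not trusted";
  if (!verify(body, signature, authorityKey)) return "authority signature invalid";
  return "ok";
}

// This vendor trusts only authority A; another site could hold a different map.
const trusted = new Map([["https://authority-a.example/", authorityA.publicKey]]);
const buyer = "https://buyer.example/id"; // constructed
const good = issueContract("https://authority-a.example/", authorityA, buyer);
const untrusted = issueContract("https://authority-b.example/", authorityB, buyer);
const forged = issueContract("https://authority-a.example/", authorityB, buyer);
const tampered = { ...good, asset: { ...asset, title: "Another song" } };
```

The `trusted` map is the context-sensitive part: nothing in the contract itself decides which authorities count, only the verifying site's own list does.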