- From: Nate Otto <nate@ottonomy.net>
- Date: Tue, 2 Aug 2016 06:44:58 -0700
- To: David Chadwick <d.w.chadwick@kent.ac.uk>
- Cc: Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CAPk0ugm_RGs3y8E+buFOTqtSv5YrYoENqN1PutQKErNN25BnDg@mail.gmail.com>
Great questions about this idea, Dave. A couple comments inline. On Tue, Jul 26, 2016 at 9:07 AM, David Chadwick <d.w.chadwick@kent.ac.uk> wrote: > > 1. Who determines who should be the recipients: the issuer or subject or > both? Both issuer and subject would have to agree to share one of these credentials. > > 2. Who must trust the recipient: the issuer or subject or both? A > subject should be able to give his/her credentials to a recipient that > the issuer does not trust but that he/she does trust. Conversely, a > subject should also be able to give a credential to a recipient he/she > does not fully trust yet wishes to obtain some sort of service from. > So while the issuer could presumably deny a subject's request to share a badge with a specific inspector, I'd expect the subject to know what the issuer's preferences are in advance of making requests to share. > 3. What is the overall trust model, and how does this impact on the > likelihood that a recipient [holder] will forward a credential without the > express permission of the subject? A fully trusted recipient [holder] > would never > forward a credential without the subject's permission. A fully untrusted > recipient might well forward a credential if there was some benefit in > this. What would a partially trusted recipient do? > I'd expect behavior to vary broadly. Currently, if I shared a credential with five partially-trusted inspectors, and then it got into an advertising database, I wouldn't be able to tell who shared it, and the advertising database, which I might not want to see my credential, could fully verify the claim. In the current environment, I would be more likely to share badges/claims with parties I trust, but because there are no consequences for breaching trust (because it's unlikely that I could learn which inspector breached trust), the model feels weak. > > 4. Should forward sharing be controlled by technical constraints or is > the trust model (when this is defined) sufficient for this? > Good question. It may also be possible to enable both. For example, even if we implement this flavor of verifiable claim (with "forward sharing protection"), I would not expect a majority of claims to be issued with this extra measure of protection. > > 5. How many different flavours of the same credential is it reasonable > to ask the issuer to issue? In the extreme case this would be a > different credential for each recipient [inspector]. > The portability of a verifiable claim is a strong advantage of the tech. I would expect perhaps that if we built an ecosystem around claims with forward sharing protection that there would be a small number of superproviders who would be broadly trusted by the community, and I could share my badges/credentials with them and because these inspectors would be trusted, I could then lean on that trust to use those networks to propagate my badges further. For example, if Facebook was a claim inspector, I would instruct my issuer to share a verifiable badge with Facebook that is only verifiable by Facebook. Facebook would verify it and then share it broadly with my friends on that network. My friends, because they trust Facebook, would not need their own verifiable copy of the claim. I see we have placed this question on today's VCTF call agenda. Looking forward to discussing it briefly in an hour! Nate
Received on Tuesday, 2 August 2016 13:45:35 UTC