Re: Questions about Linked Data Signatures for Verifiable Claims

Thanks, Manu, for adding this topic to the agenda for today's call.

A couple of follow-up points:

1. This exploration demonstrated that the Linked Data Signatures spec is fairly
flexible and can easily be adapted for interesting new purposes.

2. It sounds like the benefits of adapting such a complicated procedure are
not justified in most people's minds by the use cases already discussed.

3. There is some doubt that implementing this procedure would protect claim
subjects from any significant attack on privacy.


Let's narrow the use cases to the following:

   - Steve wishes to share one of his credentials with a job board Service
   that will make it part of his verified profile on the Service. Steve
   assumes many of the viewers of that Service will trust it to only display
   credentials it has verified, but he does not want those viewers to be able
   to take and share the claim with other job board services he has not
   specifically authorized.

The players:

   - Credential issuer
   - Steve
   - Job board Service 1
   - Viewers
   - Other job board Services 2 and 3

What some people have pointed out is that if job board Service 2 trusts
Service 1 to have independently verified the claim, they can interpret the
display of it on Steve's profile as enough evidence that it is valid and do
not need to verify it themselves.

I think there is a significant enough difference between a verifiable claim
and a verifiable-claim-one-trust-link-removed that Service 2 will be
forced to treat that claim differently than Service 1 did, where there was
a direct verification link. The further removed the trust chain becomes
from the primary inspector, the weaker the verifiable character of the link
is.

Nate

Received on Tuesday, 2 August 2016 16:20:41 UTC