- From: Markus Sabadello <markus@danubetech.com>
- Date: Tue, 28 Nov 2017 22:38:54 +0100
- To: public-credentials@w3.org
I was made aware of a potential problem by someone who is very knowledgeable in E.U. national eID systems.

There's a question of liability when you create your own key pair.

If a government creates keys for you through a process they control, then they can guarantee that the key is created in a secure way. (At least that's the theory, the recently discovered weakness in 750,000 Estonian identity cards is a different story).

If you create your own key (for your DID), then perhaps you're using a bad random number generator. You may receive a few verifiable claims for your "bad" DID, but later your private key is broken and your identity stolen. Who is liable now? You, because you created a bad DID, or the issuer of the verifiable claim?

A government would want to reduce potential liability as much as possible, and may not be willing to actually issue a verifiable claim for a DID that may be insecure.

Markus

On 11/28/2017 08:06 PM, Steven Rowat wrote:
> On 2017-11-28 9:23 AM, Markus Sabadello wrote:
>> So you would model your natural, "self-sovereign" identity by creating
>> DIDs, and you would model "legal identity" not by issuing new DIDs, but
>> by issuing verifiable claims that make assertions about your DID.
>>
>> E.g. the government could issue claims for you about citizenship, date
>> of birth, national identifier (such as the Peruvian DNI you mentioned),
>> driver's license, and everything else that constitutes the "legal self"
>> you are talking about.
>
> +1 This seems so straightforward that I'd hope it can work everywhere.
>
> But in case there are technical/political reasons why governments
> might want to issue their own DID, could it be set up to be optional
> -- so that both systems would work together?
>
> I.e., some governments could set up their own, while others could
> merely issue verifiable claims as you suggest?
>
> Steven
>
>
>>
>> I think this topic on "legal ID" and "self-sovereign ID" is a great
>> example where we can align our technological tools with "how identity
>> works in the real world".
>>
>> Markus
>>
>> On 11/28/2017 02:52 AM, David E. Ammouial wrote:
>>> Hello,
>>>
>>> I recently joined the few identity-related workgroups, out of interest
>>> for the general subject of decentralised digital identity. I like the
>>> idea of DIDs a lot because I find it refreshingly realistic to
>>> acknowledge the existence of multiple identity "worlds" rather than
>>> trying to create one meant to be the only one. I'm using the word
>>> "refreshingly" because it really brings back the original spirit of an
>>> internet that is diverse at all levels.
>>>
>>> Back to the subject of this email. Governments' attempted monopoly of
>>> the concept of people's identity is something I personally dislike.
>>> You are not defined by what a government accepts or says about you,
>>> but by what you say and accept about yourself, and maybe by what the
>>> people you care about say and accept about you. However, in some
>>> situations those "people you care about" do include governmental
>>> entities, for practical definitions of "caring". :)
>>>
>>> To give a concrete example, you might want to allow your "legal self"
>>> to act upon your Sovrin/uPort/V1/X identity through an institution or
>>> a company. For example if a government entity provides a facial
>>> recognition API to authenticate people, that would correspond in
>>> practice to a service of a "did:gov" method. Proving that you are who
>>> you say you are (in legal terms) can be something desirable.
>>>
>>> What would be the practical steps of introducing a "did:gov" method?
>>> I'm thinking of a schema like:
>>>
>>> did:gov:XX:xxxxxxx
>>>
>>> Such an identity would be issued by the government of country XX (e.g.
>>> US, FR, PE, etc.). The last bit would depend on the rules of each
>>> particular country. For example Peru has different types of identity
>>> documents: DNI (documento nacional de identidad) for nationals, CE
>>> (carné de extranjería) for residents that are not nationals, and a few
>>> others. In that context, Peru would perhaps define DIDs around the
>>> lines of "did:gov:pe:dni:1234345", but that would obviously be up to
>>> the Peruvian government to define those rules.
>>>
>>> What do you think? There are probably technical aspects, legal
>>> aspects, practical aspects... I apologise if this topic has already been
>>> brought up in the past and I didn't read about it before posting. I
>>> did some basic research on the list's archive and couldn't find
>>> anything.
>>>

Received on Tuesday, 28 November 2017 21:39:25 UTC