- From: =Drummond Reed <drummond.reed@evernym.com>
- Date: Fri, 10 Aug 2018 22:08:15 -0700
- To: Adrian Gropper <agropper@healthurl.com>
- Cc: Stephen Curran <swcurran@cloudcompass.ca>, heather vescent <heathervescent@gmail.com>, Christopher Lemmer Webber <cwebber@dustycloud.org>, Markus Sabadello <markus@danubetech.com>, W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CAAjunnYzUVSsLmn5zWTdRa9GB==PSgSoqGfk8kR=SFjFywe95Q@mail.gmail.com>
On Fri, Aug 10, 2018 at 7:20 PM, Adrian Gropper <agropper@healthurl.com> wrote: > On Fri, Aug 10, 2018 at 9:57 PM, Stephen Curran <swcurran@cloudcompass.ca> > wrote: > >> The model we've been talking about in the Indy/Sovrin Agent Working Group >> is to recommend (although at this early point, that might be too strong a >> word) that each pairwise DID have an endpoint in each pairwise DIDDoc that >> is assumed to be for an Agency (e.g. "www.AgentsRUs.com") and that the >> endpoint be in the form of a DID (which is of course a URI) for the >> Agency. For example: service_endpoint: "did:sov:23efeda45693deb5". That >> "endpoint DID" is owned by the Agency, not by the Identity. >> >> To send a message to an Identity: >> >> - Get and resolve the endpoint DID from the pairwise DIDDoc >> - Send the message as a "Forward" and encrypted to that shared >> endpoint. >> - The Agency endpoint would decrypt the message to get one additional >> piece of information - the destination DID for the message (the actual >> message is encrypted only for the ultimate recipient). >> - From that, the Agency would use something like a mapping table to >> know the Identity to which the message needs to go (but nothing about the >> message itself). >> - It's implementation specific how the Agency handles this. >> - At that point - the message is in the hands of an Agent controlled >> by the recipient Identity and is assumed will "Do the Right Thing" for that >> Identity. >> >> By having the endpoint URI as a DID, the Agency has control over it's >> DIDDoc (which is published on a Public Ledger) and can rotate keys, change >> the endpoint URL, etc. That means the pairwise DIDDocs don't have to worry >> when the Agency changes it's keys. The Identity would only change the >> endpoint in the pairwise DIDDocs when it changes Agencies - a much rarer >> event. >> >> This model implies one other thing. When an Identity shares a pairwise >> DID with another identity, it must tell the Agency "Hey, when you see this >> DID - send it to my Agent". That is part of the Agency implementation - up >> the Agency code to handled that. >> > > *I agree that the Agency adds valuable privacy but it seems to reduce > self-sovereignty. The Agency will be prone to compromise and censorship by > a government entity and a single point of failure. Wouldn't Tor routing to > the Agent endpoint be more private?* > Yes, Tor-style routing would make it even more private. And that of course could take place between cooperating Agencies. > > >> The goal is to make it "assumed" (and hence, interoperable) that there is >> a shared Agency endpoint that services many Identities, each with many >> pairwise DIDs. That hides the Identity-to-Identity interactions in a crowd. >> >> The recommendation is to enable interoperability, Senders should assume >> ALL identities are structured that way. As such, an Identity that does >> something different should still structure it's DIDDoc to look like that, >> so that the Sender knows how to send the Identity a message. >> >> A bit in the weeds, but hopefully that helps. >> >> >> On Fri, Aug 10, 2018 at 5:52 PM, Adrian Gropper <agropper@healthurl.com> >> wrote: >> >>> Drummond, >>> >>> I'm on the same wavelength with you (as usual) but I'm unclear about the >>> next level: the endpoints. A DID document has two principal functions >>> (other than housekeeping like key rotation) - to provide public key(s) and >>> service endpoint(s). The public keys do have some stand-alone uses for >>> signing, but the endpoint is the key to self-sovereign agency and a risk >>> for correlation. >>> >>> Pairwise DIDs can be arbitrarily cheap and scalable but, as soon as my >>> identifier needs to be associated with some private claims, I need to >>> control those private claims and tokens through a service endpoint. >>> Ideally, my service endpoint should be self-sovereign and as correlation >>> resistant as the pairwise DID. Which suggests a need to have a separate >>> service endpoint for each pairwise DID. >>> >>> For convenience, a service endpoint should ideally aggregate my various >>> policies across hundreds of pairwise DIDs (the number of logins in my >>> 1Password file). This could be achieved by tumbling through an Agency that >>> I trust with loss of self-sovereignty. >>> >>> What is the recommended way for me to operate an off-chain >>> self-sovereign agent / identity hub? >>> >>> Adrian >>> >>> >>> On Fri, Aug 10, 2018 at 8:21 PM, =Drummond Reed < >>> drummond.reed@evernym.com> wrote: >>> >>>> On Fri, Aug 10, 2018 at 3:12 PM, heather vescent < >>>> heathervescent@gmail.com> wrote: >>>> >>>>> >>>>> On Fri, Aug 10, 2018 at 12:21 PM, Stephen Curran < >>>>> swcurran@cloudcompass.ca> wrote: >>>>> >>>>>> I think the model that some networks are moving to is for most DID >>>>>> Docs to be held between the communicating parties, and not pushed out to a >>>>>> public ledger. >>>>>> >>>>> >>>>> Is this really the case? Which of the ledgers are moving in this >>>>> direction? >>>>> >>>> >>>> The Sovrin ledger is "moving in this direction". So is >>>> uPort's architecture (as I understand it). >>>> >>>> >>>>> And if so, I'm curious why? >>>>> >>>> >>>> Two reasons: privacy and scalability. In summary: >>>> >>>> 1. Some DIDs and DID documents need to be public so that anyone can >>>> search for and verify them. But other DIDs that are only used as pairwise >>>> pseudonyms do not need to be public—they only need to be shared between the >>>> parties to a private relationship. In Sovrin architecture these DIDs are >>>> shared on what's called a *microledger*. Microledger code has not >>>> been fully implemented in Hyperledger Indy yet, but the same basic >>>> functionality has already been implemented in direct agent-to-agent DID/DID >>>> document exchange. >>>> 2. This also has the advantage of dramatically increasing >>>> scalability. The vast majority of microledger activity takes place >>>> "off-chain" (i.e., off of the public ledger), so it scales the same way >>>> cloud architecture does. It doesn't require the public ledger to have to >>>> scale to enormous amounts of throughput; essentially the public ledger is >>>> only needed to anchor the public DIDs of issuers of credentials that need >>>> to be widely verifiable. >>>> >>>> And also if so, can you please point me to documentation. >>>>> >>>> >>>> The Sovrin Technical Governance Board and Hyperledger Indy have not put >>>> out any official documentation yet because the code is still in >>>> development, but the basic concept is covered in the DKMS Design and >>>> Architecture document <http://bit.ly/dkmsv3> release at IIW last April. >>>> >>>> >>>> >>>>> >>>>> >>>>>> Anyone that needs to resolve the DID -> DIDDoc must be able to in >>>>>> some local manner (implementation specific), and there must be mechanisms >>>>>> to push changes from one party to the other. >>>>>> >>>>> >>>>> But the whole point of putting the DID and DID Doc on the ledger is so >>>>> they are always available. It seems counterintuitive to put the DID but not >>>>> the DID Doc on the ledger. There is no PII in the DID Doc (just a #, the >>>>> public/private key, and any endpoint links).... >>>>> >>>> >>>> A few points: >>>> >>>> 1. DIDs and DID documents that describe people are all >>>> considered personal data under GDPR ("PII" is now longer the test). >>>> 2. Sharing a pairwise pseudonymous DID, public keys, authentication >>>> methods, and endpoints publicly might not appear to have any privacy >>>> implications, but in fact they do. A simple example: if you create >>>> a pairwise pseudonymous DID that originates in your SSI wallet and is >>>> shared with only one other party in the world—and then it later shows up >>>> someplace else—you can be pretty sure who shared it without your >>>> permission. But if all your pairwise pseudonymous DIDs are published on >>>> a public ledger, you have no such assurance. >>>> 3. An agent that you control that maintains a microledger that is >>>> properly backed up can be as persistent as a public ledger without these >>>> privacy issues. >>>> >>>> >>>>> >>>>>> Those same mechanisms are need for updating the DIDDoc when it is on >>>>>> a public ledger. So, that does to some degree help with preventing >>>>>> correlation - there is not an obvious way to get the list of DIDs in active >>>>>> use for indexing and searching. In that model, the DIDs that do go on the >>>>>> public ledger are ones that people want known - e.g a public DID for an >>>>>> Enterprise to be used to start connections. >>>>>> >>>>> >>>>> This seems like making this way more complex than is necessary - in >>>>> response to my question about the black arts of correlation via watching >>>>> data flows vs capturing the actual data. I wasn't saying we have to solve >>>>> for that extremely crazy corner case, I was curious if it maps to that >>>>> similar problem... >>>>> >>>> >>>> Again, with microledgers those public correlation problems simply go >>>> away. This is similar to FIDO architecture—the pairwise pseudonymous public >>>> keys it uses to authenticate you are never stored on a public repository. >>>> >>>> >>>>> >>>>> >>>>>> >>>>>> Net traffic can be monitored going into and out of a "known endpoint" >>>>>> such as an Agency (holding many Agents) or a Hub. The plans I have seen on >>>>>> the HyperLedger Indy side are that data will be encrypted in transit - no >>>>>> plaintext - and that because the endpoint is shared by all Agents (e.g. >>>>>> many identities, each with many DIDs), it will be difficult to learn from >>>>>> just seeing the 'Net traffic. >>>>>> >>>>> >>>>> Yeah, but the endpoint is also stored in the DID Doc, and all the PII >>>>> data is stored in the wallet, or agent, or hub, or whatever cloud thing or >>>>> hardware thing you've decided to use. >>>>> >>>>> So why/how would it make sense to NOT store the DID Doc on the ledger? >>>>> >>>> >>>> I hope the answers above help. Privacy and scalability are the two >>>> driving reasons that pairwise pseudonymous DIDs exchanged "off-ledger" via >>>> private microledgers are now the default in Sovrin architecture. Public >>>> DIDs are absolutely still there because public issuers of verifiable >>>> credentials definitely still need them; they are just the exception rather >>>> than the rule. >>>> >>>> =Drummond >>>> >>> >>> >>> >>> -- >>> >>> Adrian Gropper MD >>> >>> PROTECT YOUR FUTURE - RESTORE Health Privacy! >>> HELP us fight for the right to control personal health data. >>> DONATE: https://patientprivacyrights.org/donate-3/ >>> >> >> >> >> -- >> >> Stephen Curran >> Cloud Compass Computing, Inc. (C3I) >> Technical Governance Board Member - Sovrin Foundation (sovrin.org) >> >> >> *Cell: (250) 857-109Schedule a Meeting: **https://calendly.com/swcurran >> <https://calendly.com/swcurran>* >> > > > > -- > > Adrian Gropper MD > > PROTECT YOUR FUTURE - RESTORE Health Privacy! > HELP us fight for the right to control personal health data. > DONATE: https://patientprivacyrights.org/donate-3/ >
Received on Saturday, 11 August 2018 05:08:44 UTC