Agency First

This is a fork of the Data Hubs / Aries / DIF Thread asking for a dedicated
call in CCG to discuss whether agent endpoints should be specified _before_
data storage endpoints.

Here's the use case and logic:

   - Alice is on the dating scene and wants an anonymous HIV test.
   - Anonymous HIV tests are good public health and often free from
   government or non-profits.
   - Alice has her choice of where to get the HIV test. Since cost is not
   an issue, she will pick the one that is most private.
   - Some of the HIV test labs will support Alice's pairwise pseudonymous
   DID. She picks that one.
   - Alice can pick the dating service too. Other things being equal, she
   will pick the one that is most privacy-preserving.
   - Alice picks a dating service that supports pairwise pseudonymous DIDs.
   - Alice does not have a personal data store or a credential wallet.
   - Alice's test result is available directly from the lab that does the
   test to anyone with a suitable access token. The format of the result is
   irrelevant as long as the recipient can understand the difference between
   Positive and Negative and a Date.
   - Alice operates an agent that decides semi-autonomously whether Bob
   should see her test result. The agent could be proprietary to the dating
   service or self-sovereign to Alice. However it's implemented, the agent
   must issue a token that the lab will accept to Bob
   - Although Alice has separate DIDs with the lab and the dating service,
   she could be correlated if the two DIDs point to the same agent. This is a
   concern that would need to be mitigated for an agent or a h.ub or a
   personal data store as endpoint in her DIDs.
   - From Alice’s agent, Bob's client gets a pointer to the lab and the DID
   that Alice used at the lab.
   - Bob's client comes to the lab bearing Alice’s DID. The lab points
   Bob’s client back to Alice’s agent to get an access token.
   - If Bob is evil and leaks Alice’s lab and lab DID to Carol, then
   Carol’s client will likely not be able to get an access token from Alice’s
   agent so Alice’s HIV status will remain confidential.
   - If Bob is evil and leaks Alice’s HIV status, it will not be direct
   from the lab and could have been forged by Bob.

This use-case is important because:

   - It gives Alice market power to choose privacy-preserving service
   providers (lab, dating service). This will drive adoption. Any service
   provider can decide to accept a DID regardless of any other service
   provider as long as the DID resolves to Alice's agent.
   - Alice does not have to trust the dating service or a personal data
   store intermediary.
   - Alice may not need a wallet or Holder at all because no VC is issued.
   - The data model and protocol for presenting the test result is more or
   less irrelevant. In practice, it is not totally irrelevant because most
   labs and services are multi-purpose and the access token will have to be
   scoped and that implies some data model schema shared between the service
   provider and the agent.

I'm calling this "Agency First" because:

   - If Alice does choose to control a personal data store, then she can
   choose a personal data store that respects her agent. Again, the market
   power is in Alice's hands, or
   - If Alice chooses to control a Holder then she needs to find a lab
   that's willing to issue a VC and a Verifier that trusts the DID method, VP,
   etc...

Adrian

Received on Wednesday, 3 July 2019 01:33:38 UTC