- From: Daniel Hardman <daniel.hardman@evernym.com>
- Date: Tue, 2 Jul 2019 19:41:04 -0600
- To: Adrian Gropper <agropper@healthurl.com>
- Cc: W3C Credentials Community Group <public-credentials@w3.org>, Daniel Buchner <Daniel.Buchner@microsoft.com>
- Message-ID: <CAFBYrUr24zvQhan579C2mJQR1s_qrNnaeY4DYVALDRhQqCp6vQ@mail.gmail.com>
This reasoning makes sense to me. I have always felt like agents are a precondition to data management. I would be supportive of such a dedicated call. On Tue, Jul 2, 2019 at 7:33 PM Adrian Gropper <agropper@healthurl.com> wrote: > This is a fork of the Data Hubs / Aries / DIF Thread asking for a > dedicated call in CCG to discuss whether agent endpoints should be > specified _before_ data storage endpoints. > > Here's the use case and logic: > > - Alice is on the dating scene and wants an anonymous HIV test. > - Anonymous HIV tests are good public health and often free from > government or non-profits. > - Alice has her choice of where to get the HIV test. Since cost is not > an issue, she will pick the one that is most private. > - Some of the HIV test labs will support Alice's pairwise pseudonymous > DID. She picks that one. > - Alice can pick the dating service too. Other things being equal, she > will pick the one that is most privacy-preserving. > - Alice picks a dating service that supports pairwise pseudonymous > DIDs. > - Alice does not have a personal data store or a credential wallet. > - Alice's test result is available directly from the lab that does the > test to anyone with a suitable access token. The format of the result is > irrelevant as long as the recipient can understand the difference between > Positive and Negative and a Date. > - Alice operates an agent that decides semi-autonomously whether Bob > should see her test result. The agent could be proprietary to the dating > service or self-sovereign to Alice. However it's implemented, the agent > must issue a token that the lab will accept to Bob > - Although Alice has separate DIDs with the lab and the dating > service, she could be correlated if the two DIDs point to the same agent. > This is a concern that would need to be mitigated for an agent or a h.ub or > a personal data store as endpoint in her DIDs. > - From Alice’s agent, Bob's client gets a pointer to the lab and the > DID that Alice used at the lab. > - Bob's client comes to the lab bearing Alice’s DID. The lab points > Bob’s client back to Alice’s agent to get an access token. > - If Bob is evil and leaks Alice’s lab and lab DID to Carol, then > Carol’s client will likely not be able to get an access token from Alice’s > agent so Alice’s HIV status will remain confidential. > - If Bob is evil and leaks Alice’s HIV status, it will not be direct > from the lab and could have been forged by Bob. > > This use-case is important because: > > - It gives Alice market power to choose privacy-preserving service > providers (lab, dating service). This will drive adoption. Any service > provider can decide to accept a DID regardless of any other service > provider as long as the DID resolves to Alice's agent. > - Alice does not have to trust the dating service or a personal data > store intermediary. > - Alice may not need a wallet or Holder at all because no VC is issued. > - The data model and protocol for presenting the test result is more > or less irrelevant. In practice, it is not totally irrelevant because most > labs and services are multi-purpose and the access token will have to be > scoped and that implies some data model schema shared between the service > provider and the agent. > > I'm calling this "Agency First" because: > > - If Alice does choose to control a personal data store, then she can > choose a personal data store that respects her agent. Again, the market > power is in Alice's hands, or > - If Alice chooses to control a Holder then she needs to find a lab > that's willing to issue a VC and a Verifier that trusts the DID method, VP, > etc... > > Adrian > >
Received on Wednesday, 3 July 2019 01:41:39 UTC