Re: [Hyperledger Indy] concerns about personal data hubs, identity hubs, EDV from Markus Sabadello on 2019-11-18 (public-credentials@w3.org from November 2019)

From: Markus Sabadello <markus@danubetech.com>
Date: Mon, 18 Nov 2019 20:16:43 +0100
To: daniel.hardman@evernym.com, Manu Sporny <msporny@digitalbazaar.com>
Cc: Daniel Buchner <daniel.buchner@microsoft.com>, Sam Curren <telegramsam@gmail.com>, "indy@lists.hyperledger.org" <indy@lists.hyperledger.org>, Rouven Heck <rouven.heck@consensys.net>, W3C Credentials CG <public-credentials@w3.org>, Tobias Looker <tobias.looker@mattr.global>, Orie Steele <orie@transmute.industries>, Dmitri Zagidulin <dzagidulin@gmail.com>
Message-ID: <66892c2e-dbbf-7e96-2134-3b779f3527f5@danubetech.com>

I agree that both aspects of SSI are important, and that reliance on
classic CAs breaks SSI principles.

But regarding your first point, I don't think there's a difference
between the agent concept and hub concept in terms of how the respective
communities feel about disintermediation.
I believe the narratives are that hubs and agents can either be
self-hosted, or hosted by third parties, with the same pros and cons in
each case.
At least that's how it should be, maybe I missed something there.

Anyway, also +1 to secure communication with agents/hubs in a way that's
rooted in DIDs (e.g. using DIDComm, but could also be DID-TLS or
something else).

Markus

On 11/18/19 4:46 PM, Daniel Hardman wrote:
> This email is a comment about the architecture that's beginning to
> coalesce around the data hub concept. It is not me trying to derail
> the effort--I think it's good and important--but me trying to raise a
> cautionary flag and trigger some thoughtful dialog.
>
> In our understandable enthusiasm to solve a nagging problem for
> everyone, I am worried that we might end up losing two aspects of SSI
> that matter a lot:
>
> 1. disintermediation
> 2. identity through DIDs
>
> Regarding disintermediation, a core value that I see in SSI is the
> notion that I--not some third party with a paternalistic posture that
> I have to trust to get anything done--am the authority for myself. If
> people want my data, they have to get it from me. If they want to see
> my credentials, they have to ask me for them, not somebody else. If
> they want my consent, they have to ask me for it, not somebody else.
> If I want to audit what's happening, I audit my own records, not
> somebody else's.
>
> To the extent that the posture of a hub is closer to a brokering
> service for my data, configured by me but operated by a third party
> that requires me to trust it, I think this aspect of self-sovereignty
> is seriously weakened. The notion that I am putting the data into the
> hub in encrypted form does not, in and of itself, alleviate this
> concern for me; however, how the encryption is controlled might make
> me more or less concerned. Portability of data out of the hub into a
> different hub or something that's not a hub at all would make a
> difference, too.
>
> Now, I get that not everybody in our decentralized identity circles is
> explicitly pursuing SSI. Some of us will be perfectly content to
> building something that's decentralized but not self-sovereign. And
> that is fine, IMO. But I would like the architecture of hubs not to
> _preclude_ self-sovereign versions of hubs. This means that I would
> like it to be possible for Alice to put a hub interface behind her own
> identity (and her own DID) rather than the identity of a third party
> hub-serving intermediary. If we can design hub interfaces such that
> this is a first-class mode of operation, I will feel cheerful about
> this issue.
>
> Regarding identity through DIDs: it feels ironic to me that we have
> spent vast amounts of energy talking about how to prove control of an
> identifier associated with a particular identity subject, through the
> DID mechanism--and we then throw our wood/energy behind an approach
> that exposes all personal data through intermediaries, where those
> intermediaries interact in both directions through a different
> security mechanism (TLS with certs and logins/API keys). If hubs are
> as important to identity as we think, and they take off, and if they
> are exclusively TLS-centric, we've basically cut the legs out from
> under DIDs.
>
> I get that RESTful, TLS-central interaces are ubiquitous and easy, so
> it's worth exposing them. I am not opposed to a hub mechanism that
> _includes_ that sort of interface; what I am worried about is a hub
> mechanism that doesn't _also_ include a mechanism secured by DIDs and
> their keys, such that builders of hubs don't get limited just to orgs
> with certs and trust derived from CAs (the very trust architecture we
> are hoping to upgrade). Therefore, I am looking for any spec that gets
> written to include the ability to interface with hubs over DIDComm.
> This means that in the non-TLS mode, I ought to be able to
> authenticate the hub itself, plus any party that interacts with a hub,
> using the keys in my DID doc, NOT using certs and logins and API keys.
>
> _._,_._,_
> ------------------------------------------------------------------------
> Links:
>
> You receive all messages sent to this group.
>
> View/Reply Online (#476)
> <https://lists.hyperledger.org/g/indy/message/476> | Reply To Sender
> <mailto:daniel.hardman@evernym.com?subject=Private:%20Re:%20%5BHyperledger%20Indy%5D%20concerns%20about%20personal%20data%20hubs%2C%20identity%20hubs%2C%20EDV>
> | Reply To Group
> <mailto:indy@lists.hyperledger.org?subject=Re:%20%5BHyperledger%20Indy%5D%20concerns%20about%20personal%20data%20hubs%2C%20identity%20hubs%2C%20EDV>
> | Mute This Topic <https://lists.hyperledger.org/mt/60205429/952282> |
> New Topic <https://lists.hyperledger.org/g/indy/post>
>
> Your Subscription
> <https://lists.hyperledger.org/g/indy/editsub/952282> | Contact Group
> Owner <mailto:indy+owner@lists.hyperledger.org> | Unsubscribe
> <https://lists.hyperledger.org/g/indy/unsub> [markus@danubetech.com]
>
> _._,_._,_

Received on Monday, 18 November 2019 19:17:18 UTC