There are three slightly divergent issues brought up in this discussion that I'd like to make clear my thoughts on:

* There is nothing that stops an organization from reproducing certificate authority style models or other centralized models using self-sovereign technologies. However, I will fight against that style being mandated in open standards in any form. I didn't object strongly enough against the risks of X.509, certificate authority models, and browser control of root certificates when I co-authored SSL/TLS, and I don't want us to make that same mistake again.

* Many of these scenarios do not adequately allow parties at the edges to choose who they trust. Again, in the DID/VC architecture all parties are peers and can offer any role. I'm fine if someone chooses to only trust parties trusted by someone else, but again, it should not be mandated. I worry that some solutions offered will not allow the edges to choose. I also worry that many of the scenarios shared so far do not adequately separate identity assurance, claim verification, authorization, etc.

* Be aware that the future will be moving toward multisignature scenarios. I may use a 3 of 5 collaborative control set under my personal authority to demonstrate control of my self-sovereign DID, and I may also have a 4 of 9 set of keys for people that are authorized to revoke my control, or 5 of 9 that have authority to give it to a new party (ideally me in case of a catastrophe, but maybe my heirs). Many of these scenarios may be better addressed by multisig threshold scenarios as well. For instance, presenting an aggregation signature of 3 of 5 verifiable claims from different issuers could be used to authorize something greater, without having to "phone home" to the issuers for the greater authority.

-- Christopher Allen

Received on Saturday, 1 August 2020 00:43:50 UTC
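The k-of-n threshold check described in the last bullet, as an added example that is not part of the original post or of any DID/VC specification. It assumes Ed25519 keys (the post names no signature scheme) and models the "3 of 5 claims from different issuers" case as a collection of independent signatures over the same statement rather than a true aggregate signature; the verifier holds the five public keys and authorizes locally, with no call back to the issuers. The `ThresholdPolicy`, `Signer` and `Scenario` names and the claim text are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is one member of a threshold control set (a DID controller key, or
// an issuer key in the 3-of-5 claims scenario). Index is its position in the
// policy's key list. Hypothetical type for this example.
type Signer struct {
	Index     int
	Signature []byte
}

// ThresholdPolicy is a k-of-n rule: at least Threshold distinct keys from Keys
// must have produced a valid signature over the same message.
type ThresholdPolicy struct {
	Threshold int
	Keys      []ed25519.PublicKey
}

// Verify checks a collection of independent signatures locally; no issuer or
// controller is contacted, possession of the public keys is enough.
// It returns true when Threshold distinct keys verify. The same key presented
// twice counts once; an invalid or unknown-index signature counts zero.
func (p ThresholdPolicy) Verify(msg []byte, sigs []Signer) bool {
	if p.Threshold <= 0 || p.Threshold > len(p.Keys) {
		return false // malformed policy: never authorize
	}
	seen := make(map[int]bool)
	for _, s := range sigs {
		if s.Index < 0 || s.Index >= len(p.Keys) || seen[s.Index] {
			continue
		}
		if ed25519.Verify(p.Keys[s.Index], msg, s.Signature) {
			seen[s.Index] = true
		}
	}
	return len(seen) >= p.Threshold
}

// keyset generates n fresh Ed25519 key pairs (constructed test material).
func keyset(n int) ([]ed25519.PublicKey, []ed25519.PrivateKey) {
	pubs := make([]ed25519.PublicKey, n)
	privs := make([]ed25519.PrivateKey, n)
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs[i], privs[i] = pub, priv
	}
	return pubs, privs
}

// Scenario runs the 3-of-5 case from the post and returns the outcome of four
// presentations against the same policy.
func Scenario() (threeOfFive, twoPlusForged, duplicateKey, wrongMessage bool) {
	pubs, privs := keyset(5)
	policy := ThresholdPolicy{Threshold: 3, Keys: pubs}
	claim := []byte("constructed claim: holder may open the vault") // constructed input

	sign := func(i int, m []byte) Signer {
		return Signer{Index: i, Signature: ed25519.Sign(privs[i], m)}
	}

	// Three distinct valid signers: authorized.
	threeOfFive = policy.Verify(claim, []Signer{sign(0, claim), sign(2, claim), sign(4, claim)})

	// Two valid plus one forged (all-zero bytes): below threshold.
	forged := Signer{Index: 1, Signature: make([]byte, ed25519.SignatureSize)}
	twoPlusForged = policy.Verify(claim, []Signer{sign(0, claim), sign(2, claim), forged})

	// The same key presented three times counts once.
	duplicateKey = policy.Verify(claim, []Signer{sign(3, claim), sign(3, claim), sign(3, claim)})

	// Valid signatures, but over a different statement: rejected.
	other := []byte("constructed claim: a different statement")
	wrongMessage = policy.Verify(claim, []Signer{sign(0, other), sign(1, other), sign(2, other)})
	return
}

func main() {
	a, b, c, d := Scenario()
	fmt.Printf("3 of 5 valid: %v\n2 valid + 1 forged: %v\nduplicate key: %v\nwrong message: %v\n", a, b, c, d)
}
```

The same `ThresholdPolicy` shape covers the other sets in the post (a 4 of 9 revocation set, a 5 of 9 recovery set) by changing the threshold and key list; what differs is only which action each policy is allowed to authorize, which is the separation of control, revocation and recovery the post is arguing for.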