W3C home > Mailing lists > Public > public-credentials@w3.org > August 2020

Re: A question on best practices for dependent claims

From: steve capell <steve.capell@gmail.com>
Date: Sun, 2 Aug 2020 08:13:11 +1000
Message-ID: <CAEMprt+DXCoYqtnqGL=oMoRC1fc6x5=R+ZfMd6+ZMu9WW6AsLg@mail.gmail.com>
To: David Chadwick <D.W.Chadwick@kent.ac.uk>
Cc: W3C Credentials CG <public-credentials@w3.org>
ah I see what Chris etc means now (i think).

Yes, absolutely - the software that interacts with the user for certificate
verification will make the trust root very obvious - usually some
government domain like abf.gov.au.  Or if it's a straight through machine
processor then I'd expect the client code to verify that trust root is a
.gov.[country tld] domain where the country is the exporting jurisdiction.



On Sat, 1 Aug 2020 at 23:09, David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:

>
> On 01/08/2020 01:43, Christopher Allen wrote:
> > There are three slightly divergent issues brought up in this
> > discussion that I'd like to make clear my thoughts on:
> >
> > * There is nothing that stops an organization from reproducing a
> > certificate authority style models or other centralized models using
> > self-sovereign technologies. However, I will fight against that style
> > being mandated in open standards in any form — I didn't object
> > strongly enough against the risks of X.509, certificate authority
> > models, and browser control of root certificates when I co-authored
> > SSL/TLS, and I don't want us to make that same mistake again.
>
> There are actually two separate issues in the above: certificate trust
> chains, and who controls the root of trust. One way that X.509/TLS went
> wrong, as you say, was making the browser control the roots of trust
> without the user having much knowledge or say about the issue (even
> though in practice these trust lists are configurable, few users know
> how to do this.) On the other hand, I suggest that certificate trust
> chains will be part of most (possibly all) VC ecosystems, and there is
> nothing wrong with these. Steve's use case is a good example of where
> they admirably solve a problem. Controlling the roots of trust must be
> done by the verifier, and any software that tries to build these in
> without giving the verifier much control (aka the browser and TLS) is
> bad software that verifiers should refuse to install. So I think we are
> in agreement that the verifier is king, and must be in control of the
> roots of trust
>
> kind regards
>
> David
>
> >
> > * Many of these scenarios do not adequately allow parties at the edges
> > to choose who they trust. Again, in the DID/VC architecture all
> > parties are peers and can offer any role. I'm fine someone chooses to
> > only trust parties trusted by someone else, but again, it should not
> > be mandated. I worry that some solutions offered will not allow
> > the edges to choose. I also worry that many of the scenarios shared so
> > far do not adequately separate identity assurance, claim verification,
> > authorization, etc.
> >
> > * Be aware that the future will be moving toward multisignature
> > scenarios. I may use a 3 of 5 collaborative control set under my
> > personal authority to demonstrate control of my self-sovereign DID,
> > and I may also have a 4 of 9 set of keys give people that are
> > authorized to revoke my control or 5 of 9 that have authority to give
> > it to a new party (ideally me in case of a catastrophe, buy maybe my
> > heirs.) Many of these scenarios may be better addressed by multisig
> > threshold scenarios as well. For instance, presenting an aggregation
> > signature of 3 of 5 verifiable claims from different issuers could be
> > used to authorize something greater, without having to "phone home" to
> > the issuers for the greater authority.
> >
> > — Christopher Allen
> >
> >
> >
>
>

-- 
Steve Capell
Received on Saturday, 1 August 2020 22:13:36 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 1 August 2020 22:13:37 UTC