
Surveying names for trust states above and below a single VC or DID.

From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Date: Mon, 14 Sep 2020 14:25:14 -0700
Message-ID: <CACrqygC+2hnfbqsrW6rGr3pDQ1K++7__ReWGev+yhnVkFUOZyQ@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>, Credentials Community Group <public-credentials@w3.org>
On Mon, Sep 14, 2020 at 12:56 PM Orie Steele wrote on a GitHub DID-WG issue
"Re: [w3c/did-core] need to clarify revocation vs. rotation (#386)":

>    1. "verification" is not just does the signatures match.... it's what
>    is the trust context for this... how old is this, how good is the opsec of
>    the issuer, etc....

This raises a problem for me which is that we don't have good language for
DIDs and VCs in their intermediate states, above and below, and in
particular between conforming to the data model and "verifiable" and then
continuing onward toward satisfying a complex trust context.

* Clearly one desirable state is "Verifiable" — but doesn't that mean it is
not verified yet? Clearly in VCs that is true if nothing more than that the
spec has no required trust model. So let's set that as the middle
—"Verifiable" is some level of conformity where you have sufficient data
and proofs such that you can say the VC (or DID) can be verified later.

* What are states below this level, including both error states (invalid,
revoked, missing information), but also intermediate states which include
that the data is valid but you don't understand the proof (or one of the
proofs)?  Or things like understanding or not understanding all the
context, but you have enough to know you have what you need? What are these
"pre-verifiable" states called?

* What are states above the "verifiable" level, including needed other DIDs
or VCs referred to that also need to be fetched before the DID or VC can be
fully passed to a trust model for final approval? What is it actually called
when you've confirmed everything (all the linked data outside of the DID
VC) is verified, but you've not checked things like out-of-band revocation?
What is it called when you've not passed it through a trust model? What is
the ultimate result called, when you've done all the work, and the trust
model at the end says "Ok"?

I'd really like to see some clarity here, as when I'm working with others
who don't have 5+ years of socializing on VC and DID issues, they get very
confused because our current major platforms use different language for
these states. And the insiders that do have that socialization are making
assumptions about similar words of others that may not be correct.

For now, can we start with a survey? Please share what YOU call these
intermediate states above and below a "Verifiable Claim" specifically, and
also if they are different from the same states above and below a DID?

In particular, I'd love Sam to say what they are for KERI, someone from
Sovrin, someone from DIF, and someone from Digital Bazaar.


— Christopher Allen
Received on Monday, 14 September 2020 21:26:08 UTC
