Surveying names for trust states above and below a single VC or DID. from Christopher Allen on 2020-09-14 (public-credentials@w3.org from September 2020)

From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Date: Mon, 14 Sep 2020 14:25:14 -0700
To: Orie Steele <orie@transmute.industries>, Credentials Community Group <public-credentials@w3.org>
Message-ID: <CACrqygC+2hnfbqsrW6rGr3pDQ1K++7__ReWGev+yhnVkFUOZyQ@mail.gmail.com>

On Mon, Sep 14, 2020 at 12:56 PM Orie Steele wrote on a github DID-WG issue
"Re: [w3c/did-core] need to clarify revocation vs. rotation (#386)
<https://github.com/w3c/did-core/issues/386#issuecomment-692279254>":

>
>    1. "verification" is not just does the signatures match.... its what
>    is the trust context for this... how old is this, how good is the opsec of
>    the issuer, etc....
>
> This raises a problem for me which is that we don't have good language for
DIDs and VCs in their intermediate states, above and below, and in
particular between conforming to the data model and "verifiable" and then
continuing onward toward satisfying a complex trust context.

* Clearly one desirable state is "Verifiable" — but doesn't that mean it is
not verified yet? Clearly in VCs that is true if nothing more than that the
spec has no required trust model. So lets set that as the middle
—"Verifiable" is some level of conformity where you have sufficient data
and proofs such that you can say the VC (or DID) can be verified later.

* What are states below this level, including both error states (invalid,
revoked, missing information), but also intermediate states which include
that the data is valid but you don't understand the proof (or one of the
proofs)?  Or things like understanding or not understanding all the
context, but you have enough to know you have what you need? What are these
"pre-verifiable" states called?

* What are states above the "verifiable" level, including needed other DIDs
or VCs referred to that also need to be fetched before the DID or VC can be
fully passed to a trust model for final approval? What is actually called
when you've confirmed everything (all the linked data outside of the DID
VC) is verified, but you've not checked things like out-of-band revocation?
What is it called when you've not passed it through a trust model? What is
the ultimate result called, when you've done all the work, and the trust
model at the end says "Ok"?

I'd really like to see some clarity here, as when I'm working with others
who don't have 5+ years of socializing on VC and DID issues get very
confused because our current major platforms use different language for
these states. And the insiders that do have that socialization are making
assumptions about similar words of others that may not be correct.

For now, can we start with a survey? Please share what YOU call these
intermediate states above and below a "Verifiable Claim" specifically, and
also if they are different from the same states above and below a DID?

In particular, I'd love Sam to say what they are for KERI, someone from
Sovrin, someone from DIF, and someone from Digital Bazarr.

Thanks!

— Christopher Allen

Received on Monday, 14 September 2020 21:26:08 UTC