Re: Surveying names for trust states above and below a single VC or DID.

Dear all,
if that may help as an input,
https://www.etsi.org/deliver/etsi_ts/119100_119199/11910201/01.02.01_60/ts_11910201v010201p.pdf

(par. 5) has an elaborate model of what “validation” means in the context of advanced digital signatures. Obviously, it only partly matches the VC verification process.
Best,

--luca

From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Sent: Monday, 14 September 2020 23:25
To: Orie Steele <orie@transmute.industries>; Credentials Community Group <public-credentials@w3.org>
Subject: Surveying names for trust states above and below a single VC or DID.

On Mon, Sep 14, 2020 at 12:56 PM Orie Steele wrote on a GitHub DID-WG issue "Re: [w3c/did-core] need to clarify revocation vs. rotation (#386)" <https://github.com/w3c/did-core/issues/386#issuecomment-692279254>:

  1.  "verification" is not just do the signatures match.... it's what is the trust context for this... how old is this, how good is the opsec of the issuer, etc....

This raises a problem for me which is that we don't have good language for DIDs and VCs in their intermediate states, above and below, and in particular between conforming to the data model and "verifiable" and then continuing onward toward satisfying a complex trust context.

* Clearly one desirable state is "Verifiable" — but doesn't that mean it is not verified yet? Clearly in VCs that is true if nothing more than that the spec has no required trust model. So let's set that as the middle — "Verifiable" is some level of conformity where you have sufficient data and proofs such that you can say the VC (or DID) can be verified later.

* What are states below this level, including both error states (invalid, revoked, missing information), but also intermediate states which include that the data is valid but you don't understand the proof (or one of the proofs)?  Or things like understanding or not understanding all the context, but you have enough to know you have what you need? What are these "pre-verifiable" states called?

* What are states above the "verifiable" level, including needed other DIDs or VCs referred to that also need to be fetched before the DID or VC can be fully passed to a trust model for final approval? What is it actually called when you've confirmed everything (all the linked data outside of the DID VC) is verified, but you've not checked things like out-of-band revocation? What is it called when you've not passed it through a trust model? What is the ultimate result called, when you've done all the work, and the trust model at the end says "Ok"?

I'd really like to see some clarity here, as when I'm working with others who don't have 5+ years of socializing on VC and DID issues, they get very confused because our current major platforms use different language for these states. And the insiders that do have that socialization are making assumptions about similar words of others that may not be correct.

For now, can we start with a survey? Please share what YOU call these intermediate states above and below a "Verifiable Claim" specifically, and also if they are different from the same states above and below a DID?

In particular, I'd love Sam to say what they are for KERI, someone from Sovrin, someone from DIF, and someone from Digital Bazaar.

Thanks!

— Christopher Allen

Received on Tuesday, 15 September 2020 06:25:35 UTC