RE: WoN Re: Public consultation on EU digital principles

Conflation Alert!!!

Identifying, or even binding a legal jurisdiction to a VC is very different from, and has a different primary goal from surfacing information that a verifier can use to evaluate the risk of accepting claims as presented within said VC. 

IMHO, the former, while complicated, is far less complicated than the latter because the latter is always context specific and often temporal. Paraphrasing Alan Karp: I trust my bank and I trust my brother, but I don't trust the bank with my kids and I don't trust my brother with my money. Things just get more complex from there. Do I trust my bank with my money in every situation? Will others trust that my bank has performed adequate due diligence to prove my identity if I share it with them? What about this year, next year? The temptation is to throw up our hands and just push as much detail as possible onto the verifier to figure out on their own, or worse create a meta language that attempts to codify arbitrary context, authority, permissions, etc. ... and then push that onto the verifier to figure out. Personally, I think the sweet spot is focusing on getting to the shortest possible path between recipient of a claim and a single 'authority' that the recipient *already recognizes and trusts in the context of the transaction*. I get this will not always be possible and would often require trusted organizations to step up and perhaps take on additional liability when making claims.

...and I still like the idea of binding a legal jurisdiction - independent from the larger question of evaluating the claims themselves.

-S

-----Original Message-----
From: Henry Story <henry.story@gmail.com> 
Sent: Wednesday, August 4, 2021 2:05 PM
To: steve.e.magennis@gmail.com
Cc: David Chadwick <d.w.chadwick@verifiablecredentials.info>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Re: WoN Re: Public consultation on EU digital principles



> On 4. Aug 2021, at 19:02, <steve.e.magennis@gmail.com> <steve.e.magennis@gmail.com> wrote:
> 
> I think this is an important topic and I like the general concept of cryptographically binding VCs to a legal jurisdiction, or be noticeably NOT bound to a legal jurisdiction. I’m hoping to see more discussion around this.
>  
> Some thoughts:
>  
> Legal actions are (should be) a backstop of last resort as a way to prevent people from using rocks and sticks to settle disputes. In the majority of cases the legal framework should be there to provide guidance and encourage participants to 'do the right thing' but otherwise remain dormant. From this perspective, simply and clearly communicating the rules by which any issuer/holder/verifier transaction is subject I see as a good thing.
>  
> …However, from a practical standpoint there are a number of sticky issues that would need to be managed:
>  • Under what authority would a VC be bound to a legal jurisdiction? 
>  • Could an individual issuer/holder/verifier unilaterally commit themselves to a legal jurisdiction?
>  • Would binding be imposed by a government based on the legal residency of the participant or something else?
>  • Would a government be able or willing to be the authority to bind jurisdictions to a large number of VCs? In the non-VC world, contracts typically assert a legal jurisdiction under which they operate and only if/when legal proceedings begin will the assertion of jurisdiction be validated. In the VC world, presumably a government authority would pre-emptively assert a jurisdiction(?)
>  • In complex cases there would likely be issues of overlapping / conflicting jurisdictions and rules that might only be resolvable during legal proceedings

yes, those are difficult legal/technical questions that would require focused cross-disciplinary work guided by well defined use cases to answer. Something for a W3C Workshop to look into?

https://lists.w3.org/Archives/Public/www-tag/2020Sep/0000.html

It may be interesting to take a simple case such as age based VCs.

For those to work, one would need an agreed upon way to describe an institution that is able to give out age credentials. Then there has to be a way for a registrar to publish data about that institution using that vocabulary. Perhaps something like:

<https://www.accscheme.com/> a gov:AgeCheckService .

Or the state (e.g. https://gov.uk/ ) could point to a list of such institutions. 
Just like the state should point to the major registrars on its territory, with some description of what type of registrars they are.

Then we need links between states, so that each of us can add our own legal trust anchor to our browser and the diplomatic web of trust can allow browsers to follow links from one trust anchor (e.g. https://usa.gov ) to others. 

Trust anchors should be able to specify warnings feeds where they could publish data regarding particular companies in other countries, so that a country does not need to completely sever all links to another country for a few bad apples.

I suggested those could be displayed in something like the Apple Touch bar here:
   https://medium.com/cybersoton/phishing-in-context-9c84ca451314


> Lastly, I’ll get on my soapbox and say that it is not infrequently the case where more information IS NOT better. It may be great, for example, that I know a particular VC is bound to the legal jurisdiction of SomeWhereistan, but unless I have a relevant and meaningful understanding of the rules of the jurisdiction, it affords me little value with respect to evaluating the risk associated with a VC.

In the browsers the problem is currently the opposite I think: the information given about sites is way too poor to be of interest.  

I have a few screenshots here that show just how poor the information is currently
https://medium.com/cybersoton/stopping-https-phishing-42226ca9e7d9

Of what interest is it to most people that they can find out the physical address of the headquarters of a company?

The information has to be rich enough to be of interest to people, so that they want to go there regularly. But it should not be overwhelming either. 

But you are right: one country may be very strict on age based credentials, another one so lax as for them to be meaningless. So that does speak to there needing to be some way for a government to add warnings to claims made by other countries, or even propose translations.


>  
> OK, now really lastly. I also think in very many cases, many of these ideas can and should be applied to binding VCs to non-legal jurisdictions. Specifically trusted entities like industry associations, standards bodies, etc whose brand seeks to convey trust to their membership by establishing rules and compliance activities. 

Yes, the proposed architecture should make it possible for people to have any number of trust anchors. 
One could have international bodies like the EU, the commonwealth or the UN too in there.

To start one would perhaps even have more ad-hoc networks such as standards bodies.

>  
> -S
>  
>  
> -----Original Message-----
> From: Henry Story <henry.story@gmail.com>
> Sent: Wednesday, August 4, 2021 8:53 AM
> To: David Chadwick <d.w.chadwick@verifiablecredentials.info>
> Cc: W3C Credentials CG (Public List) <public-credentials@w3.org>
> Subject: WoN Re: Public consultation on EU digital principles
>  
> Hi all,
>  
> There is a need for a global, decentralised, geopolitically relevant trust system that reflects international law. It is not technically difficult to do, all the pieces are in place, and it is needed for a lot more than Verifiable Claims.
>  
> I wrote this up a couple of years ago as part of my 2nd year PhD report (on hold as I ran out of money), and summarized it in this PDF.
> It’s a real simple application of linked data
>  
> https://co-operating.systems/2020/06/01/WoN.pdf
>  
> I have not had time to translate that doc to HTML, but it actually points to a number of earlier blog posts all in HTML. For example this blog post describing 13 use cases
>  
> https://medium.com/@bblfish/use-cases-for-the-web-of-nations-361c24d5eaee
>  
> Perhaps that can be brought into the consultation process?
>  
> Henry
>  
>  
> > On 4. Aug 2021, at 17:30, David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
> > 
> > All verifiers should be able to be configured with Issuers that they trust. So configuring with *.gov.country should be a viable option for a verifier. In this case a trust list is not needed because you already know your trusted issuers.
> > 
> > If you want to have a trust chain that goes from gov.country to unknown.issuer to holder.vc that is also fine because you have an unbroken chain of trust, effectively with delegation of authority from gov.country to the unknown.issuer. But this is somewhat different to an attribute attestation service. It's an issuer attestation service (regardless of the attributes the unknown.issuer asserts). So let's not mix up concepts.
> > 
> > Kind regards
> > 
> > David
> > 
> > On 04/08/2021 10:06, Steve Capell wrote:
> >> Not sure that you need a published trust list in all cases.  As you suggest, if both issuer and attestation provider are equivalently “unknown” then there’s little value.  But that’s rarely the case.
> >> The whole point of attestations is that they are made by trusted parties.  For example
> >> - a national health authority attests to the accreditation status of an otherwise unknown clinic that issues a vaccination cert
> >> - a customs authority attests to the business identity and trusted trader status of an otherwise unknown issuer of a declaration of origin
> >> - and so on
> >> 
> >> In these cases I really only care that the attestation comes from *.gov.au or *.gov.uk . I don’t really need a list to check that Australia or the United Kingdom governments exist or to decide whether to trust them - do I?
> >> 
> >> Steven Capell
> >> Mob: 0410 437854
> >> 
> >>> On 4 Aug 2021, at 6:43 pm, David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
> >>> 
> >>> 
> >>> Hi Luca
> >>> 
> >>> This makes more sense. Simplify is more correct than shorten. But it is still a spurious argument.
> >>> 
> >>> This is because you are comparing apples and oranges. You are saying that if we get an issuer we don't recognise then it is complex to resolve this, so the holder should replace the issuer with an attribute attestation service that we do recognise. But what if you don't recognise the attribute attestation service that the holder has used to replace the issuer (e.g. one from Somewherestan)? You have solved nothing. An unknown issuer and an unknown attribute attestation service are just as value-less, whilst a known issuer and a known attribute attestation service may be just as valuable to the RP.
> >>> 
> >>> So using an attribute attestation service is only of value if the RP (or EU) publishes the list of trusted issuers (which can include genuine issuers and attribute attestation services, as the two are indistinguishable from a trust perspective (unless the trust list describes the differences)) and tells the users that they must get VCs from issuers in this trusted list otherwise the RP won't be able to interact with them.
> >>> 
> >>> I think your comment really boils down to the fact that trust lists are really needed (which is exactly what the TRAIN project has produced, as part of eSSIF-lab).
> >>> 
> >>> Kind regards
> >>> 
> >>> David
> >>> 
> >>> 
> >>> 
> >>> On 03/08/2021 07:21, Luca Boldrin wrote:
> >>>> Correct, Steve.
> >>>> In general, “shorten” should perhaps be replaced with “simplify”. 
> >>>> Indeed, validating a credential issued by an unknown issuer requires a complex process of gathering information about that issuer (when available), and taking risk-based decisions.
> >>>> In the “qualified attribute attestation” model you just check that the attester is listed in the EU trust list, liability is clear.
> >>>> The model has drawbacks as well…
> >>>> Best,
> >>>>  
> >>>> --luca
> >>>>  
> >>>>  
> >>>>  
> >>>> From: Steve Capell <steve.capell@gmail.com>
> >>>> Sent: Tuesday, 3 August 2021 02:28
> >>>> To: David Chadwick <d.w.chadwick@verifiablecredentials.info>
> >>>> Cc: public-credentials@w3.org
> >>>> Subject: Re: Public consultation on EU digital principles
> >>>>  
> >>>> ATTENTION: This e-mail comes from outside the organisation. Do not click on links or open attachments unless you recognise the sender and know that the content is safe.
> >>>> I assumed that it meant a shorter trust chain from the verifier perspective
> >>>>  
> >>>> For example
> >>>> - option 1: clinic issues covid cert to subject.  Health authority issues accreditation cert to clinic.  There is some kind of hash link connection from covid vax cert to clinic accreditation cert. Verifier must follow links and verify both
> >>>> - option 2: clinic does covid jab and requests certificate issuing directly from national authority (Oracle as issuer pattern). Verifier just verified the one cert and trusts the national authority
> >>>> 
> >>>> Steven Capell
> >>>> Mob: 0410 437854
> >>>> 
> >>>> 
> >>>> On 3 Aug 2021, at 6:11 am, David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
> >>>> 
> >>>> 
> >>>> Hi Luca
> >>>> 
> >>>> I am interested to know how the introduction of an attribute 
> >>>> attestation service, presumably between the issuer and holder, 
> >>>> can shorten the trust chain. One would have thought that it would 
> >>>> do the opposite
> >>>> 
> >>>> Kind regards
> >>>> 
> >>>> David
> >>>> 
> >>>> On 02/08/2021 17:43, Luca Boldrin wrote:
> >>>> Hi Manu,
> >>>> the consultation is an online survey that anyone can fill in. In parallel the EU Commission is conducting many one-to-one discussions with different stakeholders.
> >>>> One of the most relevant aspects under discussion is probably related to “attribute attestation service”, which is a trusted third party acting on behalf of the issuer (to shorten the trust chain):
> >>>> <image002.jpg>
> >>>> (from 
> >>>> https://ec.europa.eu/newsroom/dae/redirection/document/76608)
> >>>>  
> >>>> I would appreciate any views on that.
> >>>> Best,
> >>>> --luca
> >>>>  
> >>>>  
> >>>> From: Snorre Lothar von Gohren Edwin <snorre@diwala.io>
> >>>> Sent: Monday, 2 August 2021 15:00
> >>>> To: Manu Sporny <msporny@digitalbazaar.com>
> >>>> Cc: W3C Credentials CG <public-credentials@w3.org>
> >>>> Subject: Re: Public consultation on EU digital principles
> >>>>  
> >>>> ATTENTION: This e-mail comes from outside the organisation. Do not click on links or open attachments unless you recognise the sender and know that the content is safe.
> >>>> Has anyone attended these or done any consultation? 
> >>>> Any specific parts that were addressed?
> >>>>  
> >>>> On Thu, Jul 8, 2021 at 4:18 PM Manu Sporny <msporny@digitalbazaar.com> wrote:
> >>>> For those that don't know about it yet, the EU has opened a 
> >>>> consultation, running through Sept 2021, to get input on future 
> >>>> EU digital principles. Folks that have an opinion (I expect many 
> >>>> in this group) may want to join and provide input.
> >>>> 
> >>>> https://digital-strategy.ec.europa.eu/en/news/europes-digital-decade-commission-launches-consultation-and-discussion-eu-digital-principles
> >>>> 
> >>>> -- manu
> >>>> 
> >>>> --
> >>>> Manu Sporny - https://www.linkedin.com/in/manusporny/
> >>>> Founder/CEO - Digital Bazaar, Inc.
> >>>> News: Digital Bazaar Announces New Case Studies (2021) 
> >>>> https://www.digitalbazaar.com/
> >>>> 
> >>>> 
> >>>> 
> >>>> 
> >>>>  
> >>>> --
> >>>> Snorre Lothar von Gohren Edwin
> >>>> Co-Founder & CTO, Diwala
> >>>> +47 411 611 94
> >>>> www.diwala.io
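The verifier side of the two options Steve Capell sketches (follow a hash link from the vaccination cert to the clinic's accreditation cert, or accept a cert issued directly by the national authority), combined with David Chadwick's point that a verifier is simply configured with the issuers it trusts (e.g. *.gov.au), as an added example that is not code from any message in this thread. The issuer names, keys, credential layout and the HMAC stand-in for real signatures are all constructed assumptions:

```python
import fnmatch, hashlib, hmac, json
# Constructed stand-in for signature checking: each issuer shares an HMAC key
# with the verifier. A real verifier would check a public-key proof instead.
ISSUER_KEYS = {"clinic-42.example": b"clinic-key", "health.gov.au": b"gov-key"}

def canonical(doc):
    # Deterministic bytes so hash links and MACs are stable across encodings.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def sign(body, key):
    return {**body, "proof": hmac.new(key, canonical(body), "sha256").hexdigest()}

def signature_valid(cred):
    key = ISSUER_KEYS.get(cred.get("issuer"))
    if key is None:
        return False
    body = {k: v for k, v in cred.items() if k != "proof"}
    expected = hmac.new(key, canonical(body), "sha256").hexdigest()
    return hmac.compare_digest(cred.get("proof", ""), expected)

def digest(cred):
    # The "hash link": a credential names its accreditation by this value.
    return hashlib.sha256(canonical(cred)).hexdigest()

def verify_chain(cred, store, trusted_patterns, max_depth=3):
    """Follow accreditedBy hash links from the presented credential until an
    issuer matching a configured pattern such as *.gov.au is reached. Every
    credential on the path must verify, and the walk is bounded by max_depth."""
    for _ in range(max_depth):
        if not signature_valid(cred):
            return False
        issuer = cred["issuer"]
        if any(fnmatch.fnmatchcase(issuer, p) for p in trusted_patterns):
            return True  # option 2 ends here: the trusted authority issued it
        parent = store.get(cred.get("accreditedBy"))
        # The link must resolve, match its hash, and accredit *this* issuer.
        if (parent is None or digest(parent) != cred["accreditedBy"]
                or parent.get("subject") != issuer):
            return False
        cred = parent
    return False

# Constructed sample: a national authority accredits a clinic, which then
# issues a vaccination certificate that links back to the accreditation.
ACCREDITATION = sign({"type": "Accreditation", "issuer": "health.gov.au",
                      "subject": "clinic-42.example"}, ISSUER_KEYS["health.gov.au"])
STORE = {digest(ACCREDITATION): ACCREDITATION}
VAX_CERT = sign({"type": "VaccinationCertificate", "issuer": "clinic-42.example",
                 "subject": "did:example:holder", "accreditedBy": digest(ACCREDITATION)},
                ISSUER_KEYS["clinic-42.example"])
TRUSTED = ["*.gov.au", "*.gov.uk"]
```

The same walk accepts an accreditation presented on its own (the authority issued it directly) and rejects a cert whose link points at an accreditation for a different clinic, so the verifier's configured patterns remain the only trust anchor.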

Received on Wednesday, 4 August 2021 21:48:12 UTC