- From: Henry Story <henry.story@gmail.com>
- Date: Wed, 11 Aug 2021 10:14:16 +0200
- To: daniel.hardman@gmail.com
- Cc: Bob Wyman <bob@wyman.us>, David Chadwick <d.w.chadwick@verifiablecredentials.info>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
> On 11. Aug 2021, at 09:14, Daniel Hardman <daniel.hardman@gmail.com> wrote:
>
>>> Another solution is chaining: have an accreditation authority issue a VC to issuers, attesting to the issuer's bona fides; verification = verify proximate VC + VC that makes proximate issuer trustworthy. Possibly repeat through several levels of indirection.
>
> Bob Wyman wrote:
>> If it is discovered, through some arbitrary means, that some intermediary in a chain should not be considered trustworthy, even though that intermediary produces credentials that satisfy the specification's requirements, how can a lack of trust be expressed, communicated, etc?
>
> A chain has to be followed. That means each credential must be verified. And if an intermediate credential in the chain is revoked, the chain gets broken and thus will not validate. So: revoke.

Following a question by Prof @brynosaurus on Twitter on why a Web of Nations would work where PGP web of trust had failed, I dug into the whole problem and wrote it up: "Why did the PGP Web of Trust fail?"
https://medium.com/@bblfish/what-are-the-failings-of-pgp-web-of-trust-958e1f62e5b7

The short of why PGP WoT failed is exactly that trust is not transitive. That is in part because verification skills are not transitive. That is: it is actually not that easy to verify someone’s name, and one person may be really good about it, but not the person they signed for. Some people just trust everyone that comes along.

But you can get trust transitivity in limited circumstances, such as within a legal framework. If I start from my UK trust anchor, https://gov.uk/, and it states that Companies House is a registrar, and registrars are legally able to make certain claims, then I know that the legal enforcing authority in the UK has made a claim about the legal validity of claims made by that institution.

The same gov.uk site could have a list pointing to age verification companies, and these companies' listing could in turn point back to the official listing. So we can build linked data verification chains.

But we can see that trust won’t be transitive in international relations. If the UK has severed diplomatic relations with a country, or does not recognize a country, then it will likely maintain relations with countries that do recognize that country. Still, a UK citizen will not get legal/diplomatic protection by trying to claim transitivity of diplomatic relations.

Henry
Received on Wednesday, 11 August 2021 08:15:31 UTC
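The chain-following rule discussed in this message, sketched as an added example that is not part of the original e-mail: a credential validates only if every link up to the trust anchor is unrevoked and each issuer is accredited for that specific claim type. All credential ids and issuer names except https://gov.uk/ are constructed, the accreditation model is an assumption, and each VC's cryptographic proof is assumed to have been checked already.

```python
ANCHOR = "https://gov.uk/"  # trust anchor named in the message

# Constructed sample credentials. "accredits" is the set of claim types the
# subject may issue (scoped accreditation, not blanket trust).
CREDS = {
    "vc-registrar": {"issuer": ANCHOR, "subject": "companies-house",
                     "accredits": {"company-registration"}},
    "vc-agecheck": {"issuer": ANCHOR, "subject": "agecheck-ltd",
                    "accredits": {"age-over-18"}},
    "vc-sub": {"issuer": "agecheck-ltd", "subject": "reseller",
               "accredits": {"age-over-18"}},
    "vc-acme": {"issuer": "companies-house", "subject": "acme-ltd",
                "claim": "company-registration"},
    "vc-alice-age": {"issuer": "companies-house", "subject": "alice",
                     "claim": "age-over-18"},
    "vc-bob-age": {"issuer": "reseller", "subject": "bob",
                   "claim": "age-over-18"},
}


def verify_chain(cred_id, creds, revoked, claim=None, depth=0, max_depth=5):
    """Return (ok, detail): the chain on success, the reason on failure."""
    cred = creds.get(cred_id)
    if cred is None or cred_id in revoked:
        return False, f"{cred_id}: missing or revoked, chain broken"
    if depth > max_depth:  # also stops accreditation cycles
        return False, "chain too long"
    claim = claim or cred.get("claim")
    if cred["issuer"] == ANCHOR:
        return True, cred_id
    # Try every accreditation of this issuer that covers the claim type.
    for parent_id, parent in creds.items():
        if parent["subject"] == cred["issuer"] and claim in parent.get("accredits", ()):
            ok, path = verify_chain(parent_id, creds, revoked, claim,
                                    depth + 1, max_depth)
            if ok:
                return True, f"{cred_id} <- {path}"
    return False, f"{cred['issuer']}: no valid accreditation for {claim}"


if __name__ == "__main__":
    for cid, rev in [("vc-acme", set()), ("vc-alice-age", set()),
                     ("vc-bob-age", set()), ("vc-bob-age", {"vc-sub"})]:
        print(cid, sorted(rev), verify_chain(cid, CREDS, rev))
```

The `vc-alice-age` case fails even though its issuer has a valid accreditation from the anchor, because that accreditation covers a different claim type.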