W3C home > Mailing lists > Public > public-credentials@w3.org > August 2021

Re: WoN Re: Public consultation on EU digital principles

From: Henry Story <henry.story@gmail.com>
Date: Wed, 11 Aug 2021 10:14:16 +0200
Cc: Bob Wyman <bob@wyman.us>, David Chadwick <d.w.chadwick@verifiablecredentials.info>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-Id: <58AC1FEB-9C64-473C-B4B2-6F28C1593733@gmail.com>
To: daniel.hardman@gmail.com


> On 11. Aug 2021, at 09:14, Daniel Hardman <daniel.hardman@gmail.com> wrote:
> 
>>> Another solution is chaining: have an accreditation authority issue a VC to issuers, attesting to the issuer's bona fides; verification = verify proximate VC + VC that makes proximate issuer trustworthy. Possibly repeat through several levels of indirection.
> Bob Wyman wrote:
>> If it is discovered, through some arbitrary means, that some intermediary in a chain should not be considered trustworthy, even though that intermediary produces credentials that satisfy the specification's requirements, how can a lack of trust be expressed, communicated, etc?
> 
> A chain has to be followed. That means each credential must be verified. And if an intermediate credential in the chain is revoked, the chain gets broken and thus will not validate. So: revoke. 

Following a question by Prof @brynosaurus on Twitter on why a Web of Nations would
work where PGP web of trust had failed, I digged into the whole problem and wrote 
it up

”Why did the PGP Web of Trust fail?"
https://medium.com/@bblfish/what-are-the-failings-of-pgp-web-of-trust-958e1f62e5b7

The short of why PGP WoT failed is exactly that trust is not transitive. That
is in part because verification skills are not transitive. That is: it is actually
not that easy to verify someone’s name, and one person may be really good about it,
but not the person they signed for. Some people just trust everyone that comes along.

But you can get trust transitivity in limited circumstances, such as within a legal
framework. If I start from my UK trust anchor, https://gov.uk/ and it states that 
companies house is a registrar, and registrars are legally able to make certain claims,
then I know that the legal enforcing authority in the UK has made a claim about the 
legal validity of claims made by that institution. The same gov.uk site could have
a list pointing to age verification companies, and these companies listing could in
turn point back to the official listing. 
So we can build linked data verification chains. 

But we can see that trust won’t be transitive in international relations. If the
UK has severed diplomatic relations with a country, or does not recognize a country,
then it will likely maintain relations with countries that do recognize that country.
Still a UK citizen will not get legal/diplomatic protection by trying to claim
transitivity of diplomatic relations.

Henry
Received on Wednesday, 11 August 2021 08:15:31 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 11 August 2021 08:15:32 UTC