Re: Tim Berners-Lee: He Created the Web. Now He’s Out to Remake the Digital World.

Thanks, Kayode, for sharing your implementation experience and the clear
RWoT9 paper. I have a comment and a question for you and all of us here...

My comment has to do with trying to re-invent protocols around the W3C
standard data models (VC, DID) as well as established public certificates
like SSL. Protocol work in Kayode's paper and much of the work in DIF lags
the state of the art by almost a decade. The SSI community (and maybe
Solid) misses the mark by ignoring the role of self-sovereign
semi-autonomous authorization agents. It also treats as out of scope
protocols that deal with authorization requests without physically having
to transit the credential itself through a personal data store. The risk of
this narrow SSI perspective is that the protocols we're developing will be
incompatible with protocols for access to credentials in general, with all
of the commonality in data models, revocation, and audit that applies to
all credentials.

Here's a short slide-set about Human-Centered Protocols and Zero Trust
Architecture:
https://docs.google.com/presentation/d/1ksKal62ZiApX09Nejm4RSqHzHJbgwpu_l2Ho64_ePKU/edit#slide=id.p


My question has to do with at-rest encryption in Solid or any other group
of SSI-related protocols. What are our options and which ones make sense?

- Adrian

On Sat, Jan 16, 2021 at 5:58 AM Kayode Ezike <kezike13@gmail.com> wrote:

> Thanks for the intro Kim!
>
> I was silently following this thread and preparing to share my thoughts on
> this, but I agree with Kim's sentiment. I will just add that when I
> developed solid-vc, I was operating mostly under the threat model of
> compromised cryptographic keys used to sign credentials via
> jsonld-signatures <https://github.com/digitalbazaar/jsonld-signatures> and
> a compromised Solid password.*
>
> I don't want to bombard you all with too much information about this
> project in this thread, but for now I will share the solid-vc repo
> <https://github.com/kezike/solid-vc> again as well as my RWoT9 submission
> <https://github.com/WebOfTrustInfo/rwot9-prague/blob/master/topics-and-advance-readings/solid-vc.md>.
> I have presented solid-vc to this group in the past and have been adding
> modest features and planning larger ones since then. I am happy to share
> more in another forum if folks are interested.
>
> Finally, concerns around implementing at-rest encryption in a
> standards-compliant manner are not unreasonable. Additionally, I know that
> it is a relatively new concept for everyday users to manage their own
> personal data with all the unwieldy process that comes with it, but I don't
> know that many of the projects in the digital identity space don't struggle
> with some of the same usability challenges.
>
> For these reasons, I believe that alignment between CCG and Solid CG is
> essential and I appreciate that the chairs have recognized that!
>
> *There is a complicated history around Solid's use of TLS that is
> informed by controversial browser releases that disrupted the key
> management process that Solid took for granted. Dmitri and Sarven are
> probably more qualified to provide context here. In any event, it seems
> that at least the recent enterprise release
> <https://inrupt.com/products/enterprise-solid-server> has tightened this
> up.
>
> P.S. - On a personal note, I discovered CCG when I embarked on solid-vc in
> earnest in 2018. I was able to leverage some of the core standards
> supported by CCG and W3C in the development process. Folks like Dmitri and
> Manu provided varying degrees of guidance, for which I am eternally
> grateful!
>
> On Fri, Jan 15, 2021, 9:33 PM Kim Hamilton <kimdhamilton@gmail.com> wrote:
>
>> Last year or so, Kayode Ezike (added) presented his solid/VC work on a
>> CCG call.
>>
>> Here's the github repo:
>> https://github.com/kezike/solid-vc
>>
>> The idea of using a Solid profile (URI) as the VC credentialSubject.id appeals
>> to me. I get Adrian's concern about whether people would be motivated to
>> manage their own PDS.  But, supposing one wants to deploy VC-based projects
>> in the immediate future, it's challenging identifying DID methods suitable
>> for individuals*, and Solid profiles start to look more feasible and
>> intuitive.
>>
>> * Based on criteria such as open-standard based, avoiding lockin,
>> longevity, ease of use. Again, this applies to methods available at the
>> current time
>>
>>
>>
>> On Thu, Jan 14, 2021 at 7:41 PM Michael Herman (Parallelspace) <
>> mwherman@parallelspace.net> wrote:
>>
>>> RE: If we understand the case for end-to-end encryption, why would we
>>> insist that two of our service providers must transfer data through my Pod
>>> as a way to share it?
>>>
>>>
>>>
>>> I’m not sure this is a target use case for Inrupt/Solid.  From what I’ve
>>> read so far, it sounds like the idea behind what TimBL and Inrupt are
>>> building is to create a new Web, based on pods, that runs as a peer to the
>>> WWW on top of the Internet.
>>>
>>>
>>>
>>> Michael
>>>
>>>
>>>
>>> *From:* Bill Claxton <williamc@itr8.com>
>>> *Sent:* January 14, 2021 8:17 PM
>>> *To:* public-credentials@w3.org
>>> *Cc:* williamc@nextid.com
>>> *Subject:* Re: Tim Berners-Lee: He Created the Web. Now He’s Out to
>>> Remake the Digital World.
>>>
>>>
>>>
>>> Adrian,
>>>
>>> Well put.  I agree on "a separation of concerns between who has the data
>>> and who controls how it's used".
>>>
>>> Let's say my VCs are stored in IPFS or similar decentralised storage and
>>> I am the only person with the private key.  To share a VC, I can make a
>>> temporary copy, encrypt it with a different key and post it in volatile
>>> storage.  I can comply with GDPR requests to remove the information by
>>> simply deleting or expiring access to the volatile storage.  All without
>>> ever disclosing the location of the VCs in IPFS or the keys.
>>>
>>> Regards, Bill Claxton (williamc@itr8.com)
>>> Facebook, Skype, MSN, Yahoo, Twitter, Flickr or Gmail: wmclaxton
>>> Voice, Text or Whatsapp: +65-9012-4327
>>>
>>> On 1/15/2021 11:02 AM, Adrian Gropper wrote:
>>>
>>> Solid has fallen into the same trap as all first-generation
>>> people-centered technologies of linking storage of personal information to
>>> control of personal data. Yes, it's easier to control data about you if you
>>> also store that data but the problem is that almost nobody cares about the
>>> data you have in storage - they have their own copies of that data and
>>> their own ways of monetizing it whether you have a Solid Pod or not.
>>>
>>>
>>>
>>> I'm looking forward to scalable people-centered technologies where
>>> personal data is controlled without having to be copied into a PDS. Proper
>>> authorization standards like GNAP introduce a separation of concerns
>>> between who has the data and who controls how it's used. If we understand
>>> the case for end-to-end encryption, why would we insist that two of our
>>> service providers must transfer data through my Pod as a way to share it?
>>>
>>>
>>>
>>> I'm told by people who work on Solid that they could adopt authorization
>>> standards to provide independent control over what's in my Pod. Yet they
>>> haven't AFAIK. I would not trust Solid as being person-centric until they
>>> provide me with standards-based authorization for access control to what is
>>> in my Pod. Otherwise, they're just like Apple who controls access to my
>>> health record stored on my iPhone based on opaque App Store policies and
>>> proprietary app APIs.
>>>
>>>
>>>
>>> Adrian
>>>
>>>
>>>
>>> On Thu, Jan 14, 2021 at 9:23 PM Michael Herman (Parallelspace) <
>>> mwherman@parallelspace.net> wrote:
>>>
>>> There is already 3-4 years of sources of general information on Solid
>>> (e.g. Inrupt forums, Solid CG Specifications, Technical Report, YouTube
>>> videos, etc.).
>>>
>>>
>>>
>>> In terms of inter-CG communication/discussions, I’m interested in
>>> Inrupt/Solid’s directions in terms of its adoption of:
>>>
>>>
>>>
>>>    1. Decentralized Identity Models
>>>    2. Self-Sovereign Identity Models (a subset of the above)
>>>    3. Other points of potential intersection
>>>
>>>
>>>
>>> Best regards,
>>>
>>> Michael
>>>
>>>
>>>
>>> *From:* Heather Vescent <heathervescent@gmail.com>
>>> *Sent:* January 14, 2021 9:54 AM
>>> *To:* W3C Credentials CG (Public List) <public-credentials@w3.org>
>>> *Subject:* Re: Tim Berners-Lee: He Created the Web. Now He’s Out to
>>> Remake the Digital World.
>>>
>>>
>>>
>>> All,
>>>
>>>
>>>
>>> The CCG and Solid co-chairs are discussing coordinating introductory
>>> presentations from each group to each group in order to jump start
>>> collaboration -- this will likely happen in February.
>>>
>>>
>>>
>>> CCG members: what questions on Solid would you like answered?
>>>
>>>
>>>
>>> More details as they happen.
>>>
>>>
>>>
>>> Cheers,
>>>
>>>
>>>
>>> -Heather
>>>
>>>
>>>
>>> On Thu, Jan 14, 2021 at 1:27 AM Kishore Bhatia <kishore@affinidi.com>
>>> wrote:
>>>
>>> Thanks for shedding some more light on this Michael and Dmitri, have
>>> been following Solid/Inrupt’s launch from community pods to ESS and very
>>> interested in convergence or parallels with Secure data storage!
>>>
>>>
>>>
>>> Looking at Solid again in 2021 for VC compliant storage: encrypted data
>>> vault, maybe even Cloud-agents/identity-hub like components in Affinidi’s
>>> architecture, would be great to sync up with you direct on the identity/VC
>>> relevant roadmap so far - will ping direct!
>>>
>>>
>>>
>>> Cheers!
>>>
>>> Kishore
>>>
>>> On Thu, Jan 14, 2021 at 12:39 AM Dmitri Zagidulin <dzagidulin@gmail.com>
>>> wrote:
>>>
>>> >  Is there anyone from the Solid project or Inrupt a member of CCG?
>>>
>>>
>>>
>>> I'll add my name to that list as well -- I'm an active participant in
>>> the Solid project (am one of the core spec editors, implementer, etc) as
>>> well. And in general, try to bring Solid's perspective to various w3c
>>> groups I'm part of (including the Confidential Storage group).
>>>
>>>
>>> --
>>>
>>> Heather Vescent <http://www.heathervescent.com/>
>>>
>>> Co-Chair, Credentials Community Group @W3C
>>> <https://www.w3.org/community/credentials/>
>>>
>>> President, The Purple Tornado, Inc <https://thepurpletornado.com/>
>>>
>>> Author, The Secret of Spies <https://amzn.to/2GfJpXH> (Available Oct
>>> 2020)
>>>
>>> Author, The Cyber Attack Survival Manual
>>> <https://www.amazon.com/Cyber-Attack-Survival-Manual-Apocalypse/dp/1681886545/> (revised,
>>> Dec 2020)
>>>
>>> Author, A Comprehensive Guide to Self Sovereign Identity
>>> <https://ssiscoop.com/>
>>>
>>>
>>>
>>> @heathervescent <https://twitter.com/heathervescent> | Film Futures
>>> <https://vimeo.com/heathervescent> | Medium
>>> <https://medium.com/@heathervescent/> | LinkedIn
>>> <https://www.linkedin.com/in/heathervescent/> | Future of Security
>>> Updates <https://app.convertkit.com/landing_pages/325779/>
>>>
>>>
>>>
>>

Received on Saturday, 16 January 2021 16:11:27 UTC