
Re: VC-HTTP-API - A follow up on the RAR presentation

From: Daniel Hardman <daniel.hardman@gmail.com>
Date: Thu, 8 Jul 2021 12:55:30 +0200
Message-ID: <CACU_chm6V0efdXoMdChMQkHCGmMD+rGtTipCxgq89BmX3V-c=Q@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: "public-credentials (public-credentials@w3.org)" <public-credentials@w3.org>
>
> > A1 - VC-HTTP API is *the one place* where the asymmetry of power between
> > issuers and subjects comes to a head.
>
> You have yet to demonstrate why and how. This seems to be the basis of your
> position, so it's hard to even consider your other points because the
> foundation of your argument hasn't been established yet.
>
> Why is the VC HTTP API the one place where the asymmetry of power between
> issuers and subjects comes to a head?
>
> Where exactly in the VC HTTP API is this concretely realized? You should be
> able to point to an endpoint and say "right there".


I beg to differ with your characterization, Manu. I gave a concrete example
of why the VC HTTP perpetuates a power asymmetry when I came to this group
on April 30 with slides
<https://docs.google.com/presentation/d/1VhTcthBwDppKB-k71YOtoB6F-32vJNeXKF5P_hScshM/edit>
and 20 minutes of commentary about it. It is not an example of an endpoint;
it's in the architectural mindset that frames the standard as
endpoint-centric in the first place, guaranteeing for all practical
purposes that the standard can be implemented only by an entity having a
stable point of presence on the internet. (And I made the same argument a
year before, on the CCG mailing list and in issues in the VC http repos,
when the DHS SVIP project first raised the possibility of a "standardised"
API for issuance, before the API was intended to service external
interactions. You commented on some of those issues, so I know you have
thought about them.) In my most recent tilt at the windmills, I made a
concrete counter-proposal, too (to reframe this API as derivative of a
higher-level standard that does not perpetuate the client-server assumption
that locks institutions in as identity power brokers and as controllers of
the standards around them). And I pointed out how something bigger than
HTTP is fundamental to the integration of VCs with digital cash, with
governments on every continent demanding strong identity + offline support
right now. The group dismissed my counter-proposal without a vote, and its
engagement with my argument was relatively light. My conclusion was that I
was wasting my time because the group had little interest in the power
asymmetry problem. Indeed, the way I received Dave Longley's response to my
concern was essentially, "I don't care about those problems because they're
not use cases of my customers. If somebody besides online institutions
wants a standard for credential exchange, let them find their own money and
write their own standard." (Note my careful language "the way I received"
-- I may have received it wrong. I'm not claiming my perception is
objective reality--only that I received it that way.) And, if the group
continues to insist that its only prioritized use cases flow from
institutions that pay the proximate bills, I can't see how it can reach any
other conclusion. So I have largely withdrawn from this group, except to
lurk. I will make my appeal about the architectural and ideological flaws
in your approach in the court of public opinion and the court of government
contracts, since it could not be made in the CCG. It is your privilege to
continue, and it is my privilege to disengage. But it is not reasonable to
claim that you've never received a coherent, concise, actionable
articulation of the problem or its solution.

--Daniel
Received on Thursday, 8 July 2021 10:57:41 UTC
