
RE: Digital Press Passes and Decentralized Public Key Infrastructures

From: <steve.e.magennis@gmail.com>
Date: Tue, 20 Jul 2021 06:46:27 -0700
To: "'David Chadwick'" <d.w.chadwick@verifiablecredentials.info>, "'Adam Sobieski'" <adamsobieski@hotmail.com>, <public-credentials@w3.org>
Message-ID: <076c01d77d6d$a3b7d4c0$eb277e40$@gmail.com>

Two other projects in the VC space come to mind that might be worth looking
into:

* GLEIF
<https://wiki.trustoverip.org/display/HOME/Ecosystem+Working+Group+Files?preview=%2F66630%2F67146%2FAccelerating-Digital-Identity-with-the+LEI_ToIP-Ecosystem-Foundry_WG_v1.0_final+.pdf>
- this is an ecosystem with a globally
authenticated list of orgs, think distinctly, and unequivocally known
publishers (sans reputation), they are potentially extending into named
individuals within those orgs, think writer(s). This could help solve the
problem of easily and confidently distinguishing John Smith at Reuters from
John Smith at Reuterzz.
* Internet of Research
<https://wiki.trustoverip.org/display/HOME/Internet+of+Research+Ecosystem+Task+Force>:
This group is tackling the issue of scholarly publications which
need to be very clear about authentic authorship, recognizable publication
and citations of published works. Maybe more granular than you need in some
ways, and maybe less granular than you need in others, but worth a look.

 

Happy to help with intros if interested in either.

-Steve

 

From: David Chadwick <d.w.chadwick@verifiablecredentials.info> 
Sent: Tuesday, July 20, 2021 5:28 AM
To: Adam Sobieski <adamsobieski@hotmail.com>; public-credentials@w3.org
Subject: Re: Digital Press Passes and Decentralized Public Key
Infrastructures

 

 

On 20/07/2021 13:10, Adam Sobieski wrote:

David,

Scott,

 

It sounds like W3C VC's can equip organizations (e.g.,
https://www.google.com/search?q=journalism+organizations) with the
capability to issue and revoke "digital press passes" per their own
policies, codes of ethics, and procedures.

 

As for the W3C VC models not being limited to the journalism domain, these
same technologies could equip ACM, IEEE, and AAAI with the means of issuing,
beyond membership-related credentials, credentials which represent
compliance with their ethical codes.

 

Broadly, then, under discussion are the matters of equipping professional
organizations with the means of issuing and revoking membership-related
credentials and credentials which indicate compliance with the
organizations' policies and/or codes of ethics.

 

yes, correct

 

Brainstorming and exploring the topic, we might also envision decentralized
systems

it depends what your definition of decentralised is, as it can encompass
several different functionalities. If you mean that issuers need DIDs, then
no, they can have standard X.509 signing certificates. If you mean that
blockchains are needed, again no, they are not essential. The only
decentralised feature I have found to be essential is that users can create
their own asymmetric key pairs (as many as they need).

What is clear (and all the decentralised people agree with this), is that
every SSI system today needs centralised systems in order to function at all
on the Internet. 

Kind regards

David

which allow, beyond issuing and revoking credentials, the capability to warn
organizations and individuals. That is, we might consider that a "digital
press pass" could be in states including: valid, warned, and revoked. If it
is possible to add warnings to VC systems, we could envision the UX in Web
browsers with a green news symbol for valid, a yellow news symbol for
warned, and a red error news symbol for revoked. These graphical symbols
could be placed next to the lock symbol in the left of the URL address bar,
before the URL text.

 

 

Best regards,

Adam

 

From: David Chadwick <mailto:d.w.chadwick@verifiablecredentials.info> 
Sent: Tuesday, July 20, 2021 6:19 AM
To: public-credentials@w3.org <mailto:public-credentials@w3.org> 
Subject: Re: Digital Press Passes and Decentralized Public Key
Infrastructures

 

Hi Scott

On 19/07/2021 22:47, Scott Yates wrote:

Adam, (and friends), 

 

I looked really hard at a PKI solution for a long time, and the downsides
were insurmountable.

PKI does not propose to tell you who is press and who is not. It was never
designed to do this. From the outset PKI was designed to bind an identifier
to a public key for authentication purposes, that's all. PMI is what you
were looking for (X.509 attribute certificates) e.g. as we implemented in
the PERMIS open source code. But now, we have switched to W3C VCs as a
better way of telling you who is a member of the press or not.

The other ingredient you need is something like the TRAIN API which tells
you if the issuer of the "press VCs" is trusted to do this or not. We have
this built into our VC ecosystem.

 

Probably the biggest problem that you can't get around is: Who decides who
is in and who is out?

The answer is simple. The verifier does. But it can delegate this task to a
TTP if it wants e.g. the TRAIN API, or it can have its own list of trusted
issuers.




 

After beating my head against the wall for a couple of years, I came up with
trust.txt. It's a text file in the tradition of robots.txt and ads.txt. In
that file, press associations list their members, and members list their
associations.

This is exactly what we do with the TRAIN API and VCs. Issuers (members in
your terminology) put a ToU property in the VCs they issue listing the
associations they are affiliated to. The verifier passes the association and
issuer to the TRAIN API and it returns true or false to this affiliation.

 

 

For example, the Texas Press Association's file is here:
https://www.texaspress.com/trust.txt and the file for a small weekly paper
in Hays has its file here: https://haysfreepress.com/trust.txt 

 

With those, anyone can build a crawler and an algo to get confirmation about
who belongs to whom.

 

No one body has to decide who is "press" and who is not. Groups on their own
decide who is a member, and it's up to the platforms to interpret the signal
and decide that the Hays Free Press is just a bit more trustworthy because
they at least know that it belongs to the TPA. 

 

I'm now rolling this out to press and broadcasting associations in the U.S.,
and hope to go international starting in the fall.

Sounds very good. Well done.

 

 

After studying it for a long long time, I think this is as close as we can
get to a "digital press pass" that is consistent with the First Amendment
and an open, decentralized web.

I agree. And the model is not limited to press passes but to any VCs in any
domain

Kind regards

David

 

-Scott Yates

Founder

JournalList.net <http://JournalList.net> , caretaker of the trust.txt
framework

202-742-6842

 <https://youtu.be/lunOBapQxpU> Short Video Explanation of trust.txt

 

 

On Mon, Jul 19, 2021 at 3:23 PM Adam Sobieski <adamsobieski@hotmail.com
<mailto:adamsobieski@hotmail.com> > wrote:

Credible Web Community Group,

Credentials Community Group,

 

I would like to broach the topic of "digital press passes" towards a more
credible web.

 

As envisioned, "digital press passes" could be provided to organizations and
individuals utilizing decentralized public key infrastructure.

 

Webpages could include URLs to their "digital press passes" in link elements
(<link rel="press-pass" href="." />). This information could also be encoded
in documents in a manner interoperable with Web schema. News content could
be digitally signed by one or more "digital press passes".

 

Upsides include: (1) end-users and services could configure which
certificate authorities that they desired to recognize, (2) end-users could
visually see, in their Web browsers, whether displayed content was from a
source with a valid "digital press pass", (3) news aggregation sites could
distinguish content digitally signed by "digital press passes", (4) social
media websites could visually adorn and prioritize shared content which is
digitally signed by "digital press passes", (5) entry for new news
organizations and recognition as such by existing services would be
simplified, e.g., a new newspaper organization, the new news organization
would need to obtain a "digital press pass" from a certificate authority.

 

Downsides include: impact on citizen journalism, where users other than
journalists desire to publish or distribute news content.

 

Have these ideas been considered before? Any thoughts on these ideas?

 

 

Best regards,

Adam Sobieski

 

P.S.: https://meta.wikimedia.org/wiki/Wikifact

 

 
Received on Tuesday, 20 July 2021 13:46:44 UTC
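
The mutual-listing check described for trust.txt in the thread above, as an added example that is not part of the original messages or of the trust.txt project's code. It assumes the `member=` and `belongto=` line syntax of trust.txt files (not shown in this thread) and uses constructed file contents for hypothetical `.example` domains; a verifier would treat only the "mutual" result as confirmed affiliation.

```python
from urllib.parse import urlsplit

def origin(url):
    """Reduce a URL (or bare host) to its lower-case hostname for comparison."""
    url = url.strip()
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").lower()

def parse_trust_txt(text):
    """Collect the hosts named in member= and belongto= lines of a trust.txt body."""
    entries = {"member": set(), "belongto": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        host = origin(value)
        if key.lower() in entries and host:
            entries[key.lower()].add(host)
    return entries

def affiliation(assoc_url, assoc_txt, member_url, member_txt):
    """Classify the link between an association and a publisher.

    'mutual'           both files name each other (confirmed)
    'association-only' association lists the publisher, publisher is silent
    'member-only'      publisher claims the association, which does not list it
    'none'             neither file names the other
    """
    listed = origin(member_url) in parse_trust_txt(assoc_txt)["member"]
    claimed = origin(assoc_url) in parse_trust_txt(member_txt)["belongto"]
    if listed and claimed:
        return "mutual"
    if listed:
        return "association-only"
    return "member-only" if claimed else "none"

# Constructed sample files (hypothetical domains, not real trust.txt contents).
ASSOC_TXT = """# association.example/trust.txt
member=https://paper.example/
member=https://weekly.example/
"""
PAPER_TXT = "belongto=https://Association.example/\n"
IMPOSTER_TXT = "belongto=https://association.example/\n"   # self-asserted only

if __name__ == "__main__":
    for site, body in [("paper.example", PAPER_TXT),
                       ("imposter.example", IMPOSTER_TXT),
                       ("weekly.example", "")]:
        print(site, affiliation("https://association.example", ASSOC_TXT, site, body))
```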

This archive was generated by hypermail 2.4.0 : Tuesday, 20 July 2021 13:46:45 UTC