Re: Digital Press Passes and Decentralized Public Key Infrastructures from Kaliya IDwoman on 2021-07-20 (public-credentials@w3.org from July 2021)

From: Kaliya IDwoman <kaliya-id@identitywoman.net>
Date: Tue, 20 Jul 2021 08:20:07 -0700
To: steve.e.magennis@gmail.com
Cc: David Chadwick <d.w.chadwick@verifiablecredentials.info>, Adam Sobieski <adamsobieski@hotmail.com>, Credentials CG <public-credentials@w3.org>
Message-ID: <CA+z9oKDZ6xfup_LTc=qZfKvR1JOpkUNjrdU10QSALe6eBpytSg@mail.gmail.com>
Kerri just wrote this
The Future of Open Badges is Verifiable
https://kayaelle.medium.com/the-future-of-open-badges-is-verifiable-bce27664a668

On Tue, Jul 20, 2021 at 6:47 AM <steve.e.magennis@gmail.com> wrote:

> Two other projects in the VC space come to mind that might be worth
> looking into:
>
>    - GLEIF
>    <https://wiki.trustoverip.org/display/HOME/Ecosystem+Working+Group+Files?preview=%2F66630%2F67146%2FAccelerating-Digital-Identity-with-the+LEI_ToIP-Ecosystem-Foundry_WG_v1.0_final+.pdf>
>    – this is an ecosystem with a globally authenticated list of orgs, think
>    distinctly, and unequivocally known publishers (sans reputation), they are
>    potentially extending into named individuals within those orgs, think
>    writer(s). This could help solve the problem of easily and confidently
>    distinguishing John Smith at Reuters from John Smith at Reuterzz.
>    - Internet of Research
>    <https://wiki.trustoverip.org/display/HOME/Internet+of+Research+Ecosystem+Task+Force>:
>    This group is tackling the issue of scholarly publications which need to be
>    very clear about authentic authorship, recognizable publication and
>    citations of published works. Maybe more granular than you need in some
>    ways, and maybe less granular than you need in others, but worth a look.
>
>
>
> Happy to help with intros if interested in either.
>
> -Steve
>
>
>
> *From:* David Chadwick <d.w.chadwick@verifiablecredentials.info>
> *Sent:* Tuesday, July 20, 2021 5:28 AM
> *To:* Adam Sobieski <adamsobieski@hotmail.com>; public-credentials@w3.org
> *Subject:* Re: Digital Press Passes and Decentralized Public Key
> Infrastructures
>
>
>
>
>
> On 20/07/2021 13:10, Adam Sobieski wrote:
>
> David,
>
> Scott,
>
>
>
> It sounds like W3C VC’s can equip organizations (e.g.,
> https://www.google.com/search?q=journalism+organizations) with the
> capability to issue and revoke “digital press passes” per their own
> policies, codes of ethics, and procedures.
>
>
>
> As for the W3C VC models not being limited to the journalism domain, these
> same technologies could equip ACM, IEEE, and AAAI with the means of
> issuing, beyond membership-related credentials, credentials which represent
> compliance with their ethical codes.
>
>
>
> Broadly, then, under discussion are the matters of equipping professional
> organizations with the means of issuing and revoking membership-related
> credentials and credentials which indicate compliance with the
> organizations’ policies and/or codes of ethics.
>
>
>
> yes, correct
>
>
>
> Brainstorming and exploring the topic, we might also envision
> decentralized systems
>
> it depends what your definition of decentralised is, as it can encompass
> several different functionalities. If you mean that issuers need DIDs, then
> no, they can have standard X.509 signing certificates. If you mean that
> blockchains are needed, again no, they are not essential. The only
> decentralised feature I have found to be essential is that users can create
> their own asymmetric key pairs (as many as they need).
>
> What is clear (and all the decentralised people agree with this), is that
> every SSI system today needs centralised systems in order to function at
> all on the Internet.
>
> Kind regards
>
> David
>
> which allow, beyond issuing and revoking credentials, the capability to
> warn organizations and individuals. That is, we might consider that a
> “digital press pass” could be in states including: valid, warned, and
> revoked. If it is possible to add warnings to VC systems, we could envision
> the UX in Web browsers with a green news symbol for valid, a yellow news
> symbol for warned, and a red error news symbol for revoked. These graphical
> symbols could be placed next to the lock symbol in the left of the URL
> address bar, before the URL text.
>
>
>
>
>
> Best regards,
>
> Adam
>
>
>
> *From: *David Chadwick <d.w.chadwick@verifiablecredentials.info>
> *Sent: *Tuesday, July 20, 2021 6:19 AM
> *To: *public-credentials@w3.org
> *Subject: *Re: Digital Press Passes and Decentralized Public Key
> Infrastructures
>
>
>
> Hi Scott
>
> On 19/07/2021 22:47, Scott Yates wrote:
>
> Adam, (and friends),
>
>
>
> I looked really hard at a PKI solution for a long time, and the downsides
> were insurmountable..
>
> PKI does not propose to tell you who is press and who is not. It was never
> designed to do this. From the outset PKI was designed to bind an identifier
> to a public key for authentication purposes, that's all. PMI is what you
> were looking for (X.509 attribute certificates) e.g. as we implemented in
> the PERMIS open source code. But now, we have switched to W3C VCs as a
> better way of telling you who is a member of the press or not.
>
> The other ingredient you need is something like the TRAIN API which tells
> you if the issuer of the "press VCs" is trusted to do this or not. We have
> this built into our VC eco system.
>
>
>
> Probably the biggest problem that you can't get around is: Who decides who
> is in and who is out?
>
> The answer is simple. The verifier does. But it can delegate this task to
> a TTP if it wants e.g. the TRAIN API, or it can have its own list of
> trusted issuers.
>
>
>
>
> After beating my head against the wall for a couple of years, I came up
> with trust.txt. It's a text file in the tradition of robots.txt and
> ads.txt. In that file, press associations list their members, and members
> list their associations.
>
> This is exactly what we do with the TRAIN API and VCs. Issuers (members in
> your terminology) put a ToU property in the VCs they issue listing the
> associations they are affiliated to. The verifier passes the association
> and issuer to the TRAIN API and it returns true or false to this
> affiliation.
>
>
>
>
>
> For example, the Texas Press Association's file is here:
> https://www.texaspress.com/trust.txt and the file for a small weekly
> paper in Hays has its file here: https://haysfreepress.com/trust.txt
>
>
>
> With those, anyone can build a crawler and an algo to get
> confirmation about who belongs to whom.
>
>
>
> No one body has to decide who is "press" and who is not. Groups on their
> own decide who is a member, and it's up to the platforms to interpret the
> signal and decide that the Hays Free Press is just a bit more trustworthy
> because they at least know that it belongs to the TPA.
>
>
>
> I'm now rolling this out to press and broadcasting associations in the
> U.S., and hope to go international starting in the fall.
>
> Sounds very good. Well done.
>
>
>
>
>
> After studying it for a long long time, I think this is as close as we can
> get to a "digital press pass" that is consistent with the First Amendment
> and an open, decentralized web.
>
> I agree. And the model is not limited to press passes but to any VCs in
> any domain
>
> Kind regards
>
> David
>
>
>
> -Scott Yates
>
> Founder
>
> JournalList.net, caretaker of the trust.txt framework
>
> 202-742-6842
>
> Short Video Explanation of trust.txt <https://youtu.be/lunOBapQxpU>
>
>
>
>
>
> On Mon, Jul 19, 2021 at 3:23 PM Adam Sobieski <adamsobieski@hotmail..com
> <adamsobieski@hotmail.com>> wrote:
>
> Credible Web Community Group,
>
> Credentials Community Group,
>
>
>
> I would like to broach the topic of “digital press passes” towards a more
> credible web.
>
>
>
> As envisioned, “digital press passes” could be provided to organizations
> and individuals utilizing decentralized public key infrastructure.
>
>
>
> Webpages could include URLs to their “digital press passes” in link
> elements (<link rel="press-pass" href="…" />). This information could
> also be encoded in documents in a manner interoperable with Web schema.
> News content could be digitally signed by one or more “digital press
> passes”.
>
>
>
> Upsides include: (1) end-users and services could configure which
> certificate authorities that they desired to recognize, (2) end-users could
> visually see, in their Web browsers, whether displayed content was from a
> source with a valid “digital press pass”, (3) news aggregation sites could
> distinguish content digitally signed by “digital press passes”, (4) social
> media websites could visually adorn and prioritize shared content which is
> digitally signed by “digital press passes”, (5) entry for new news
> organizations and recognition as such by existing services would be
> simplified, e.g., a new newspaper organization, the new news organization
> would need to obtain a “digital press pass” from a certificate authority.
>
>
>
> Downsides include: impact on citizen journalism, where users other than
> journalists desire to publish or distribute news content.
>
>
>
> Have these ideas been considered before? Any thoughts on these ideas?
>
>
>
>
>
> Best regards,
>
> Adam Sobieski
>
>
>
> P.S.: https://meta.wikimedia.org/wiki/Wikifact
>
>
>
>
>
>
Received on Tuesday, 20 July 2021 15:20:40 UTC