- From: Adrian Gropper <agropper@healthurl.com>
- Date: Tue, 20 Jul 2021 19:45:35 -0400
- To: Orie Steele <orie@transmute.industries>
- Cc: Ted Thibodeau Jr <tthibodeau@openlinksw.com>, Manu Sporny <msporny@digitalbazaar.com>, W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CANYRo8jMTWhk=_b0H_yAuvRDji_vRepQ5q3NgJ3_rrGvrZiT0Q@mail.gmail.com>
Hi Orie,

On this day when W3C DIDs moved to PR, it's worth taking a bit of perspective on why many of us are here. Understanding where I come from will hopefully help explain my perspective on Web standards that impact people and human rights.

I have spent decades working on self-sovereign technology. It started long before there was self-sovereign identity and before I paid any attention to W3C. My passion for self-sovereign agents goes back to the 1994 Guardian Angel project at MIT http://groups.csail.mit.edu/medg/ga/manifesto/GAtr.html

It inspired the co-founding (along with the lead developer of Guardian Angel) of AMICAS, the first major medical device company built around Web standards, NASDAQ:AMCS https://www.prnewswire.com/news-releases/amicas-agrees-to-be-acquired-by-merge-healthcare-for-605-per-share-in-cash-86588352.html The merged company was bought by IBM Watson in 2015 https://www.wsj.com/articles/ibm-adds-to-its-watson-health-service-1438869366 .

Along the way building a startup in a field dominated by GE, Siemens, and Philips, I had to learn about standards (DICOM) and protocols (HTTP). I learned about digital identity early on and came to be chair of the Liberty Alliance Healthcare Subgroup. As Liberty Alliance morphed to Kantara, I was significantly responsible for the evolution of UMA 1 to UMA 2. Although both UMA 1 and 2 are based on OAuth, UMA 2 is the first standard designed to support self-sovereign agency for a natural person.

As I briefly replied to Manu in the parallel thread https://lists.w3.org/Archives/Public/public-credentials/2021Jul/0195.html, I have made a career of understanding the role of technical standards in society by leveraging experience in corporate regulation (FDA and HIPAA) of my startups and decentralized regulation of the fiduciary agents we call physicians.
Although I was licensed, I never practiced medicine but my customers were both very large corporations (AMICAS was founded out of Massachusetts General Hospital) as well as physicians and physician-led small businesses.

Which brings us to "we are all in this together". The adoption of SSI depends on winning the hearts and minds of people and regulators that are increasingly concerned with the relationship between multinationals and natural people. In W3C, this is now happening over browsers and tracking https://www.protocol.com/policy/w3c-privacy-war

That a startup built around Web standards for accessing personal data in competition with GE, was bought by IBM as leverage to introduce machine learning / artificial intelligence at scale, should not be lost on our group. Huge regulatory challenges lie ahead as Google, Facebook, Amazon, and Apple are creating the next generation of intelligent agents. Will they be your Guardian Angel?

- Adrian

On Tue, Jul 20, 2021 at 3:54 PM Orie Steele <orie@transmute.industries> wrote:

> Feels like we are getting somewhere here...
>
> Assertion:
> VC Data Model + OAS3.0 + OAuth2 => digital slavery.
>
> Proof:
> 1. Assume OAuth2.0 leads to digital slavery
> 2. QED
>
> The logic is both incorrect, and offensive.
>
> Consider, the implication is that the following folks are "supporting
> digital slavery" by using OAuth2.0 or similar technologies....
>
> 1. Google - https://developers.google.com/identity/protocols/oauth2
> 2. Apple -
> https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api
> 3. Microsoft -
> https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
> 4. Amazon - https://developer.amazon.com/blogs/home/tag/OAuth+2.0
> 5. Okta - https://developer.okta.com/docs/concepts/oauth-openid/
> 6. Auth0 - https://auth0.com/docs/protocols/protocol-oauth2
> 7. Ping -
> https://www.pingidentity.com/en/resources/client-library/articles/oauth.html
> 8. Login.gov - https://login.gov/
>
> Continuing to assert that OAuth 2.0 leads to digital slavery and GNAP and
> RAR are the only way to avoid digital slavery appears a very poor strategy
> for promoting web standards in the W3C which has many of the members I
> listed above actively involved in standards.
>
> I would like to see more engagement from the OpenID Foundation, and
> established Identity Providers, including Apple, Microsoft and Google.
>
> I think we ought to be extra careful using terms like "digital slavery",
> when we actually mean "enterprise / government approved security
> technology"...
>
> This perpetuates an "Us vs Them" mentality which is harmful.
>
> Attempts to exclude or slander key stakeholders should be met with
> resistance.
>
> I object to the attempts to paint OAuth2.0 as "digital slavery enhancing
> technology"...
>
> I don't think the previous email demonstrates an understanding of how
> OAuth2.0 is used in practice to secure APIs.
>
> The reality is that individuals, corporations, not for profits and
> governments all have a legitimate right to use security and privacy
> enhancing technology.
>
> We are all in this together, trying to use cryptography and standards to
> build the fabric of digital life, reinforcing all aspects of sovereignty,
> including personal, professional and international.
>
>
> OS

Received on Tuesday, 20 July 2021 23:46:01 UTC