W3C home > Mailing lists > Public > public-credentials@w3.org > July 2021

Re: VC HTTP API Telecon Minutes for 2021-07-13

From: Adrian Gropper <agropper@healthurl.com>
Date: Tue, 20 Jul 2021 19:45:35 -0400
Message-ID: <CANYRo8jMTWhk=_b0H_yAuvRDji_vRepQ5q3NgJ3_rrGvrZiT0Q@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: Ted Thibodeau Jr <tthibodeau@openlinksw.com>, Manu Sporny <msporny@digitalbazaar.com>, W3C Credentials CG <public-credentials@w3.org>
Hi Orie,

On this day when W3C DIDs moved to PR, it's worth taking a bit of
perspective on why many of us are here. Understanding where I come from
will hopefully help explain my perspective on Web standards that impact
people and human rights.

I have spent decades working on self-sovereign technology. It started long
before there was self-sovereign identity and before I paid any attention to
W3C. My passion for self-sovereign agents goes back to the 1994 Guardian
Angel project at MIT http://groups.csail.mit.edu/medg/ga/manifesto/GAtr.html
It inspired the co-founding (along with the lead developer of Guardian
Angel) of AMICAS, the first major medical device company built around Web
standards, NASDAQ:AMCS
https://www.prnewswire.com/news-releases/amicas-agrees-to-be-acquired-by-merge-healthcare-for-605-per-share-in-cash-86588352.html
The
merged copany was bought by IBM Watson in 2015
https://www.wsj.com/articles/ibm-adds-to-its-watson-health-service-1438869366
 .

Along the way building a startup in a field dominated by GE, Siemens, and
Philips, I had to learn about standards (DICOM) and protocols (HTTP). I
learned about digital identity early on and came to be chair of the Liberty
Alliance Healthcare Subgroup. As Liberty Alliance morphed to Kantara, I was
significantly responsible for the evolution of UMA 1 to UMA 2. Although
both UMA 1 and 2 are based on OAuth, UMA 2 is the first standard designed
to support self-sovereign agency for a natural person.

As I briefly replied to Manu in the parallel thread
https://lists.w3.org/Archives/Public/public-credentials/2021Jul/0195.html,
I have made a career of understanding the role of technical standards in
society by leveraging experience in corporate regulation (FDA and HIPAA) of
my startups and decentralized regulation of the fiduciary agents we call
physicians. Although I was licensed, I never practiced medicine but my
customers were both very large corporations (AMICAS was founded out of
Massachusetts General Hospital) as well as physicians and physician-led
small businesses.

Which brings us to "we are all in this together". The adoption of SSI
depends on winning the hearts and minds of people and regulators that are
increasingly concerned with the relationship between multinationals and
natural people. In W3C, this is now happening over browsers and tracking
https://www.protocol.com/policy/w3c-privacy-war

That a startup built around Web standards for accessing personal data in
competition with GE, was bought by IBM as leverage to introduce machine
learning / artificial intelligence at scale, should not be lost on our
group. Huge regulatory challenges lie ahead as Google, Facebook, Amazon,
and Apple are creating the next generation of intelligent agents.

Will they be your Guardian Angel?

- Adrian

On Tue, Jul 20, 2021 at 3:54 PM Orie Steele <orie@transmute.industries>
wrote:

> Feels like we are getting somewhere here...
>
> Assertion:
> VC Data Model + OAS3.0 + OAuth2 => digital slavery.
>
> Proof:
> 1. Assume OAuth2.0 leads to digital slavery
> 2. QED
>
> The logic is both incorrect, and offensive.
>
> Consider, the implication is that the following folks are "supporting
> digital slavery" by using OAuth2.0 or similar technologies....
>
> 1. Google - https://developers.google.com/identity/protocols/oauth2
> 2. Apple -
> https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api
> 3. Microsoft -
> https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
> 4. Amazon - https://developer.amazon.com/blogs/home/tag/OAuth+2.0
> 5. Okta - https://developer.okta.com/docs/concepts/oauth-openid/
> 6. Auth0 - https://auth0.com/docs/protocols/protocol-oauth2
> 7. Ping -
> https://www.pingidentity.com/en/resources/client-library/articles/oauth.html
> 8. Login.gov - https://login.gov/
>
> Continuing to assert that OAuth 2.0 leads to digital slavery and GNAP and
> RAR are the only way to avoid digital slavery appears a very poor strategy
> for promoting web standards in the W3C which has many of the members I
> listed above actively involved in standards.
>
> I would like to see more engagement from the OpenID Foundation, and
> established Identity Providers, including Apple, Microsoft and Google.
>
> I think we ought to be extra careful using terms like "digital slavery",
> when we actually mean "enterprise / government approved security
> technology"...
>
> This perpetuates an "Us vs Them" mentality which is harmful.
>
> Attempts to exclude or slander key stakeholders should be met with
> resistance.
>
> I object to the attempts to paint OAuth2.0 as "digital slavery enhancing
> technology"...
>
> I don't think the previous email demonstrates an understanding of how
> OAuth2.0 is used in practice to secure APIs.
>
> The reality is that individuals, corporations, not for profits and
> governments all have a legitimate right to use security and privacy
> enhancing technology.
>
> We are all in this together, trying to use cryptography and standards to
> build the fabric of digital life, reinforcing all aspects of sovereignty,
> including personal, profession and international.
>
>
> OS
>
Received on Tuesday, 20 July 2021 23:46:01 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 20 July 2021 23:46:04 UTC