Re: Digital Press Passes and Decentralized Public Key Infrastructures

The "problem", such as it is, has more to do with biometrics than DLTs.
Legacy (analog) credentials are a combination of biometric subject
attributes and forgery prevention. That enables a majority of use-cases to
avoid "calling home". The validity and linked attributes of a legacy
credential are only verified in a small fraction of their uses (police
stops, larger bank transactions).

DLTs (and related revocation dead-drops) are just a means of verification
without calling home in a manner that allows surveillance. They are part of
the forgery prevention and revocation solution. But without a biometric in
the VC, directly or indirectly through the assumption that a biometric was
involved "out-of-band", the misuse of valid credentials is a huge problem.

Avoiding biometrics in the VC through "chain-of-custody" protocols requires
jurisdiction over the holder, lest the holder transfer a valid VC to
another subject. Chain of custody methods effectively treat every subject
as a potential criminal - pre-crime style - and will not be acceptable in
most use-cases.

- Adrian

On Mon, Jul 26, 2021 at 10:51 AM David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:

> Hi Manu
>
> as a footnote can you provide me with a single use case that does not use
> any centralised registry?
>
> Kind regards
>
> David
> On 25/07/2021 15:45, Manu Sporny wrote:
>
> On 7/24/21 5:36 PM, David Chadwick wrote:
>
> Our SSI implementation does not use any blockchain, so maybe this is your
> problem. Blockchain is a ball and chain around SSI.
>
> A controversial statement if there ever was one. :)
>
> Have you considered that you might not have hit a use case that benefits from
> the use of a DLT... but others have?
>
> That's not to say that there aren't use cases that don't require a DLT --
> because there absolutely are -- and we all recognized that when creating the
> Verifiable Credentials standard (which is why it doesn't mandate the use of
> DIDs). However, the argument that there aren't use cases that benefit from a
> DLT and that people that think that is a problem is... dubious.
>
> I'll just leave you with some hard data:
>
> There are now 103 registered DID Methods[1].
>
> There are 47 implementations that were submitted to the DID Test Suite for
> conformance testing[2].
>
> The vast majority of those implementations are DLT-based[2].
>
> It could be that most of the 47 DID Method implementations we have are
> horribly misguided and wrong... but I certainly wouldn't bet against all of
> those people. :)
>
> -- manu
>
> [1] https://lists.w3.org/Archives/Public/public-did-wg/2021Jul/0025.html
> [2] https://w3c.github.io/did-spec-registries/#did-methods

Received on Monday, 26 July 2021 16:00:19 UTC