Adam, (and friends),
I looked really hard at a PKI solution for a long time, and the downsides were insurmountable.
PKI does not propose to tell you who is press and who is not. It
was never designed to do this. From the outset PKI was designed to
bind an identifier to a public key for authentication purposes,
that's all. PMI is what you were looking for (X.509 attribute
certificates) e.g. as we implemented in the PERMIS open source
code. But now, we have switched to W3C VCs as a better way of
telling you who is a member of the press or not.
The other ingredient you need is something like the TRAIN API
which tells you if the issuer of the "press VCs" is trusted to do
this or not. We have this built into our VC ecosystem.
The answer is simple. The verifier does. But it can delegate this task to a TTP if it wants e.g. the TRAIN API, or it can have its own list of trusted issuers.
Probably the biggest problem that you can't get around is: Who decides who is in and who is out?
After beating my head against the wall for a couple of years, I came up with trust.txt. It's a text file in the tradition of robots.txt and ads.txt. In that file, press associations list their members, and members list their associations.
This is exactly what we do with the TRAIN API and VCs. Issuers (members in your terminology) put a ToU property in the VCs they issue listing the associations they are affiliated to. The verifier passes the association and issuer to the TRAIN API and it returns true or false to this affiliation.
For example, the Texas Press Association's file is here: https://www.texaspress.com/trust.txt and the file for a small weekly paper in Hays has its file here: https://haysfreepress.com/trust.txt
With those, anyone can build a crawler and an algo to get confirmation about who belongs to whom.
No one body has to decide who is "press" and who is not. Groups on their own decide who is a member, and it's up to the platforms to interpret the signal and decide that the Hays Free Press is just a bit more trustworthy because they at least know that it belongs to the TPA.
I'm now rolling this out to press and broadcasting associations in the U.S., and hope to go international starting in the fall.
Sounds very good. Well done.
After studying it for a long long time, I think this is as close as we can get to a "digital press pass" that is consistent with the First Amendment and an open, decentralized web.
I agree. And the model is not limited to press passes but to any VCs in any domain.
On Mon, Jul 19, 2021 at 3:23 PM Adam Sobieski <adamsobieski@hotmail..com> wrote:
Credible Web Community Group,
Credentials Community Group,
I would like to broach the topic of “digital press passes” towards a more credible web.
As envisioned, “digital press passes” could be provided to organizations and individuals utilizing decentralized public key infrastructure.
Webpages could include URLs to their “digital press passes” in link elements (<link rel="press-pass" href="…" />). This information could also be encoded in documents in a manner interoperable with Web schema. News content could be digitally signed by one or more “digital press passes”.
Upsides include: (1) end-users and services could configure which certificate authorities they desired to recognize, (2) end-users could visually see, in their Web browsers, whether displayed content was from a source with a valid “digital press pass”, (3) news aggregation sites could distinguish content digitally signed by “digital press passes”, (4) social media websites could visually adorn and prioritize shared content which is digitally signed by “digital press passes”, (5) entry for new news organizations and recognition as such by existing services would be simplified, e.g., a new newspaper organization, the new news organization would need to obtain a “digital press pass” from a certificate authority.
Downsides include: impact on citizen journalism, where users other than journalists desire to publish or distribute news content.
Have these ideas been considered before? Any thoughts on these ideas?
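
The two-way check a trust.txt crawler would run ("associations list their members, and members list their associations"), as an added example that is not part of the original thread or of the trust.txt project's code. It assumes the `member=` and `belongto=` keys of the trust.txt convention, treats `www.` as equivalent to the bare host, and uses constructed `.example` files in place of fetched ones.

```python
from urllib.parse import urlsplit

# Constructed sample files keyed by host (nothing is fetched). The
# "member=" / "belongto=" keys are assumed from the trust.txt convention.
SAMPLE_FILES = {
    "association.example": """\
# constructed association file
member=https://weekly.example/
member=https://www.daily.example
""",
    "weekly.example": "belongto=https://association.example/\n",
    "daily.example": "# lists no associations\n",
    "imposter.example": "belongto=https://association.example\n",
}

def origin(url):
    """Reduce a URL or bare host to a comparable lowercase hostname."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    host = host.lower().rstrip(".")
    # Assumption of this example: www.host and host are the same publisher.
    return host[4:] if host.startswith("www.") else host

def parse_trust_txt(text):
    """Return {key: set of normalized hosts} for key=value lines."""
    claims = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value:
            claims.setdefault(key.lower(), set()).add(origin(value))
    return claims

def affiliation(member, association, files=SAMPLE_FILES):
    """Classify a membership claim by which side(s) actually assert it."""
    a = parse_trust_txt(files.get(origin(association), ""))
    m = parse_trust_txt(files.get(origin(member), ""))
    listed = origin(member) in a.get("member", set())
    claimed = origin(association) in m.get("belongto", set())
    if listed and claimed:
        return "confirmed"        # both files agree
    if listed:
        return "association-only"  # member has not reciprocated
    if claimed:
        return "member-only"       # self-asserted, unverified
    return "none"
```

Only the `confirmed` result is a signal a platform should weigh; `member-only` is what a site gets by copying a `belongto=` line for an association that never listed it.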