It sounds like W3C VC’s can equip organizations (e.g., https://www.google.com/search?q=journalism+organizations) with the capability to issue and revoke “digital press passes” per their own policies, codes of ethics, and procedures.
As for the W3C VC models not being limited to the journalism domain, these same technologies could equip ACM, IEEE, and AAAI with the means of issuing, beyond membership-related credentials, credentials which represent compliance with their ethical codes.
Broadly, then, under discussion are the matters of equipping professional organizations with the means of issuing and revoking membership-related credentials and credentials which indicate compliance with the organizations’ policies and/or codes of ethics.
Brainstorming and exploring the topic, we might also envision decentralized systems
it depends what your definition of decentralised is, as it can
encompass several different functionalities. If you mean that
issuers need DIDs, then no, they can have standard X.509 signing
certificates. If you mean that blockchains are needed, again no,
they are not essential. The only decentralised feature I have
found to be essential is that users can create their own
asymmetric key pairs (as many as they need).
What is clear (and all the decentralised people agree with this),
is that every SSI system today needs centralised systems in order
to function at all on the Internet.
which allow, beyond issuing and revoking credentials, the capability to warn organizations and individuals. That is, we might consider that a “digital press pass” could be in states including: valid, warned, and revoked. If it is possible to add warnings to VC systems, we could envision the UX in Web browsers with a green news symbol for valid, a yellow news symbol for warned, and a red error news symbol for revoked. These graphical symbols could be placed next to the lock symbol in the left of the URL address bar, before the URL text.
On 19/07/2021 22:47, Scott Yates wrote:
Adam, (and friends),
I looked really hard at a PKI solution for a long time, and the downsides were insurmountable..
PKI does not propose to tell you who is press and who is not. It was never designed to do this. From the outset PKI was designed to bind an identifier to a public key for authentication purposes, that's all. PMI is what you were looking for (X.509 attribute certificates) e.g. as we implemented in the PERMIS open source code. But now, we have switched to W3C VCs as a better way of telling you who is a member of the press or not.
The other ingredient you need is something like the TRAIN API which tells you if the issuer of the "press VCs" is trusted to do this or not. We have this built into our VC eco system.
Probably the biggest problem that you can't get around is: Who decides who is in and who is out?
The answer is simple. The verifier does. But it can delegate this task to a TTP if it wants e.g. the TRAIN API, or it can have its own list of trusted issuers.
After beating my head against the wall for a couple of years, I came up with trust.txt. It's a text file in the tradition of robots.txt and ads.txt. In that file, press associations list their members, and members list their associations.
This is exactly what we do with the TRAIN API and VCs. Issuers (members in your terminology) put a ToU property in the VCs they issue listing the associations they are affiliated to. The verifier passes the association and issuer to the TRAIN API and it returns true or false to this affiliation.
With those, anyone can build a crawler and an algo to get confirmation about who belongs to whom.
No one body has to decide who is "press" and who is not. Groups on their own decide who is a member, and it's up to the platforms to interpret the signal and decide that the Hays Free Press is just a bit more trustworthy because they at least know that it belongs to the TPA.
I'm now rolling this out to press and broadcasting associations in the U.S., and hope to go international starting in the fall.
Sounds very good. Well done.
After studying it for a long long time, I think this is as close as we can get to a "digital press pass" that is consistent with the First Amendment and an open, decentralized web.
I agree. And the model is not limited to press passes but to any VCs in any domain
On Mon, Jul 19, 2021 at 3:23 PM Adam Sobieski <adamsobieski@hotmail..com> wrote:
Credible Web Community Group,
Credentials Community Group,
I would like to broach the topic of “digital press passes” towards a more credible web.
As envisioned, “digital press passes” could be provided to organizations and individuals utilizing decentralized public key infrastructure.
Webpages could include URLs to their “digital press passes” in link elements (<link rel="press-pass" href="…" />). This information could also be encoded in documents in a manner interoperable with Web schema. News content could be digitally signed by one or more “digital press passes”.
Upsides include: (1) end-users and services could configure which certificate authorities that they desired to recognize, (2) end-users could visually see, in their Web browsers, whether displayed content was from a source with a valid “digital press pass”, (3) news aggregation sites could distinguish content digitally signed by “digital press passes”, (4) social media websites could visually adorn and prioritize shared content which is digitally signed by “digital press passes”, (5) entry for new news organizations and recognition as such by existing services would be simplified, e.g., a new newspaper organization, the new news organization would need to obtain a “digital press pass” from a certificate authority.
Downsides include: impact on citizen journalism, where users other than journalists desire to publish or distribute news content.
Have these ideas been considered before? Any thoughts on these ideas?