
Re: The SSI protocols challenge [Was]: W3C DID Core 1.0 enters Candidate Recommendation stage

From: Steve Capell <steve.capell@gmail.com>
Date: Tue, 23 Mar 2021 07:19:34 +1100
Message-Id: <A7598559-F303-4533-B1C0-9C894B49C1A8@gmail.com>
Cc: public-credentials@w3.org
To: David Chadwick <D.W.Chadwick@kent.ac.uk>
Well, I certainly agree that DID is not a necessary part of VC.

We are using VC now for cross border trade docs - where the concern is mostly about trust and less about privacy (although it is commercially sensitive so we use things like one time passwords in QR codes to limit access).

In our case the subject identifier is not an SSI at all, it is a public ID from a national business register - which is exactly what is needed for our business use case 

And, as you state, the #1 value is the decoupling of issuer and verifier - because, although the ABF provides a hosted verifier, it is fundamental to international uptake that each national regulator can deploy their own verifiers. Partly so they can do so in their own language but mostly so they can trust it.  I don’t think we’d get very far if we have to ask certain foreign governments to install an AU government issued app on their official phones or back end systems !

I’m still thinking about where to use DIDs.  To be honest, I think the primary use case might be for things not people.  I know it’s not the primary thinking - but if each cross border consignment had its own DID and that DID was referenced in all the conversations and claims about that consignment - and if, given just a DID, I could find the VCs about that consignment - this would “solve world hunger” from a trade facilitation and border compliance perspective

Steven Capell
Mob: 0410 437854

> On 22 Mar 2021, at 11:12 pm, David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:
> 
> 
> Hi Steve
> 
> to my mind the fundamental benefit of the VC ecosystem and SSI is giving users control of their identity attributes. It is not about decentralisation per se, or identifiers, but it is about control of your identity. How users are given control is shown quite clearly in the VC data model. The user is in the centre of the VC eco-system. The user receives VCs, and the user presents VCs. Most importantly, the issuer does not know who the user is presenting them to. This is the fundamental benefit of VCs. It does not require DIDs, DID documents, blockchains or any of the other add ons that people are bundling together today. Personally I think that the roll out of SSI is being hampered by bundling all this other infrastructure with VCs. Selling VCs to businesses and governments is hard enough, without requiring them to take DIDs, DID documents, blockchains etc as well. If we can say to them, use your existing trust and security infrastructures that you are familiar with (X.509 PKI, TLS, JWT) and gain the benefits of VCs and SSI now, then it would be a much easier sell, much less pain to implement, much less churn, much less administrative burden, technical know-how etc. Once SSI takes off, you can then try to replace the existing trust infrastructure with blockchains and DIDs. That's my two-penneth.
> 
> Kind regards
> 
> David
> 
> On 22/03/2021 10:42, Steve Capell wrote:
>> Ok but then I honestly struggle to think of a single example of a useful VC that doesn’t come from an issuer that has some kind of authority to make a claim about a subject, does so for many subjects, and keeps records ..
>> 
>> Can you think of one? If not, and if record keeping by issuers is really a problem - then what is the goal of this group?
>> 
>> To my mind the decentralisation that VC allows is not about issuers but rather about various identity “hubs” that aggregate information from various “issuers” about subjects 
>> 
>> Am I missing something ?
>> 
>> Steven Capell
>> Mob: 0410 437854
>> 
>>> On 22 Mar 2021, at 8:54 pm, David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:
>>> 
>>> 
>>> Hi Steve
>>> 
>>> I take "represent" to mean the issuer of the VC and not the phone app. Looking up the definition of represent we have "to speak for", "to stand for", "to denote", which is what the issuer is doing when it issues a VC to a holder. "DVLA says that I can drive a car".
>>> 
>>> So my point was that today, all issuers represent the subject by issuing VCs, and all issuers today use centralised systems. So today, all VC systems rely on centralised systems.
>>> 
>>> Whilst I take Drummond's point that SSI might not require centralised systems, I have yet to see a workable viable SSI system that does rely on them. (Cars do not require tarmaced roads, but they all rely on them, and would be much worse off without them)
>>> 
>>> Kind regards
>>> 
>>> David
>>> 
>>> On 21/03/2021 21:50, Steve Capell wrote:
>>>> Hi David 
>>>> 
>>>> There will always be issuers of credentials that are the natural authority for a thing and will naturally (legally obliged actually) keep records about the thing they do
>>>> - your DVLA issues drivers licenses and it would be nice to issue them as VCs so that holders can selectively disclose 
>>>> - Oxford University issues degree certificates and certainly keeps records of their alumni 
>>>> - and so on ..
>>>> It would be odd to suggest that, to comply with SSI, these organisations should dispose of their records 
>>>> 
>>>> And, at least with my amateur reading of that principle “An SSI ecosystem shall not require reliance on a centralized system to represent, control, or verify an entity’s digital identity data.”
>>>> - represent : isn’t that the user’s phone app (or even PDF with QR)
>>>> - control : the user’s digital wallet 
>>>> - verify : at the holder’s discretion via a VP and unknown to the issuer 
>>>> 
>>>> So - where is the conflict with the legal requirement for issuers to keep records ?
>>>> 
>>>> Steven Capell
>>>> Mob: 0410 437854
>>>> 
>>>>> On 21 Mar 2021, at 10:37 pm, David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:
>>>>> 
>>>>> 
>>>>> Hi Steve
>>>>> 
>>>>> I think you will have a hard time convincing anyone of the principles of SSI when Sovrin's third principle states
>>>>> 
>>>>> 3. An SSI ecosystem shall not require reliance on a centralized system to represent, control, or verify an entity’s digital identity data.
>>>>> 
>>>>> This is clearly impossible, since every VC Issuer that I know has a centralised system in which they store, manage and update the user's PII from which they issue their VCs.
>>>>> 
>>>>> Kind regards
>>>>> 
>>>>> David
>>>>> 
>>>>> 
>>>>> 
>>>>> On 20/03/2021 20:25, Steve Capell wrote:
>>>>>> Hi Michael
>>>>>> 
>>>>>> As a contractor to Australian government I deal with policy makers almost every day and so I understand both the difficulty and the necessity of conveying these concepts to non technical audiences.
>>>>>> 
>>>>>> As a sufficiently technical reader, I liked your article. It’s the first time I’ve seen that meta-model of the identity domain and, for me, it was very helpful.
>>>>>> 
>>>>>> However, sadly, I don’t think it will help the policy maker that is not used to reading meta models. I usually have more success with storyboards that contrast two architectures with real examples. Policy makers don’t need to “understand the architecture”.  They need to be able to conceptualise how it works through examples so that they can understand the policy impacts and opportunities.  
>>>>>> 
>>>>>> I also need to convey these ideas - both to AU and UN sometime over the next month or so. I’ll need to test my communication materials on non technical people to ensure the message has worked - and also on expert SSI community members to ensure that the message is right. For that latter concern, please let me know if anyone in this group is willing to be a sounding board 
>>>>>> 
>>>>>> Kind regards 
>>>>>> 
>>>>>> Steven Capell
>>>>>> Mob: 0410 437854
>>>>>> 
>>>>>>> On 21 Mar 2021, at 4:47 am, Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> RE: In prep calls for the panel and other mentions of our work, the “Self-Sovereign Identity” concept is treated as controversial. In a recent major webinar about mandated protocols by the US regulators themselves, they referred to “Distributed Identity”.
>>>>>>>  
>>>>>>> I’m trying to address the same issue wrt what is “Self-Sovereign Identity” / “SSI” at its very core. 
>>>>>>>  
>>>>>>> Check out: https://hyperonomy.com/2021/02/01/ssi-unconscious-contractions/
>>>>>>>  
>>>>>>> I’m looking for additional people who share a similar perspective.
>>>>>>>  
>>>>>>> Best regards,
>>>>>>> Michael
>>>>>>>  
>>>>>>> From: Adrian Gropper <agropper@healthurl.com> 
>>>>>>> Sent: March 20, 2021 8:58 AM
>>>>>>> To: Manu Sporny <msporny@digitalbazaar.com>
>>>>>>> Cc: W3C Credentials CG <public-credentials@w3.org>
>>>>>>> Subject: The SSI protocols challenge [Was]: W3C DID Core 1.0 enters Candidate Recommendation stage
>>>>>>>  
>>>>>>> It is indeed a big deal and cause for celebration. 
>>>>>>>  
>>>>>>> From my perspective the next challenge is to get the protocols right from a human-centered and community perspective. 
>>>>>>>  
>>>>>>> For an example of that challenge, on March 30 I’m on a Digital Credentials panel at the ONC (US Federal healthcare regulator) Annual Meeting. In prep calls for the panel and other mentions of our work, the “Self Sovereign Identity” concept is treated as controversial. In a recent major webinar about mandated protocols by the US regulators themselves, they referred to “Distributed Identity” :-?
>>>>>>>  
>>>>>>> Let us celebrate and consider the Fun times ahead....
>>>>>>>  
>>>>>>> Adrian
>>>>>>>  
>>>>>>> On Sat, Mar 20, 2021 at 10:16 AM Manu Sporny <msporny@digitalbazaar.com> wrote:
>>>>>>> Hi all,
>>>>>>> 
>>>>>>> Decentralized Identifiers (DIDs) v1.0 has reached the Candidate Recommendation
>>>>>>> stage at W3C. The current specification can be found here:
>>>>>>> 
>>>>>>> https://www.w3.org/TR/2021/CR-did-core-20210318/
>>>>>>> 
>>>>>>> This is a major milestone in the W3C global standards process. It marks the
>>>>>>> start of a period of 1-4 months where the official W3C Working Group has
>>>>>>> communicated that it is done with all features in the specification.
>>>>>>> 
>>>>>>> The W3C DID WG has also communicated that the specification is stable enough
>>>>>>> to collect implementation experience from the global implementer community.
>>>>>>> Once the WG collects enough implementation experience, it may then make final
>>>>>>> adjustments before publishing the v1.0 global standard, which is expected at
>>>>>>> the end of September 2021.
>>>>>>> 
>>>>>>> I have attached an image with an (unofficial) graphical depiction of the DID
>>>>>>> standards history and expected future timeline.
>>>>>>> 
>>>>>>> Congratulations to everyone that contributed to get us to this point; this is
>>>>>>> a big deal and cause for celebration. :)
>>>>>>> 
>>>>>>> -- manu
>>>>>>> 
>>>>>>> -- 
>>>>>>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>>>>>>> Founder/CEO - Digital Bazaar, Inc.
>>>>>>> blog: Veres One Decentralized Identifier Blockchain Launches
>>>>>>> https://tinyurl.com/veres-one-launches

Received on Monday, 22 March 2021 20:19:54 UTC
