Re: The SSI protocols challenge [Was]: W3C DID Core 1.0 enters Candidate Recommendation stage from Drummond Reed on 2021-03-22 (public-credentials@w3.org from March 2021)

From: Drummond Reed <drummond.reed@evernym.com>
Date: Mon, 22 Mar 2021 13:27:47 -0700
To: Steve Capell <steve.capell@gmail.com>
Cc: David Chadwick <D.W.Chadwick@kent.ac.uk>, Credentials Community Group <public-credentials@w3.org>
Message-ID: <CAAjunnYgqrohwRiAk4syOg0Riu7efK18u8aThuRz-dXwHtzREA@mail.gmail.com>
Steve, just to clarify, the need to avoid public DIDs for privacy reasons
is generally only needed when the subject is a person. However thre are
certainly other use cases in business contexts (such as blind auctions).
Another common case for ZKP-based VCs is when you want traceability of a
supply chain but do not want to reveal sensitive commercial data about
volumes, shipping info, etc.

=Drummond

On Mon, Mar 22, 2021 at 1:23 PM Steve Capell <steve.capell@gmail.com> wrote:

> So my use case is almost the converse - the did is most definitely a
> persistent and correlatable identifier - but for a transient thing, not for
> a beating heart
>
> Steven Capell
> Mob: 0410 437854
>
> On 23 Mar 2021, at 7:19 am, Steve Capell <steve.capell@gmail.com> wrote:
>
> Well I certainly agree that did is not a necessary part of vc
>
> We are using vc now for cross border trade docs - where the concern is
> mostly about trust and less about privacy (although it it commercially
> sensitive so we use things like one time passwords in QR codes to limit
> access).
>
> In our case the subject identifier is not an SSI at all, it is a public ID
> from a national business register - which is exactly what is needed for our
> business use case
>
> And, as you state, the #1 value is the decoupling of issuer and verifier -
> because, although the ABF provides a hosted verifier, it is fundamental to
> international uptake that each national regulator can deploy their own
> verifiers. Partly so they can do so in their own language but mostly so
> they can trust it.  I don’t think we’d get very far if we have to ask
> certain foreign governments to install an AU government issued app on their
> official phones or back end systems !
>
> I’m still thinking about where to use DIDs.  To be honest, I think the
> primary use case might be for things not people.  I know it’s not the
> primary thinking - but if each cross border consignment had its own DID and
> that DID was referenced in all the conversations and claims about that
> consignment - and if, given just a did, I could find the VCs about that
> consignment - this would “solve world hunger” from a trade facilitation abd
> border compliance perspective
>
> Steven Capell
> Mob: 0410 437854
>
> On 22 Mar 2021, at 11:12 pm, David Chadwick <D.W.Chadwick@kent.ac.uk>
> wrote:
>
> 
>
> Hi Steve
>
> to my mind the fundamental benefit of the VC ecosystem and SSI is giving
> users control of their identity attributes. It is not about
> decentralisation per se, or identifiers, but it is about control of your
> identity. How users are given control is shown quite clearly in the VC data
> model. The user is in the centre of the VC eco-system. The user receives
> VCs, and the user presents VCs. Most importantly, the issuer does not know
> who the user is presenting them to. This is the fundamental benefit of VCs.
> It does not require DIDs, DID documents, blockchains or any of the other
> add ons that people are bundling together today. Personally I think that
> the roll out of SSI is being hampered by bundling all this other
> infrastructure with VCs. Selling VCs to businesses and governments is hard
> enough, without requiring them to take DIDs, DID documents, blockchains etc
> as well. If we can say to them, use your existing trust and security
> infrastructures that you are familiar with (X.509 PKI, TLS, JWT) and gain
> the benefits of VCs and SSI now, then it would be a much easier sell, much
> less pain to implement, much less churn, much less administrative burden,
> technical know-how etc. Once SSI takes off, you can then try to replace the
> existing trust infrastructure with blockchains and DIDs. That's my
> two-penneth.
>
> Kind regards
>
> David
> On 22/03/2021 10:42, Steve Capell wrote:
>
> Ok but then I honestly struggle to think of a single example of a useful
> VC that doesn’t come from an issuer that has some kind of authority to make
> a claim about a subject, does so for many subjects, and keeps records ..
>
> Can you think of one? If not, and if record keeping by issuers is really a
> problem - then what is the goal of this group?
>
> To my mind the decentralisation that VC allows is not about issuers but
> rather about various identity “hubs” that aggregate information from
> various “issuers” about subjects
>
> Am I missing something ?
>
> Steven Capell
> Mob: 0410 437854
>
> On 22 Mar 2021, at 8:54 pm, David Chadwick <D.W.Chadwick@kent.ac.uk>
> <D.W.Chadwick@kent.ac.uk> wrote:
>
> 
>
> Hi Steve
>
> I take "represent" to mean the issuer of the VC and not the phone app.
> Looking up the definition of represent we have "to speak for", "to stand
> for", "to denote", which is what the issuer is doing when it issues a VC to
> a holder. "DVLA says that I can drive a car".
>
> So my point was that today, all issuers represent the subject by issuing
> VCs, and all issuers today use centralised systems. So today, all VC
> systems rely on centralised systems.
>
> Whilst I take Drummond's point that SSI might not *require* centralised
> systems, I have yet to see a workable viable SSI system that does *rely*
> on them. (Cars do not require tarmaced roads, but they all rely on them,
> and would be much worse off without them)
>
> Kind regards
>
> David
> On 21/03/2021 21:50, Steve Capell wrote:
>
> Hi David
>
> There will always be issuers of credentials that are the natural authority
> for a think and will naturally (legally obliged actually) to keep records
> about the thing they do
> - your DVLA issues drivers licenses and it would be nice to issue them as
> VCs so that holders can selectively disclose
> - Oxford University issues degree certificates and certainly keeps records
> of their alumni
> - and so on ..
> It would be odd to suggest that, to comply with SSI, these organisations
> should dispose of their records
>
> And, at least with my amateur reading of that principle “ An SSI
> ecosystem shall not require reliance on a centralized system to represent,
> control, or verify an entity’s digital identity data.”
> - represent : isn’t that the users phone app (or even PDF with QR)
> - control : the users digital wallet
> - verify : at the holders discretion via a VP and unknown to the issuer
>
> So - where is the conflict with the legal requirement for issuers to keep
> records ?
>
> Steven Capell
> Mob: 0410 437854
>
> On 21 Mar 2021, at 10:37 pm, David Chadwick <D.W.Chadwick@kent.ac.uk>
> <D.W.Chadwick@kent.ac.uk> wrote:
>
> 
>
> Hi Steve
>
> I think you will have a hard time convincing anyone of the principles of
> SSI when Sovrin's third principle states
>
> 3. An SSI ecosystem shall not require reliance on a centralized system to
> represent, control, or verify an entity’s digital identity data.
>
> This is clearly impossible, since every VC Issuer that I know has a
> centralised system in which they store, manage and update the user's PII
> from which they issue their VCs.
>
> Kind regards
>
> David
>
>
> On 20/03/2021 20:25, Steve Capell wrote:
>
> Hi Michael
>
> As a contractor to Australian government I deal with policy makers almost
> every day and so I understand both the difficulty and the necessity of
> conveying these concepts to non technical audiences.
>
> As a sufficiently technical reader, I liked your article. It’s the first
> time I’ve seen that meta-model of the identity domain and, for me, it was
> very helpful.
>
> However, sadly, I don’t think it will help the policy maker that is not
> used to reading meta models. I usually have more success with storyboards
> that contrast two architectures with real examples. Policy makers don’t
> need to “understand the architecture”.  They need to be able to
> conceptualise how it works through examples to that they can understand the
> policy impacts and opportunities.
>
> I also need to convey these ideas - both to AU and UN sometime over the
> next month or so. I’ll need to test my communication materials on non
> technical people to ensure the message has worked - and also on expert SSI
> community members to ensure that the message is right. For that latter
> concern, please let me know if anyone in this group is willing to be a
> sounding board
>
> Kind regards
>
> Steven Capell
> Mob: 0410 437854
>
> On 21 Mar 2021, at 4:47 am, Michael Herman (Trusted Digital Web)
> <mwherman@parallelspace.net> <mwherman@parallelspace.net> wrote:
>
> 
>
> RE: In prep calls for the panel and other mentions of our work, the
> “Self-Sovereign Identity” concept is treated as controversial. In a recent
> major webinar about mandated protocols by the US regulators themselves,
> they referred to “Distributed Identity”.
>
>
>
> I’m trying to address the same issue wrt what is “Self-Sovereign Identity”
> / “SSI” at its very core.
>
>
>
> Check out: https://hyperonomy.com/2021/02/01/ssi-unconscious-contractions/
>
>
>
> I’m looking for additional people who share a similar perspective.
>
>
>
> Best regards,
>
> Michael
>
>
>
> *From:* Adrian Gropper <agropper@healthurl.com> <agropper@healthurl.com>
> *Sent:* March 20, 2021 8:58 AM
> *To:* Manu Sporny <msporny@digitalbazaar.com> <msporny@digitalbazaar.com>
> *Cc:* W3C Credentials CG <public-credentials@w3.org>
> <public-credentials@w3.org>
> *Subject:* The SSI protocols challenge [Was]: W3C DID Core 1.0 enters
> Candidate Recommendation stage
>
>
>
> It is indeed a big deal and cause for celebration.
>
>
>
> From my perspective the next challenge is to get the protocols right from
> a human-centered and community perspective.
>
>
>
> For an example of that challenge, on March 30 I’m on a Digital Credentials
> panel at the ONC (US Federal healthcare regulator) Annual Meeting. In prep
> calls for the panel and other mentions of our work, the “Self Sovereign
> Identity” concept is treated as controversial. In a recent major webinar
> about mandated protocols by the US regulators themselves, they referred to
> “Distributed Identity” :-?
>
>
>
> Let us celebrate and consider the Fun times ahead....
>
>
>
> Adrian
>
>
>
> On Sat, Mar 20, 2021 at 10:16 AM Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>
> Hi all,
>
> Decentralized Identifiers (DIDs) v1.0 has reached the Candidate
> Recommendation
> stage at W3C. The current specification can be found here:
>
> https://www.w3.org/TR/2021/CR-did-core-20210318/
>
> This is a major milestone in the W3C global standards process. It marks the
> start of a period of 1-4 months where the official W3C Working Group has
> communicated that it is done with all features in the specification.
>
> The W3C DID WG has also communicated that the specification is stable
> enough
> to collect implementation experience from the global implementer community.
> Once the WG collects enough implementation experience, it may then make
> final
> adjustments before publishing the v1.0 global standard, which is expected
> at
> the end of September 2021.
>
> I have attached an image with an (unofficial) graphical depiction of the
> DID
> standards history and expected future timeline.
>
> Congratulations to everyone that contributed to get us to this point; this
> is
> a big deal and cause for celebration. :)
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> blog: Veres One Decentralized Identifier Blockchain Launches
> https://tinyurl.com/veres-one-launches
>
>
Received on Monday, 22 March 2021 20:28:14 UTC