W3C home > Mailing lists > Public > public-credentials@w3.org > March 2021

Re: The "self-sovereign" problem (was: The SSI protocols challenge)

From: David Waite <dwaite@pingidentity.com>
Date: Tue, 23 Mar 2021 19:50:09 -0600
Message-ID: <CA+3kW=ZppR=Oh=c8kCwuJ004+9EEfdF7qtPkShBS012b3OtPDg@mail.gmail.com>
To: "Jim St.Clair" <jim.stclair@lumedic.io>
Cc: Leonard Rosenthol <lrosenth@adobe.com>, Drummond Reed <drummond.reed@evernym.com>, "Michael Herman (Trusted Digital Web)" <mwherman@parallelspace.net>, sankarshan <sankarshan@dhiway.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
On Tue, Mar 23, 2021 at 2:43 PM Jim St.Clair <jim.stclair@lumedic.io> wrote:

> “VC and DID are **NOT** decentralized.”
>
>    - Isn’t the first word in DID decentralized?
>
> The decentralization in DIDs conflates whether it means it represents
infrastructural decentralization in terms of the impact on reliability of
 a single point of failure (which just about every internet protocol has
support for), or decentralization of authority - saying that the
infrastructure is not run by a single organization but is rather a group of
parties under a governance model.

In any case, there is nothing about DID itself that makes it more
decentralized than your average other URI scheme - it is the DID methods
which refer to systems which may be _depoyed_ in such a manner to have
infrastructural and authority decentralization. For all I know, an
arbitrary DID method might resolve through a PHP script running on a $35/yr
hosting account.

The subject may choose to use a DID method that meets their requirements
here (likely that 99.9% will only do so under guidance, the DID rubric
document has way more text on this topic). Likewise issuers, verifiers and
wallets may all choose to reject use of that DID method - supporting a new
DID method has an unquantified security and reliability cost.

In terms of deploying "decentralized" technology, there is nothing about
VCs or DIDs which mandates these concepts of decentralization, or even
requires a deployment to _allow_ for decentralization. As an example, my
employer or bank may restrict the DID subject to one they control so that I
am unable to choose unaudited forms of validation.

Likewise, there are no DRM-like technical measures to extend a person's
self-sovereignty outside of their own choice of interactions - a party may
correlate the user by every piece of information they can get ahold of,
defeat attempts to use distinct personas, and so on. The inverse is, there
are no technical reasons you could not use existing protocols like OpenID
Connect to implement a decentralized system that respects user's consent
and control - Dick Hardt is attempting to do that with https://signin.org
as an example. The technology just may have limitations that you would not
have with a newer protocol choice (as is always the case).

So basically:
- DIDs and VCs do not mandate organizational decentralization or
infrastructural decentralization, and implying so both sets unrealistic
expectations and is negatively impacting adoption
- Self-sovereignty is a societal/legal initiative and construct, not a
technical one - but there are obviously aspects which make a particular
technology a better fit for self-sovereignty.

-DW

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
Received on Wednesday, 24 March 2021 01:50:37 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 24 March 2021 01:50:37 UTC