- From: <steve.e.magennis@gmail.com>
- Date: Mon, 15 Aug 2022 08:40:49 -0700
- To: "'Kerri Lemoie'" <klemoie@mit.edu>, "'Manu Sporny'" <msporny@digitalbazaar.com>, "'Credentials Community Group'" <public-credentials@w3.org>
- Cc: "'Tobias Looker'" <tobias.looker@mattr.global>, "'Steve Capell'" <steve.capell@gmail.com>, "'Kyano Kashi'" <kyanokashi2@gmail.com>, "'Tomislav Markovski'" <tomislav@trinsic.id>, "'W3C Credentials CG'" <public-credentials@w3.org>
- Message-ID: <04d501d8b0bd$6512fb80$2f38f280$@gmail.com>

The two problems I have with the concept of trust chains that extend beyond the immediate issuer are 1) many people assert that the solution must assume the verifier has no context as to the trustworthiness of the chain beyond what can be determined through the system and 2) if #1 is a requirement then the result – at best – is that we will be putting a lot of burden onto the verifier to determine (or, I suppose pre-determine as in a filter) if the chain presented to them is trustworthy enough to accept in a particular context. At worst, we would be moving around a lot of information that will only be ignored by the verifier because verification becomes too complex.

I acknowledge there are some use-cases where long chaining is simply a necessity. I think we should talk about long chain solutions in the context of those use-cases though, rather than as a generic solution for everything where a much lighter weight solution is IMHO better suited.

-S

From: Kerri Lemoie <klemoie@mit.edu>
Sent: Monday, August 15, 2022 7:00 AM
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Tobias Looker <tobias.looker@mattr.global>; Steve Capell <steve.capell@gmail.com>; Kyano Kashi <kyanokashi2@gmail.com>; Tomislav Markovski <tomislav@trinsic.id>; W3C Credentials CG <public-credentials@w3.org>
Subject: Re: Authorized Issuer Lists

Hi Manu,

Thanks for kicking off this discussion. As Dmitri and Simone noted, this has been coming up quite a bit at VC-EDU. We’re looking forward to the EBSI call.

We’ve also had some discussions with Credential Engine (https://credentialengine.org/) about what it means for a credential to explain the difference between a credential organization, a provider, a creator, and an issuer - in some cases a single entity may be all four of these roles. Keeping in mind that our charter is to consider credentials in education, workforce, and also achievements any of which could be formal, informal, or non-formal—peer to peer even.

A few layers of issuer identity verifiability to consider:

1) Is the identity of the issuer verifiable (KYC)? This is how paper credentials work now. Even with Open Badges, issuers are typically verified by their domain names or by badging platforms that serve as an issuer proxy and don’t assume responsibility for verifying issuer accreditation status or qualifications.

2) Does the issuer have permission to issue this credential content? Does the issuer own this content?

3) Does the issuer have the qualifications to issue the credential?

I’ve often heard all three of these being conflated and suggest that we carefully keep them separate because while they may overlap, trust is contextual, subjective, and fluid. Also, we should keep in mind that we don’t disregard individuals as issuers to others and to themselves.

Thanks,

K.

——————
Kerri Lemoie, PhD
Director of Technology, Digital Credentials Consortium
https://digitalcredentials.mit.edu
@kayaelle
she/her/hers

On Aug 15, 2022, at 8:24 AM, Tomislav Markovski <tomislav@trinsic.id> wrote:

Naming is fun. I would even take this a step further and move away from the loaded word "trust" to something more generic like "membership list" or "membership registry" or simply just "registry". You can then have a "registry" named "authorized issuers" or "trusted verifiers" to reflect the specific use case.

In addition, and on topic, registries can also have privacy-preserving features and can be implemented using technologies like cryptographic accumulators. Accumulators support use-cases where registry or list membership is sensitive and shouldn't reveal information about everyone in the registry. For example a registry of authorized debt collection agencies, or list of obgyn licensed providers. We've done some POC work in this area and I would love to have these privacy use cases supported by the subject of our topic.

On Sun, Aug 14, 2022 at 6:29 PM Tobias Looker <tobias.looker@mattr.global> wrote:

This is a great and much needed initiative for the credential space.

I would note that I think language like "authorized issuer lists" does tend to set up the possible misconception that there is a singular arbiter around who to trust for a particular credential type when in reality trust is contextual. Therefore, I think "trust lists" or "trust registries" are perhaps a better language framing of what we are looking for an interoperable solution to.

Thanks,

Tobias Looker
MATTR CTO
+64 (0) 27 378 0461
tobias.looker@mattr.global

_____

From: Steve Capell <steve.capell@gmail.com>
Sent: 15 August 2022 09:39
To: Kyano Kashi <kyanokashi2@gmail.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>; W3C Credentials CG <public-credentials@w3.org>
Subject: Re: Authorized Issuer Lists

Yes! And then the school includes the accreditation vc in their student credential vc

Steven Capell
Mob: 0410 437854

On 15 Aug 2022, at 7:28 am, Kyano Kashi <kyanokashi2@gmail.com> wrote:

Hi Manu,

Forgive my ignorance, but couldn’t we simply have the American Bar Association issue VCs to the schools it wishes to accredit for issuing law VCs?

Best,
Kyano

On Sun, Aug 14, 2022 at 6:19 PM Manu Sporny <msporny@digitalbazaar.com> wrote:

Hi all,

The topic of "lists of authorized issuers for certain types of credentials" has been floating around the VC community for a few years now. We don't seem to have hit a point where implementers and customers feel they absolutely need the feature, but there has been enough curiosity around it to perhaps have some exploratory technical discussions at some of the upcoming conferences.

The basic concept here is: Can a verifier lean on established trust it has in some authority, such as an accreditation body, to get a list of issuers for particular types of credentials? To focus on a use case in education, how would the American Bar Association publish a list of all law schools that it has accredited to issue law degree VCs?

The following paper calls for the exploration of the topic, starting at the upcoming RWoT in The Hague (end of September):

https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/advance-readings/authorized-issuer-lists.md

Thoughts, concerns, and identification of similar work, are all welcome.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Monday, 15 August 2022 15:41:05 UTC
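
An added example, not part of any message in this thread and not code from any project mentioned in it: a Node.js illustration of the pattern discussed above, where an accreditation body issues a credential to a school and the school embeds it in the student credential, checked by a verifier that keeps its own per-credential-type trust list and chain-depth limit. The DIDs, credential types, field names and helper functions are hypothetical, and signing plain JSON with Ed25519 stands in for a real VC proof suite.

```javascript
// Added example: constructed DIDs, types and keys; not a real VC proof suite.
const crypto = require('crypto');

// A party with a fresh Ed25519 key pair; `id` stands in for a DID.
const party = (id) => ({ id, ...crypto.generateKeyPairSync('ed25519') });

// Sign a minimal credential. JSON.stringify over a fixed key order stands in
// for real canonicalization (an assumption that holds only inside this demo).
function issue(issuer, type, subject, evidence = null) {
  const body = { type, issuer: issuer.id, subject, evidence };
  const sig = crypto.sign(null, Buffer.from(JSON.stringify(body)), issuer.privateKey);
  return { ...body, proof: sig.toString('base64') };
}

function signatureOk(vc, keys) {
  const { proof, ...body } = vc;
  const key = keys[vc.issuer]; // stands in for resolving the issuer's DID
  return Boolean(key && proof) &&
    crypto.verify(null, Buffer.from(JSON.stringify(body)), key, Buffer.from(proof, 'base64'));
}

// Walk from the presented credential up through embedded accreditation
// credentials. Accept only if every signature verifies, each accreditation
// names the issuer below it, and the chain reaches an anchor this verifier
// trusts for this credential type within maxDepth links.
function verifyChain(vc, keys, policy) {
  const { anchors, maxDepth } = policy[vc.type] || { anchors: [], maxDepth: 0 };
  let cur = vc;
  for (let depth = 0; depth <= maxDepth; depth++) {
    if (!signatureOk(cur, keys)) return { ok: false, reason: 'bad signature' };
    if (anchors.includes(cur.issuer)) return { ok: true, depth };
    const next = cur.evidence;
    if (!next || next.subject !== cur.issuer || next.type !== `AccreditedToIssue:${vc.type}`)
      return { ok: false, reason: 'no accreditation for issuer' };
    cur = next;
  }
  return { ok: false, reason: 'chain too long' };
}

function demo() {
  const [aba, school, mill] = ['aba', 'law-school', 'diploma-mill'].map((n) => party(`did:example:${n}`));
  const keys = Object.fromEntries([aba, school, mill].map((p) => [p.id, p.publicKey]));
  const policy = { LawDegree: { anchors: [aba.id], maxDepth: 1 } }; // verifier's own, per context
  const accreditation = issue(aba, 'AccreditedToIssue:LawDegree', school.id);
  const accredited = issue(school, 'LawDegree', 'did:example:alice', accreditation);
  const borrowed = issue(mill, 'LawDegree', 'did:example:bob', accreditation);
  const selfMade = issue(mill, 'LawDegree', 'did:example:bob',
    issue(mill, 'AccreditedToIssue:LawDegree', mill.id));
  return [accredited, borrowed, selfMade].map((vc) => verifyChain(vc, keys, policy));
}
```

The `policy` object is the verifier's own context: changing `anchors` or `maxDepth` changes the outcome for the same credentials, and each extra permitted link is one more signature and binding the verifier has to evaluate.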