- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 18 Aug 2022 11:23:33 -0400
- To: W3C Credentials CG <public-credentials@w3.org>
On Mon, Aug 15, 2022 at 7:39 AM Leah Houston, MD <leah@hpec.io> wrote:
> I think in order to avoid a dystopian situation there needs to be a way to self register on these lists… Anyone should be able to register as an issuer, and the volume of usage of those issues credentials by verifiers can be tracked so that people can infer how trusted it is by the volume and diversity of who is using those verifiers.

Are you thinking that self-registration would require the entity maintaining the list to vet the registration? If so, what are the rules to vet entities that self-register (perhaps they're set by the maintainer of the list)? What would the process be? (It could be as simple as emailing a VC to the registry).

I do agree that having a protocol/mechanism to register/update on these lists is important, but that's a lot more work than what is suggested by the RWoT paper. So much more work that we're going to add years to getting the basic data model out there. That said, it might be important for ecosystems that have hundreds to thousands of issuers (like education).

> In this example the instant that a new accrediting body like NBPAS becomes available the founders of the accrediting body could add that body to the list. Initially it would go un-utilized, however as verifying bodies start accepting the new credentials the usage can be automatically tracked and registered under that particular accrediting body. As time went on and usage went up the accrediting body will gain more notoriety based on its actual usage.

Hrm, perhaps you think what is being suggested is ONE authorized issuer list for a certain type of credential? That would be a huge mistake, IMHO, which would lead to the sort of market abuses that you spoke to in your original email.

My expectation here, in your use case, is that ABMS would publish their list and NBPAS would publish a separate list, and the more progressive hospitals would add BOTH lists to their verifier in order to accept credentials of any issuer listed on either list. That seems to keep the proper decentralized market checks and balances in play to ensure that the regulators and accreditation bodies don't lock a particular market into their policies.

> I feel a governance structure like this is absolutely necessary because at minimum it gives a mechanism for the people to regulate the regulators.

Yes, agreed. I see no technical barrier to providing such a thing. I'd be careful about calling it a "governance structure" because those are easily gamed (as you demonstrate with ABMS over time). What we're looking for here is a technical solution that gives people and societies options, especially when the governance structure has been gamed.

> Do any of the specifications support this kind of governance? I’d be curious to hear people's thoughts on this.

I'd be surprised if all of the solutions don't allow multiple authorized issuer lists to be used by a verifier. Then again, I expect that (as a community) we'll have to actively fight efforts to centralize this technology... though I'm struggling to think of a way authorized issuer lists could be centralized (other than through a governing body).

Does that help, Leah, or am I completely off base?

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Thursday, 18 August 2022 15:24:22 UTC