Re: Authorized Issuer Lists

On Mon, Aug 15, 2022 at 7:39 AM Leah Houston, MD <leah@hpec.io> wrote:
> I think in order to avoid a dystopian situation there needs to be a way to self register on these lists… Anyone should be able to register as an issuer, and the volume of usage of those issued credentials by verifiers can be tracked so that people can infer how trusted it is by the volume and diversity of who is using those verifiers.

Are you thinking that self-registration would require the entity
maintaining the list to vet the registration? If so, what are the
rules to vet entities that self-register (perhaps they're set by the
maintainer of the list)? What would the process be? (It could be as
simple as emailing a VC to the registry).

I do agree that having a protocol/mechanism to register/update on
these lists is important, but that's a lot more work than what is
suggested by the RWoT paper. So much more work that we're going to add
years to getting the basic data model out there. That said, it might
be important for ecosystems that have hundreds to thousands of issuers
(like education).

> In this example, the instant that a new accrediting body like NBPAS becomes available, the founders of the accrediting body could add that body to the list. Initially it would go un-utilized; however, as verifying bodies start accepting the new credentials, the usage can be automatically tracked and registered under that particular accrediting body. As time went on and usage went up, that accrediting body will gain more notoriety based on its actual usage.

Hrm, perhaps you think that what is being suggested is ONE authorized
issuer list for a certain type of credential? That would be a huge
mistake, IMHO, which would lead to the sort of market abuses that you
spoke to in your original email.

My expectation here, in your use case, is that ABMS would publish
their list and NBPAS would publish a separate list, and the more
progressive hospitals would add BOTH lists to their verifier in order
to accept credentials of any issuer listed on either list. That seems
to keep the proper decentralized market checks and balances in play to
ensure that the regulators and accreditation bodies don't lock a
particular market into their policies.

> I feel a governance structure like this is absolutely necessary because at minimum it gives a mechanism for the people to regulate the regulators.

Yes, agreed. I see no technical barrier to providing such a thing. I'd
be careful about calling it a "governance structure" because those are
easily gamed (as you demonstrate with ABMS over time). What we're
looking for here is a technical solution that gives people and
societies options, especially when the governance structure has been
gamed.

> Do any of the specifications support this kind of governance? I’d be curious to hear people's thoughts on this.

I'd be surprised if all of the solutions don't allow multiple
authorized issuer lists to be used by a verifier. Then again, I expect
that (as a community) we'll have to actively fight efforts to
centralize this technology... though I'm struggling to think of a way
authorized issuer lists could be centralized (other than through a
governing body).

Does that help, Leah, or am I completely off base?

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Thursday, 18 August 2022 15:24:22 UTC