- From: Christopher Allen <ChristopherA@lifewithalacrity.com>
- Date: Wed, 14 Dec 2022 22:15:20 -0800
- To: Daniel Hardman <daniel.hardman@gmail.com>
- Cc: "Michael Herman (Trusted Digital Web)" <mwherman@parallelspace.net>, Wolf McNally <wolf@wolfmcnally.com>, Shannon Appelcline <shannon.appelcline@gmail.com>, Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CACrqygCX0p5hJi0y3anW5pg519EAgNWOwi4njPWSmxoNpv1=Dg@mail.gmail.com>
Daniel,

On Wed, Dec 14, 2022 at 8:29 PM Daniel Hardman <daniel.hardman@gmail.com> wrote:

> This is not to advocate for ACDCs here; I'm sure downsides to their
> approach could be pointed out and analysed, but that's not the purpose of
> your thread. My point is simply that there is strong evidence that A)
> others share your concerns;

Exactly. The existence of ACDC, the existence of (and choices by) mDL, of Gordian Envelopes, along with what I believe lies hidden underneath various DIF objections, demonstrates evidence of the bigger problem.

> and B) it is possible to come up with at least one coherent solution that
> addresses them broadly -- and efforts to do so are not in their infancy.

I'm less confident about a single coherent solution. Instead I prefer every layer to be as independent as possible (an aside: this is the root of what drove my leadership in SSL/TLS — the alternative solutions for early web security were very tightly integrated stacks that benefited orgs like Visa or Microsoft over independents). In my own designs for the Gordian Envelope architecture, I instead try to be as agnostic as possible. We can support multiple graph types or maybe even be useful for those with no graph. We don't mandate specific signature or cryptographic approaches; Gordian Envelopes should work with COSE but also other alternative mechanisms. But I worry that the complexity of what we are trying to do is pushing more developers to want integrated architectures.

> To Michael's question about where/how to constructively work the issue, I
> suggest that perhaps W3C isn't the right home, because web-centrism is
> woven into its DNA. The abstract for the W3C spec says "This specification
> provides a mechanism to express these sorts of credentials on *the Web*."
> The status section says "W3C recommends the wide deployment of this
> specification as a standard for *the Web*." The first three paragraphs of
> the intro say credential use "on *the Web* continues to be elusive";
> "Currently it is difficult to express...third-party verified
> machine-readable personal information *on the Web*"; "The difficulty of
> expressing digital credentials *on the Web* makes it challenging to
> receive the same benefits through *the Web* that physical credentials
> provide us in the physical world. This specification provides a standard
> way to express credentials *on the Web*."
>
> I suppose this text could be revised to convey a broader conception, but
> I don't think it should be. The text as it currently stands is an accurate
> capture of the priorities and mindset. It is exactly what we could and
> should produce in an organization that takes as its motto, "leading the web
> to its full potential" (see w3c home page).

I think you are correct — DID/VCs are very web-centric. I'd be happy to endorse the VC-WG offering a VC-LD 2.0 spec (provided that they also deliver, or even better require, something that supports elision, such as Merkle Disclosure Proof 2021: https://w3c-ccg.github.io/Merkle-Disclosure-2021/). But we do have to be careful of the current VC data model becoming a "One Ring to Rule Them All" solution — it should be understood what VC-LD can do and what it should not be used for, and not lock people into other solutions.

> I would like a technology that is usable on the Web, but also over the
> internet writ larger than Web (e.g., email, ssh, UDP...), plus over
> Bluetooth, over LoRa, over Kafka, over sneakernet, etc.

Agreed!

> I've come to feel that IETF is a better home for that kind of thing. I
> invite you to come join the ACDC discussions there, if you're interested --
> or to pull the ACDC discussions and discussions from other parties who
> share these concerns into an IETF home that you recommend, if that's better.

I have submitted the Gordian Envelope as an internet-draft ( https://datatracker.ietf.org/doc/draft-mcnally-envelope/ ). I've reached out to various groups at IETF to consider leveraging Gordian Envelope — it has many uses besides credentials. One of the challenges with the IETF process is that it doesn't quite have the equivalent of the Credentials Community Group that crosses multiple working groups. When Joe, Kimberly, and I became co-chairs of the CCG, we hoped it could become a big tent, just as we thought #RebootingWebTrust was, and that early efforts here toward solutions could advance not only in the W3C but also IETF, Oasis, or even someday ISO. However, so far, getting discussion going, given the 5 different groups that could leverage Gordian Envelopes, has been hard. If you have advice (my IETF experience is 20+ years old) it would be appreciated!

--
Christopher Allen
Received on Thursday, 15 December 2022 06:16:11 UTC