Re: NIST Draft on Digital Identity from Steve Capell on 2022-12-16 (public-credentials@w3.org from December 2022)

From: Steve Capell <steve.capell@gmail.com>
Date: Sat, 17 Dec 2022 04:29:12 +1100
To: Mike Prorock <mprorock@mesur.io>
Cc: W3C Credentials CG <public-credentials@w3.org>
Message-Id: <CA4733F7-88E2-498D-89F9-F6EB9265DD4D@gmail.com>

Reading the table of contents you’d be forgiven for thinking that NIST have totally forgotten to include decentralised identity models 

Digging further into the document you can see in fig 1 page 12 there’s a diagram that has a bit of a flavour of decentralised models with the “credential service provider” (issuer?) that does “identity origins and enrolment” (issue Vc?) to an “applicant” (vc subject?) who then becomes a “subscriber” (to what?).  The “subscriber” then “authenticates” (presents vp?) to a “relying party” (verifier?) and gets redirected to a “verifier” (another verifier?) to become a “claimant” and then can continue identified and authenticated interactions with a relying party.  All three roles of “relying party”, “verifier”, “credential service provider” are wrapped in one box called “service provider functions”

The diagram title is “non federated digital
Identity model”.  Don’t see anything in there about subject self issued identifiers (dids). 

It looks like an attempt to include half the ideas of a proper decentralised identity architecture and stuff them into a slightly tweaked version of the federated identity model (ie a “federation” of centralised idps) that we all know and “love” ;) 

I don’t understand the intent of fearing up this hybrid that is neither decentralised or centralised  and labelling if “non-federated”?  Why do that? Why not fully recognise the reality of decentralised models, name it appropriately, draw it correctly, and include one of the most foundational ideas (the did)?  

I think somebody with some clout (Anil?) should suggest some corrections to NIST 

Steven Capell
Mob: 0410 437854

> On 17 Dec 2022, at 3:17 am, Mike Prorock <mprorock@mesur.io> wrote:
> 
> 
> CCG,
> I would love to collect thoughtful feedback and review comments from members of the community on the the following:
> https://csrc.nist.gov/publications/detail/sp/800-63/4/draft
> 
> There are some strong implications in this doc, and it may set the stage for many years to come, so we should all take some time to review carefully, and comment in a professional, proactive, and positive way on areas we are individually subject matter experts in.  I would love feedback on the list as well for myself and the other Co-chairs as we review in depth additionally for any items that are highly positive in the draft(s) or areas of concern that could be refined to avoid future issues.
> 
> thanks in advance!
> 
> Mike Prorock
> CTO, Founder
> https://mesur.io/
>

Received on Friday, 16 December 2022 17:29:39 UTC