[PROPOSED WORK ITEM] Verifiable Issuers and Verifiers

Hi all,

A number of us have been collaborating over the past couple of months
via Rebooting the Web of Trust, the Internet Identity Workshop, and
weekly calls to unify the way anyone can share lists of issuers or
verifiers that perform a particular function in an ecosystem. This
work item is designed to answer questions like: "How can I trust that
this diploma is real?" or "Should I send my digital ID to this person
that is claiming to be law enforcement?". A draft version of this
industry survey work can be found here:

https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/draft-documents/verifiable-issuer-verifier-lists/verifiable-issuer-verifier-lists.pdf

We'd like to turn that paper into a W3C Credentials CG Work Item. The
work item focuses on how a party or its agent can decide whether or
not to engage with a counterparty in a transaction (that is: "Can I
trust X to do Y?"). The purpose of this work is to enable a party to
share a list of Verifiable Issuers and Verifiers in a way that is
useful to a particular transaction. The very drafty specification can
be found here (and will be migrated to CCG if the group adopts the
work item):

https://msporny.github.io/verifiable-issuers-verifiers/

Please support the adoption of the work item in CCG by adding your
support in a comment here:

https://github.com/w3c-ccg/community/issues/238

Work Item Leads: @hendersonweb and @msporny (CODEOWNERS)
Work Item Authors: @tsabolov @Oskar-van-Deventer @shigeya @lineko
@RieksJ (expect these folks to also be CODEOWNERS)

> Explain what you are trying to do using no jargon or acronyms.

In the Verifiable Credentials ecosystem, it is currently difficult to
know if you can trust the issuer of a Verifiable Credential. It is
also difficult to know if you should send a sensitive Verifiable
Credential to a Verifier that is asking for sensitive information.
This specification provides a way to share a list of Verifiable
Issuers (Universities that are accredited to issue Accounting degrees)
or a list of Verifiable Verifiers (National Border Protection Officers
that are authorized to ask you for identification documents) such that
entities can make decisions on who to trust during particular
transactions involving Verifiable Credentials.

> How is it done today, and what are the limits of the current practice?

Today, Verifiable Credential software needs to be configured by a
systems administrator or an individual to specify which parties they
trust to issue certain credentials or to receive certain credentials.
Since there can be thousands of issuers and many more verifiers, it
would be helpful if there was a standard to create lists of "trusted
parties" that people could use as a starting point to understand who
they can trust for certain credentials.

> What is new in your approach and why do you think it will be successful?

Our approach started by performing a broad industry analysis of many
of the initiatives in the space to gather commonalities among all of
the initiatives and then attempted to put the commonalities into a
consistent set of use cases, requirements, data model, and
serialization formats. We have proponents from many of the initiatives
directly involved in the analysis and the work and expect those
contributors to continue to provide input into the work ensuring broad
alignment among a global set of stakeholders in a variety of
industries.

> How are you involving participants from multiple skill sets and global locations in this work item? (Skill sets: technical, design, product, marketing, anthropological, and UX. Global locations: the Americas, APAC, Europe, Middle East.)

We started the work at Rebooting the Web of Trust 11, which included
participants from the Americas, Europe, and Japan and included work
from a variety of global initiatives. We then circulated the work at
the Internet Identity Workshop 35, which included participants from
Australia (in addition to the previous regions). We expect to continue
to engage at venues around the world as well as venues online with a
diverse set of stakeholders (such as the CCG, ToIP, DIF, and other
communities).

> What actions are you taking to make this work item accessible to a non-technical audience?

We are attempting to provide a gentle introduction to the topic via a
non-technical introduction in the specification as well as
non-technical use cases with imagery that is accessible to the general
population. The people that contributed to the work come from
academia, government, and private industry -- we are actively seeking
more diverse inputs via forums such as RWoT, IIW, and the CCG. We plan
to create presentation slide decks that outline the work in its
conceptual form so that non-technical audiences may engage with the
work. We are open to other mechanisms that could be used to improve
the input into the document.

We look forward to discussing this potential work item on the mailing
list as well as on a future call.

Please support the adoption of the work item in CCG by adding your
support in a comment here:

https://github.com/w3c-ccg/community/issues/238

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Friday, 16 December 2022 21:16:49 UTC