
Re: [PROPOSED WORK ITEM] Verifiable Issuers and Verifiers

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sat, 17 Dec 2022 14:27:27 -0500
Message-ID: <CAMBN2CTRmN+ewwyhkSO5wNBTEeV4nUC+KCBwn-AcwYrwj9q66g@mail.gmail.com>
To: Alan Karp <alanhkarp@gmail.com>
Cc: W3C Credentials CG <public-credentials@w3.org>

On Fri, Dec 16, 2022 at 4:42 PM Alan Karp <alanhkarp@gmail.com> wrote:
> I think an equally important question is "In what ways am I vulnerable if I ask X to do Y?"

Alan, your comment is too meta for me. Please help me understand your
point with a concrete use case or example.

Also, please forgive me if we haven't considered what you're
raising... we're early days here, so not everything is going to have a
well-trodden rationale. :)

In an attempt to interpret your statement through a use case -- there
are around 3,982 degree-granting postsecondary institutions in the
U.S. The U.S. Department of Education's Office of Postsecondary
Education (OPE) maintains ONE of the accreditation databases and
provides it as a public service (without warranty). That database
could be published as a Verifiable Issuer List on a web page.

If you run a Verifier that checks if someone has a university degree
as a part of some business process, it would be helpful for you to
consume an up-to-date list of those 3,982 issuers... presumably by
reading that Verifiable Issuer List from a website.

So, given that use case, your question can be construed as: "In what
ways am I vulnerable if I ask this university registrar to issue a
university degree to me?"... or "In what ways am I vulnerable if I ask
this employer to check to see if my university degree is valid?" --
see why I'm confused? The answer could be: "You're not?" to "You're
always vulnerable in some way?".

What the work is attempting to do is address 80% of the use cases, not
be a 100% solution. It focuses just on the data model and verifiable
credential, not on the surrounding ecosystem, or APIs, or any of the
other higher order management/governance processes that make
addressing "the problem" nearly intractable.

The work focuses on ensuring that anyone can create and share these
lists, you don't have to be special to do it. Anyone can use someone
else's list, or combine lists for their own use.

We tried to stay away from the word "trust" because it's overused,
loaded, and tends toward meaninglessness. That I trust a particular
list doesn't mean that you trust that same list. A trust in a list
might wax and wane depending on who is maintaining that list over
time. So, it's important that we don't put too much faith into these
lists or suggest that they're infallible or there must be ONE list for
any particular ecosystem.

All that to say -- I'm afraid I've misinterpreted what you were saying
and need you to be more concrete and blunt. :)

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
Received on Saturday, 17 December 2022 19:28:16 UTC
