- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sat, 17 Dec 2022 14:27:27 -0500
- To: Alan Karp <alanhkarp@gmail.com>
- Cc: W3C Credentials CG <public-credentials@w3.org>
On Fri, Dec 16, 2022 at 4:42 PM Alan Karp <alanhkarp@gmail.com> wrote: > I think an equally important question is "In what ways am I vulnerable if I ask X to do Y?" Alan, your comment is too meta for me. Please help me understand your point with a concrete use case or example. Also, please forgive me if we haven't considered what you're raising... we're early days here, so not everything is going to have a well trodden rationale. :) In an attempt to interpret your statement through a use case -- there are around 3,982 degree-granting postsecondary institutions in the U.S. The U.S. Department of Education's Office of Postsecondary Education (OPE) maintains ONE of the accreditation databases and provides it as a public service (without warranty). That database could be published as a Verifiable Issuer List on a web page. If you run a Verifier that checks if someone has a university degree as a part of some business process, it would be helpful for you to consume an up to date list of those 3,982 issuers... presumably by reading that Verifiable Issuer List from a website. So, given that use case, your question can be construed as: "In what ways am I vulnerable if I ask this university registrar to issue a university degree to me?... or "In what ways am I vulnerable if I ask this employer to check to see if my university degree is valid?" -- see why I'm confused? The answer could be: "You're not?" to "You're always vulnerable in some way?". What the work is attempting to do is address 80% of the use cases, not be a 100% solution. It focuses just on the data model and verifiable credential, not on the surrounding ecossytem, or APIs, or any of the other higher order management/governance processes that make addressing "the problem" nearly intractable. The work focuses on ensuring that anyone can create and share these lists, you don't have to be special to do it. Anyone can use someone else's list, or combine lists for their own use. We tried to stay away from the word "trust" because it's over used, loaded, and tends toward meaninglessness. That I trust a particular list doesn't mean that you trust that same list. A trust in a list might wax and wane depending on who is maintaining that list over time. So, it's important that we don't put too much faith into these lists or suggest that they're infallible or there must be ONE list for any particular ecosystem. All that to say -- I'm afraid I've misinterpreted what you were saying and need you to be more concrete and blunt. :) -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/ Founder/CEO - Digital Bazaar, Inc. News: Digital Bazaar Announces New Case Studies (2021) https://www.digitalbazaar.com/
Received on Saturday, 17 December 2022 19:28:16 UTC