- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sat, 17 Dec 2022 14:53:07 -0500
- To: Steve Capell <steve.capell@gmail.com>
- Cc: W3C Credentials CG <public-credentials@w3.org>
On Fri, Dec 16, 2022 at 5:53 PM Steve Capell <steve.capell@gmail.com> wrote:
> The thing that worries me in reading your proposal is the use of words like “list of trusted issuers”. We will be addressing this problem not with lists but with chained credentials where the verifier follows the chain until it reaches a trust anchor that they can trust.

Yes, I'm familiar with the approach. That's one way to address the issue.

In an attempt to learn by suggesting something that might very well be wrong: Chained credentials mirror the worst parts of the centralized and hierarchical certificate authority system that we have today, are more complex to verify than using one or more lists, force an unnatural binary security approach when modern systems have long since moved to a "signals-based security" approach, and are thus over-engineered solutions at best.

How's that for a controversial statement!? :P

> That’s because the lists are too big and fast changing

Define "too big" and "fast changing". Do you mean tens of thousands of issuers, or millions? Do you expect changes every week, day, hour, or on the order of milliseconds?

> and are themselves sensitive.

Verifiable Issuer Lists (as an example) don't require that they be shared publicly -- they can have access controls around them OR you can just deliver them like any other VC during a private transaction.

> With 1000’s of certifiers working across 1000’s of specific standard criteria, the list in advance option runs into millions and changes hourly.

Your list is then several thousand long... hardly difficult for a modern smart watch to process? Even a list with a million entries that changes hourly isn't difficult for low power cloud servers to process these days... but, let's take a step back, why do you think that all products and all certifiers are going to go into a single list?

> Much better if the national accreditation authority issues a VC to a certifier (ie the conformity testing body) that said “we accredit you to test and certify against standards a, b, and c”.

Ok, I challenge your "Much better if" -- why do you say that? Why is it better? Why doesn't the national accreditation authority just share a list of issuers that are accredited to test and certify against standards a, b, and c? Then a verifier would just check any certification against that list?

In addition, you don't have to have ONE list, you can have many lists that can be aggregated by a verifier. Why does that not scale?

> So Manu - will your new work item be willing to consider standardised solutions for semantic matching of criteria across chained credentials ? If so then I’d LOVE to participate - and do whatever W3C membership stuff is necessary

To be clear, I'm not going to be leading this work item (too much on my plate already). I was just a part of the group that came together from a variety of different markets that was trying to tackle this problem, the paper provides more background on all of the existing initiatives we analyzed before we made a first attempt at a common set of use cases, requirements, and data model:

https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/draft-documents/verifiable-issuer-verifier-lists/verifiable-issuer-verifier-lists.pdf

To answer your question, "standardized solutions for semantic matching of criteria across credentials" is in scope. The "chained" bits are a bit more of a topic of discussion -- we should eliminate that if we can, one viewpoint right now is that it adds complexity where none is needed.

No "W3C Membership stuff" would be necessary to participate given that this is a CCG work item.

I'll also note that much of what you might be interested in may already be happening in the Traceability work item (and I expect they'll have some input into this work item, if there is interest).

Interested in your thoughts on the above, especially on being convinced that hierarchical chaining is necessary.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Saturday, 17 December 2022 19:53:56 UTC