Re: [PROPOSED WORK ITEM] Verifiable Issuers and Verifiers

On Fri, Dec 16, 2022 at 5:53 PM Steve Capell <> wrote:
> The thing that worries me in reading your proposal is the use of words like “list of trusted issuers”.  We will be addressing this problem not with lists but with chained credentials where the verifier follows the chain until it reaches a trust anchor that they can trust.

Yes, I'm familiar with the approach. That's one way to address the issue.

In an attempt to learn by suggesting something that might very well be
wrong: Chained credentials mirror the worst parts of the centralized
and hierarchical certificate authority system that we have today, are
more complex to verify than using one or more lists, force an
unnatural binary security approach when modern systems have long since
moved to a "signals-based security" approach, and are thus
over-engineered solutions at best. How's that for a controversial
statement!? :P

> That’s because the lists are too big and fast changing

Define "too big" and "fast changing". Do you mean tens of thousands of
issuers, or millions? Do you expect changes every week, day, hour, or
on the order of milliseconds?

> and are themselves sensitive.

Verifiable Issuer Lists (as an example) don't require that they be
shared publicly -- they can have access controls around them OR you
can just deliver them like any other VC during a private transaction.

> With 1000’s of certifiers working across 1000’s of specific standard criteria, the list in advance option runs into millions and changes hourly.

Your list is then several thousand long... hardly difficult for a
modern smart watch to process? Even a list with a million entries that
changes hourly isn't difficult for low power cloud servers to process
these days... but, let's take a step back, why do you think that all
products and all certifiers are going to go into a single list?

> Much better if the national accreditation authority issues a VC to a certifier (ie the conformity testing body) that said “we accredit you to test and certify against standards a, b, and c”.

Ok, I challenge your "Much better if" -- why do you say that? Why is
it better? Why doesn't the national accreditation authority just share
a list of issuers that are accredited to test and certify against
standards a, b, and c? Then a verifier would just check any
certification against that list? In addition, you don't have to have
ONE list, you can have many lists that can be aggregated by a
verifier. Why does that not scale?

> So Manu - will your new work item be willing to consider standardised solutions for semantic matching of criteria across chained credentials ? If so then I’d LOVE to participate - and do whatever W3C membership stuff is necessary

To be clear, I'm not going to be leading this work item (too much on
my plate already). I was just a part of the group that came together
from a variety of different markets that was trying to tackle this
problem, the paper provides more background on all of the existing
initiatives we analyzed before we made a first attempt at a common set
of use cases, requirements, and data model:

To answer your question, "standardized solutions for semantic matching
of criteria across credentials" is in scope. The "chained" bits are a
bit more of a topic of discussion -- we should eliminate that if we
can, one viewpoint right now is that it adds complexity where none is

No "W3C Membership stuff" would be necessary to participate given that
this is a CCG work item. I'll also note that much of what you might be
interested in may already be happening in the Traceability work item
(and I expect they'll have some input into this work item, if there is

Interested in your thoughts on the above, especially on being
convinced that hierarchical chaining  is necessary.

-- manu

Manu Sporny -
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)

Received on Saturday, 17 December 2022 19:53:56 UTC