- From: Andrew Hughes <andrewhughes3000@gmail.com>
- Date: Sun, 18 Dec 2022 17:17:05 -0800
- To: Steve Capell <steve.capell@gmail.com>
- Cc: Mike Prorock <mprorock@mesur.io>, W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CAGJp9Ub6DDSxhpgk_K2boN7EoSZWg0uGXGavZXXtZ6Pw6PDYHg@mail.gmail.com>

Take a look at the Introduction and Scope text of the main document.

SP 800-63 is about how a federal government organization can attain confidence in a person’s actual identity and then how to gain confidence that a returning user is the same user previously enrolled.

It’s not about centralized or decentralized models.

On Fri, Dec 16, 2022 at 9:30 AM Steve Capell <steve.capell@gmail.com> wrote:

> Reading the table of contents you’d be forgiven for thinking that NIST
> have totally forgotten to include decentralised identity models
>
> Digging further into the document you can see in fig 1 page 12 there’s a
> diagram that has a bit of a flavour of decentralised models with the
> “credential service provider” (issuer?) that does “identity origins and
> enrolment” (issue Vc?) to an “applicant” (vc subject?) who then becomes a
> “subscriber” (to what?). The “subscriber” then “authenticates” (presents
> vp?) to a “relying party” (verifier?) and gets redirected to a “verifier”
> (another verifier?) to become a “claimant” and then can continue identified
> and authenticated interactions with a relying party. All three roles of
> “relying party”, “verifier”, “credential service provider” are wrapped in
> one box called “service provider functions”
>
> The diagram title is “non federated digital
> Identity model”. Don’t see anything in there about subject self issued
> identifiers (dids).
>
> It looks like an attempt to include half the ideas of a proper
> decentralised identity architecture and stuff them into a slightly tweaked
> version of the federated identity model (ie a “federation” of centralised
> idps) that we all know and “love” ;)
>
> I don’t understand the intent of fearing up this hybrid that is neither
> decentralised or centralised and labelling it “non-federated”? Why do
> that? Why not fully recognise the reality of decentralised models, name it
> appropriately, draw it correctly, and include one of the most foundational
> ideas (the did)?
>
> I think somebody with some clout (Anil?) should suggest some corrections
> to NIST
>
> Steven Capell
> Mob: 0410 437854
>
> On 17 Dec 2022, at 3:17 am, Mike Prorock <mprorock@mesur.io> wrote:
>
> CCG,
> I would love to collect thoughtful feedback and review comments from
> members of the community on the following:
> https://csrc.nist.gov/publications/detail/sp/800-63/4/draft
>
> There are some strong implications in this doc, and it may set the stage
> for many years to come, so we should all take some time to review
> carefully, and comment in a professional, proactive, and positive way on
> areas we are individually subject matter experts in. I would love feedback
> on the list as well for myself and the other Co-chairs as we review in
> depth additionally for any items that are highly positive in the draft(s)
> or areas of concern that could be refined to avoid future issues.
>
> thanks in advance!
>
> Mike Prorock
> CTO, Founder
> https://mesur.io/

--
Andrew Hughes CISM CISSP
In Turn Information Management Consulting
o +1 650.209.7542
m +1 250.888.9474
5043 Del Monte Ave, Victoria, BC V8Y 1W9
AndrewHughes3000@gmail.com
https://www.linkedin.com/in/andrew-hughes-682058a
Digital Identity | International Standards | Information Security

Received on Monday, 19 December 2022 01:17:28 UTC