Re: NIST Draft on Digital Identity from Andrew Hughes on 2022-12-19 (public-credentials@w3.org from December 2022)

From: Andrew Hughes <andrewhughes3000@gmail.com>
Date: Sun, 18 Dec 2022 17:51:05 -0800
To: Steve Capell <steve.capell@gmail.com>
Cc: Mike Prorock <mprorock@mesur.io>, W3C Credentials CG <public-credentials@w3.org>
Message-ID: <CAGJp9Ub46+SBb2e2WGdyFVvK7V+_JfxmNn0f=Uh9WcSegUjJrg@mail.gmail.com>
All of that is fine. But still in the bleeding edge category. 800-63 is
written for federal agencies to manage risk and ensure appropriate
safeguards.

On Sun, Dec 18, 2022 at 5:47 PM Steve Capell <steve.capell@gmail.com> wrote:

> Ok thank you Andrew
>
> With that specific scope, the criticisms are less valid
>
> However, even for that scope, isn’t there a valid pattern where a person
> has their own did in their own wallet and has some kind of identity
> credential (eg a drivers license) issued to that did - then this user
> provides a VP to a completely different (government or non government)
> party to create an account with identity integrity and then continue with
> the service.  Im not entirely sure the NIST document reflects that model?
>
> Steven Capell
> Mob: 0410 437854
>
> On 19 Dec 2022, at 12:17 pm, Andrew Hughes <andrewhughes3000@gmail.com>
> wrote:
>
> 
>
> Take a look at the Introduction and Scope text of the main document. SP
> 800-63 is about how a federal government organization can attain confidence
> in a person’s actual identity and then how to gain confidence that a
> returning user is the same user previously enrolled.
> It’s not about centralized or decentralized models.
>
> On Fri, Dec 16, 2022 at 9:30 AM Steve Capell <steve.capell@gmail.com>
> wrote:
>
>> Reading the table of contents you’d be forgiven for thinking that NIST
>> have totally forgotten to include decentralised identity models
>>
>> Digging further into the document you can see in fig 1 page 12 there’s a
>> diagram that has a bit of a flavour of decentralised models with the
>> “credential service provider” (issuer?) that does “identity origins and
>> enrolment” (issue Vc?) to an “applicant” (vc subject?) who then becomes a
>> “subscriber” (to what?).  The “subscriber” then “authenticates” (presents
>> vp?) to a “relying party” (verifier?) and gets redirected to a “verifier”
>> (another verifier?) to become a “claimant” and then can continue identified
>> and authenticated interactions with a relying party.  All three roles of
>> “relying party”, “verifier”, “credential service provider” are wrapped in
>> one box called “service provider functions”
>>
>> The diagram title is “non federated digital
>> Identity model”.  Don’t see anything in there about subject self issued
>> identifiers (dids).
>>
>> It looks like an attempt to include half the ideas of a proper
>> decentralised identity architecture and stuff them into a slightly tweaked
>> version of the federated identity model (ie a “federation” of centralised
>> idps) that we all know and “love” ;)
>>
>> I don’t understand the intent of fearing up this hybrid that is neither
>> decentralised or centralised  and labelling if “non-federated”?  Why do
>> that? Why not fully recognise the reality of decentralised models, name it
>> appropriately, draw it correctly, and include one of the most foundational
>> ideas (the did)?
>>
>> I think somebody with some clout (Anil?) should suggest some corrections
>> to NIST
>>
>> Steven Capell
>> Mob: 0410 437854
>>
>> On 17 Dec 2022, at 3:17 am, Mike Prorock <mprorock@mesur.io> wrote:
>>
>> 
>>
>> CCG,
>> I would love to collect thoughtful feedback and review comments from
>> members of the community on the the following:
>> https://csrc.nist.gov/publications/detail/sp/800-63/4/draft
>>
>> There are some strong implications in this doc, and it may set the stage
>> for many years to come, so we should all take some time to review
>> carefully, and comment in a professional, proactive, and positive way on
>> areas we are individually subject matter experts in.  I would love feedback
>> on the list as well for myself and the other Co-chairs as we review in
>> depth additionally for any items that are highly positive in the draft(s)
>> or areas of concern that could be refined to avoid future issues.
>>
>> thanks in advance!
>>
>> Mike Prorock
>> CTO, Founder
>> https://mesur.io/
>>
>> --
> Andrew Hughes CISM CISSP
> In Turn Information Management Consulting
> o  +1 650.209.7542 m +1 250.888.9474
> 5043 Del Monte Ave,,
> <https://www.google.com/maps/search/5043+Del+Monte+Ave,,+Victoria,+BC+V8Y+1W9?entry=gmail&source=g>
>  Victoria, BC V8Y 1W9
> <https://www.google.com/maps/search/5043+Del+Monte+Ave,,+Victoria,+BC+V8Y+1W9?entry=gmail&source=g>
> AndrewHughes3000@gmail.com
> https://www.linkedin.com/in/andrew-hughes-682058a
> Digital Identity | International Standards | Information Security
>
> --
Andrew Hughes CISM CISSP
In Turn Information Management Consulting
o  +1 650.209.7542 m +1 250.888.9474
5043 Del Monte Ave,, Victoria, BC V8Y 1W9
AndrewHughes3000@gmail.com
https://www.linkedin.com/in/andrew-hughes-682058a
Digital Identity | International Standards | Information Security
Received on Monday, 19 December 2022 01:51:28 UTC