
Re: [GNAP] Human rights perspective on W3C and IETF protocol interaction

From: Mark Lizar <mark@openconsent.com>
Date: Thu, 6 Jan 2022 14:03:12 +0000
To: Justin Richer <jricher@mit.edu>
CC: Orie Steele <orie@transmute.industries>, Alan Karp <alanhkarp@gmail.com>, Bob Wyman <bob@wyman.us>, Adrian Gropper <agropper@healthurl.com>, GNAP Mailing List <txauth@ietf.org>, W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <12ADDD1D-FE53-41E9-A804-E6E1B7FA438C@openconsent.com>
Hi List,

I have been mostly a lurker on this list as the majority of technical discussion doesn’t include ethics, human rights etc.

To this end, we are working on the next evolution of a project to Open Privacy Notice and subsequently consent with specifications based on international ISO/IEC standards @ Kantara in the follow on from the Consent and Information Sharing WG, called ANCR WG.

It is a project for human-centric transparency, control and rights access, or in short computational privacy law, utilizing these standards for creating Proof of Notice (records), for evidence of Consent (receipts), and we have an implementation with a rights Notary, and Controller State Change Ledger (not blockchain).

In this regard, receipts are easily tokens, signed by a rights Notary (GNAP end point), and can automatically be provided from a data subject client to a Controller, processor or the like. A service architecture which aims to provide the capacity for micro-credentials to be used, and to enable strong independent authorization and autonomous rights access. AKA, access to rights and data governance independent of the service provider and technology. (Not dependent on it.) I see GNAP enabling in this architecture what we refer to as decentralized data governance, using public rules/privacy law (which this architecture can implement with standards).

Perhaps, rather than a human rights section, there would be a human rights case study / example, to coincide with security considerations? (A case study that is inclusive and not only the engineering geeks.)

Kind Regards,


On Jan 6, 2022, at 8:46 AM, Justin Richer <jricher@mit.edu> wrote:

This is really the crux of the argument — the technology is never going to outweigh the trust and policy side of things. You could have a completely internet-wide fully-distributed system, like OpenID 2.0, and people would still make allowlists and blocklists to limit which sites they accept login from. The same thing already happens with DIDs — implementors are limiting to specific methods and resolvers, which immediately slices the “global distributed” network up into silos. This will always happen. The best thing that we can do is build a technology that makes it easier to connect and work on policies, regulations, and environments that encourage those interconnections to happen. It takes both the capability and the will to do so, and technologies all too often focus on the former.

This is at the heart of what Adrian is talking about, in my interpretation: we need to make sure that the technological choices we are making :enable: the policy and trust decisions to be good ones. This is what the human rights considerations work in IETF is trying to accomplish, to make sure that technologies being developed are considered in that light, in the same way that the security and privacy considerations have done in the past. I applaud and welcome this, even though it means more work for me as a specification author.

Received on Thursday, 6 January 2022 14:06:32 UTC
