W3C home > Mailing lists > Public > public-credentials@w3.org > January 2022

Re: Ideals meet Implementations - Blockchains, NFTs, Decentralization, Oh My!

From: Adrian Gropper <agropper@healthurl.com>
Date: Thu, 20 Jan 2022 17:23:16 -0500
Message-ID: <CANYRo8jxxz57t6Q==FNZ1PPi8ZEVBwDPQFuco8eA6WX0xCzJAA@mail.gmail.com>
To: Kyle Den Hartog <kyle.denhartog@mattr.global>
Cc: W3C Credentials Community Group <public-credentials@w3.org>
Thanks, Kyle, for your thoughtful perspective.

My hope was / is that GNAP could form the bridge to "champion the other
side of the work". GNAP as a technical foundation for protocols involving
VCs and DIDs could shift the "legal" or regulatory discussions out of CCG.
The problem, as I understand it, is that adopting GNAP as a MUST in VC-API
and a few other protocols such as Confidential Storage, would invalidate a
lot of implementers' pre-standards work.

- Adrian

On Thu, Jan 20, 2022 at 4:19 PM Kyle Den Hartog <kyle.denhartog@mattr.global>

> I think it's worth pointing out that in a technical sense delegation is
> not that tricky of a problem, since it's mainly focused on establishing
> patterns of usage in either the DID or VC layer and evaluating the
> different tradeoffs that come with the chosen patterns. However, I don't
> believe enough of us haven't had time or business cases that have driven
> the priority for us to standardize a solution for this problem quite yet.
> That's not to say we haven't thought about the issue or started to explore
> it. I know many people in the ToIP ecosystem have, there's some brief
> mention of capabilities mentioned in the VC spec already, and there's
> aspects of consideration that I know have been brought up in the past based
> on credential transferability and whether it should be acceptable or not.
> With this in mind, I think Moxie's original points are very important to
> us. They're not outside the realm of possibility for us to extend the VC or
> DID Core data model to make our work aligned with his description and
> potentially standardize on the designs in future working groups. The two
> key methods I see being usable here are either via the addition of
> non-controller based verification methods for the did document or via some
> method of transferring of credentials between holders. My thinking is that
> the VC credential transfer method is probably the better option because it
> serves the purpose of credential portability and multi-device flows. The
> downside is that this could run up against the requirements that come from
> subject authenticity and needing to understand acceptable usages of
> transfer and unacceptable usages.In any case, I think we're well positioned
> to address these concerns if we choose to focus on enabling transparent
> portability in a way that avoids confused deputy issues, balances the
> desires of the user (as Moxie points out not wanting to run their own
> server which implies the need of custodial services), and takes a balanced
> and measured approach to get there that will apply broadly to many
> different use cases and deployment patterns.
> Furthermore, by combining these aspects with other legal approaches like
> terms of services and other methods I believe we're slowly on track to
> aligning with the human rights described by Adrian.  Unfortunately, I only
> have the knowledge to contribute on the technical levels. I assume many
> others in this forum are likely caught in the same boat with a few people
> here able to champion the other side of the work. However, It may be that
> there's too few of people here who do have that level of legal expertise to
> keep that moving forward here and so those discussions need to be had else
> where. I'm not certain but what I can say is that for the technical aspects
> we are heading in the right direction (even if it takes longer than
> expected) to align with Moxie's thinking to set up the technical rails for
> broader decentralization of systems.
> -Kyle
> ------------------------------
> *From:* Adrian Gropper <agropper@healthurl.com>
> *Sent:* Friday, January 21, 2022 7:17 AM
> *To:* W3C Credentials Community Group <public-credentials@w3.org>
> *Subject:* Re: Ideals meet Implementations - Blockchains, NFTs,
> Decentralization, Oh My!
> EXTERNAL EMAIL: This email originated outside of our organisation. Do not
> click links or open attachments unless you recognise the sender and know
> the content is safe.
> Manu, thank you for the blunt response and your focused suggestion. I also
> thank Anil and the others that have contributed to this thread.
> I hear you and I will keep my CCG comments to this thread as I try to find
> a co-lead and write something as Manu is suggesting. I will work hard to
> avoid introducing this issue into other discussions on CCG. In VC-API, I
> will stick with the authorization/delegation related Issues and avoid
> discussing human rights or burdens except in the context of specific
> issues.
> This thread is specific to the broad decentralization issues raised by
> https://moxie.org/2022/01/07/web3-first-impressions.html so I hope it
> continues to the extent any of the 450+ people in CCG find it useful.
> In an attempt to name and scope a CCG Work Item, I would point to two
> relevant calls today. ToIP discussed the relationship between KERI (and
> did:peer) as it relates to DIDComm. The notes are superb:
> https://wiki.trustoverip.org/display/HOME/2022-01-20+TATF+Meeting+Notes My
> takeaway, as it relates to this thread, is that the reputation associated
> with an identifier needs to be handled at a different layer from the
> messaging associated with the identifier. Although the meeting ended
> without a conclusion, I urge everyone in CCG to listen or at least read the
> notes whether you have a direct interest in ToIP or not. That is
> particularly important for Anil and others that hope to regulate the
> interaction between non-repudiable (as in, for example, biometric)
> identities and pseudonymous identifiers as they are used in CCG-related
> protocols.
> The other relevant call today was a GNAP interim meeting where Dmitri
> Zagidulin presented on the applicability of the GNAP interaction model to
> https://docs.google.com/presentation/d/1fCUvUHo_x34rHfjvd4YSMcnuSqM-94V-ds_V7Lyc-Sc/edit#slide=id.p
> The minutes will be posted here
> https://datatracker.ietf.org/wg/gnap/meetings/ This conversation is
> exactly what I have been hoping for, as it makes explicit support for
> delegation of access to a VC and the  privacy considerations for requests
> that might include a VC and/or result in access to a VC.
> So, this reply is not yet a formal work item proposal but if anyone thinks
> there's a relationship between Moxie's delegation to servers perspective,
> KERI's clarification of reputation relative to messaging, and the way GNAP
> handles requests to an authorization server, then we're making progress.
> And yes, I do apologize to all for my circuitous path on the way to being
> able to reference specific technical concerns that are hopefully relevant
> to CCG.
> Adrian
> On Thu, Jan 20, 2022 at 10:54 AM Manu Sporny <msporny@digitalbazaar.com>
> wrote:
> Adrian, I'm going to try and speak directly below. It might come off as
> rude,
> but that's not my intent.
> The responses to your questions on the mailing list from others have gone
> out
> of their way to be polite in their framing. Since I've worked with you for
> going on five years now, having met you in person and shared a number of
> nice
> meals and conversation, I'm going to take the approach of being politely
> blunt. There was a time where your input was helpful, but it has
> degenerated
> into commentary that is largely unhelpful over the past year or so. You
> have
> been harming your cause by continuing to engage in the way that you are and
> people are starting to increasingly ignore your input.
> I'm saying this because I respect your time and the time of everyone else
> that
> is responding to you.
> On 1/18/22 9:50 PM, Adrian Gropper wrote:
> > CCG rules require two leads for the work item. Ideally, the two people
> > structuring the work item should both represent implementers and I could
> > continue to play my advisor role.
> Adrian, you need to step up and become ONE of the co-leads for the work
> item.
> You can't continue to insist that other people do the work that you want
> done.
> The best work items tend to have ONE technical lead and ONE non-technical
> lead. My suggestion to you is to find a technical lead to help you with the
> work item, while taking lead.
> > If there aren't two separate people in CCG that are concerned about the
> > burdens of standardized digital credentials and/or the relationship to
> > biometrics in DIDs and VCs, then pushing a work item seems pointless.
> There are 450+ people in this community group. You are not the only one
> that
> cares about the things that you do.
> This has been repeatedly stated to you, but it does not seem to be sinking
> in.
> There's a certain amount of social unawareness at play here that is
> frustrating to many of us, as well as you, I'm sure.
> I know others are deeply concerned about "the burdens of standardized
> digital
> credentials on those that hold them" and "the relationship to biometrics in
> DIDs and VCs". I know I am and I've spoken with others that have the same
> concerns, but your continued insistence that this is not a priority for
> everyone but you pushes people to not want to work with you. That you keep
> asking vague questions and citing passages in United Nations documents that
> have tenuous links to the vague questions you're asking are not helping
> make
> your case.
> A number of us have had one-on-one conversations w/ you and continue to
> try to
> guide your input in a positive direction. You have been reminded, multiple
> times, on calls to find a way to contribute in a way that is positive and
> at
> least to stop derailing conversations that have nothing to do with
> delegation
> or "digital slavery" or GNAP or biometrics or "digital burdens".
> Please step up, Adrian, and write something that you can get others on the
> mailing list to rally behind. Until you do that, your pleas for others to
> care
> as much about this stuff as you do will continue to result in nothing
> actionable and wasted effort on everyone's part, including yours.
> -- manu
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
Received on Thursday, 20 January 2022 22:23:42 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:28 UTC