
RE: Web3 First Impressions by Moxie Marlinspike (was: Re: Ideals meet Implementations - Blockchains, NFTs, Decentralization, Oh My!)

From: <steve.e.magennis@gmail.com>
Date: Thu, 27 Jan 2022 11:12:09 -0800
To: "'Joe Andrieu'" <joe@legreq.com>, "'Credentials Community Group'" <public-credentials@w3.org>
Message-ID: <012901d813b1$c88729b0$59957d10$@gmail.com>
Buried in the second paragraph from the end but the clarity and precision of the statement: “It is unchecked power that leads to untenable and avoidable harm.” really resonated with me. A colleague of mine once said something to the effect that given the appropriate context, people will kill one another with forks but that doesn’t mean that forks were poorly designed (sporks notwithstanding). It is tempting, and I think a good thing that we endeavor to solve problems that are fundamentally problems with humanity by developing solutions that are based in technology. I think the real strength though as Joe states is in the ability of technology to help keep power in-check, or perhaps put another way to say that technology has the ability to help keep power ‘more appropriately balanced’ rather than the ability to ‘solve’ problems rooted in the shortcomings of humanity. 




From: Joe Andrieu <joe@legreq.com> 
Sent: Thursday, January 27, 2022 9:57 AM
To: Credentials Community Group <public-credentials@w3.org>
Subject: Re: Web3 First Impressions by Moxie Marlinspike (was: Re: Ideals meet Implementations - Blockchains, NFTs, Decentralization, Oh My!)


There are two huge misconceptions going on here, which are understandable, but make it harder for us to develop a shared understanding of both the problems and opportunities of this emerging technology.


I'll tackle the easier one first:


The fundamental difference between VCs and NFTs is that NFTs are designed for transferability, with protections against double spend. VCs are not. The root model of a VC is that it is a verifiable statement by a cryptographically deterministic author. It is not guaranteed to be unique nor is it expected to be transferable in any meaningful way. Trust me, I'm one of the editors of the use case document for that specification https://www.w3.org/TR/vc-use-cases/. Driver's licenses, diplomas, passports, certifications. These things are statements by a knowable authority about a specific subject. There is no notion of transferability of any of the rights or privileges associated with those statements. As digital objects, of course they can be copied and sent to someone else, but it doesn't transfer the statement to a new subject or anything like that. In fact, Verifiable Presentations were created as a mechanism to verify that the current presenter of a VC (called a Holder), has a specific relationship to the Subject of the VC, especially when Subject = Holder, e.g., when you present your own Driver's License to a police officer. That's all VCs do: enable verifiable statements by a knowable author.


NFTs on the other hand are rivalrous digital goods. Period. They are unique and they have specific control structures that ensure a certain form of assurance about the current presumed owner. The transferability of control without fraudulent double spend is EVERYTHING to an NFT, just as it is to cryptocurrencies. Unlike other digital objects, merely copying the bits DOES NOT transfer the essential notion of control & ownership. The current fad of collectible NFTs is just the first grasps of a toddler trying to figure out how this fundamentally new thing works.


VCs and NFTs are only similar in the sense that they both use cryptography to ensure specific notions of integrity. VC's ensure authenticity and timeliness. NFTs ensure transferability and provable control.


My second issue is much deeper and more important.


Moxie Marlinspike's fundamental observation is correct, but their conclusion is wrong. They assert that people don't want to run their own servers and THEREFORE systems that focus on the ability for people to run their own servers are fundamentally flawed. This is as dangerously unfounded as Mussolini's moral foundation of fascism: without power, policy doesn't matter and groups are more powerful than individuals, THEREFORE, individuals only have moral authority insofar as their actions align with the group, which in his case meant the state. Moxie's conclusions are equally as dangerous.


I agree that people don't want to run their own server. I recently went through the trouble to host my own server in my house, with dynamic DNS and upgrading to a commercial plan (so I didn't get nastygrams from my ISP threatening cancellation). I am not a system administrator, but as a programmer, I figured it out. And it put me on the front-line of maintaining those systems, which turned out to be far more trouble than it was worth. We've since shifted all our servers to trusted service providers who handle that for me. It's totally worth the modest monthly fee. So, yes, I agree, people don't want to run their own servers.


HOWEVER, it is the *option* to run our own servers that is fundamentally important here. The fact that I *could* do that meant that I can also change my service provider at any time. I just need a compatible platform and as a Linux fan, there are plenty to choose from. When I don't have that option, we become beholden to the dominant, centralized service providers. This is the problem with Facebook. It *used* to be the problem with AOL and Compuserve, which was fixed with the World Wide Web's http and html standards. It was the problem with MCIMail and ATTMail, which was fixed by SMTP, POP, and IMAP. In both cases, the very POSSIBILITY of self-hosting meant that those who wanted to make that investment would--and many large organizations LOVE their on-premise IT centers. It also meant that a plethora of alternatives could be offered by different service providers. That ready availability of email and web hosting services has dramatically democratized our digital infrastructure.


We have seen this structural denial of ownership before and it is unacceptable in a free society. It wasn't until the 1970s that women had the legal right to apply for credit cards separate from their husbands. In eras before that, women couldn't even own property, making them fundamentally, structurally dependent on their fathers and husbands. The feminist movement brought a stop to that oppression (and still has work ahead). Serfs and commoners of the feudal era could not own real property, based on nothing more than their lineage. The Enlightenment brought an end to that system of non-ownership. Pre-civil war, slaves in America could not own property. Post civil war, sharecroppers (often former slaves) were denied the ability to own their own land and instead became veritable serfs: slaves in all but name. Not to mention the actual It was also the foundation of the HUD-directed segregation policy in the United States that created red-line districts so that minorities were structurally unable to buy property in neighborhoods declared for "white people". The Civil Rights movement continues the hard work of reversing this systemic ingrained tyranny. The denial of ownership is, and always has been, a fundamental tool of oppression and exclusion. It doesn't matter that most people in big cities rent rather than own, what matters is that ANYONE *can* own and they can own ANYWHERE in the United States. That's freedom. Anything less than that is structural tyranny.


I am willing to give Moxie the benefit of the doubt. I have no reason to believe they are intentionally propagating fundamentally fascist ideas or that they have some hidden fascist agenda. They seem smart and their argument is well presented without a call to fearmongering and hate. Nevertheless, the net result of their position is, undeniably, fascist. The ability to run your own server is, IMO, a fundamental right in a free society.


The real lesson to be learned is that power accumulates power and power's corruption is as inevitable as entropy's increase. The absolute, inevitable drive of any organization or initiative is toward self-preservation, which manifests as the will to power. Of course people will attempt to use this next generation technology to increase and thereby centralize their power. That is inevitable. And THAT is what we need to engage to resist. It isn't that Web3 is flawed, it's that we must remain eternally vigilant against the centralization of power because that, in and of itself, WILL lead to abuses of that power and a loss of freedom and compromise of human dignity.


This will to power, whether organizational or individual, is not evil, in and of itself. It is unchecked power that leads to untenable and avoidable harm. This is PRECISELY what the American founding fathers set out to do with a tripartite government with checks and balances. It's not perfect, but it was perhaps the best, most successful attempt to moderate the unchecked accumulation of power. In short, the very notion of freedom that shaped the United States is anchored on the ability to rein in runaway centralization.


So, while modern cryptography in the hands of individuals will be at least as transformative as modern transportation in the hands of individuals, we are still figuring out what that means. As part of that exploration, it pays to understand how groups like OpenSea centralize power in unfortunate ways so that we can iterate and find better solutions. We must find new expressions of individual and social will that enable and increase human freedom and dignity, rather than simply watch early movers crown themselves as the feudal lords of this uncharted territory.




On Thu, Jan 27, 2022, at 4:19 AM, Simone Ravaioli wrote:

Exactly !


This brief thread already produced substantial value and elevated the conversation. Thx Bob, Christopher, Adrian, Alan et al.!


- How might we feed this back in the emergent, “adjacent possible” credentialing conversation ?  

- What responsibility - agency, ownership, control, stake - should CCG take with regards to "NFT credentials” ?

- Do we feel any sense of fostering/parenting with regards to  this “toddler" making noises and bouncing at the door ?  

- Is there an opportunity for this community to find additional (alternative) avenues to participate and shape the future of the internet of credentials ?

- How might we best organise to address this ?  


IMHO, the CCG voice is needed more than ever in that #rabbithole.  


The discourse online is quickly reaching “escape velocity”: 


- Imagine DAO replacing standards bodies like DIF and W3C <https://twitter.com/sgershuni/status/1486654386537381893?s=20> 

- How can Verifiable Credentials be used to help DAOs ? <https://twitter.com/sgershuni/status/1486654386537381893?s=20> 

- Individual community members are increasingly taking a public interest and open enquiry approach into Web3 <https://www.linkedin.com/posts/aniljohn_my-first-impressions-of-web3-activity-6888942553350078464-vn63> 


While not fully Autonomous, CCG is already a Distributed Organization. The caliber of the individual contributions to CCG is unparalleled in this domain, however I would argue that value is not adequately recognised - “karma tokens” have already been coined by Reddit (ie.  We all do this pro-bono).  Is there something we should not be afraid to reflect on although it may feel dystopian ?


Our community is made of seasoned experts, most of us lived across the 3 generations of the Internet. How do we think about the future of CCG from a human resource perspective? It feels there is increasing energy and excitement out there in regards to credentials (of all sorts) coming from the next generation of humans, likely the next leaders of CCG.


These emerging communities share many of those “first principles” we ascribe to: openness, self-sovereignty, decentralisation. In fact, they are stretching (if not re-rewriting) how those principles are acted out. It feels like this might be an opportunity to double click on “open” and not only welcome, but actively invite those new rough ideas, criticise them to make them better, not to shut them off.


If adoption is the ultimate outcome of standards making, then we should strive to be as attentive and responsive to what is happening “out there”.  




— Simone Ravaioli



On 27 Jan 2022, at 00:05, Alan Karp <alanhkarp@gmail.com> wrote:


I don't see the word "Subject" in the discussion. I thought that an Issuer creates a VC identifying a Subject, which may or may not be the same as the Holder, the party that knows the private key associated with presenting the VC to a Verifier.



Alan Karp



On Wed, Jan 26, 2022 at 2:34 PM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:



On Wed, Jan 26, 2022 at 12:29 PM Bob Wyman <bob@wyman.us> wrote:

*	Why have you listed VCs as not generating "Value due to scarcity?" Given the essentially unlimited variety of claims that could be incorporated into a VC, it seems to me that one could craft a VC which has semantic content equivalent to any NFT. (i.e. A VC that identifies the "ownership" of some specific object.) The limited issuance of such VCs would create a "scarce" resource in just the same way that issuance of an NFT does.
*	Why do you say that a VC is not "transferable?" Rights that are recorded in a VC could either be delegated, in whole or in part, or the "ownership" of the VC itself might be transferred by the issuance of a new VC recording the delegation or transfer. How is this different from an NFT?


*	Why do you say that a VC only proves the "identity of an entity" but not "ownership of an object?" I can issue a VC to identify the existence (identity) of some right (e.g. the ownership of, or limited right to use, an object) and then issue another VC to associate that VC with some identified individual. While the VC-based mechanics are a bit different from what is typical with NFTs, how is the net effect different from that provided by issuing an NFT?

When I read this, I realize that once again, our language around the use of "owner" is entirely wrong. We've in the past tried to do better and avoid any of the words associated with property rights idea of "ownership" in DIDs and VCs, but it keeps cropping back in. (An aside: "control" is better but not perfect. I've also been seeking language from the "law of agency" such as authority. Not so far limited success in coming up with something better).


Part of the problem is that there is a natural centrality in the controller of a DID, and for the issuer of a VC. This natural centrality isn't "ownership", but sometimes acts like it. Similarly, there is the problem that multiple parties may have unrestricted read-access (no encryption or DRM), but are restricted in their ability to fully verify the VC by some other party. Though this is not part of the definition of "holder", I feel that a holder a) has to have a readable version of the VC, and b) can fully verify it, else they are not truly a "holder". They also are not an owner, instead have limited control or authority.


Another part of the problem when comparing NFTs to VCs is that the role of the issuer in an NFT is very limited, or none at all (typically only a royalty on future sales), once the transfer is complete. Whereas an issuer of a VC can always revoke a VC, refuse to reissue one on expiration, and issue a new one possibly even to a new cryptographic party so it resembles a "transfer" but isn't. As far as I know, there is no way to "transfer" the issuer's role in a VC — they either issued it, didn't issue it, or there is a problem. Thus NFT isn't quite comparable to a VC, as in effect the issuer has no (or limited) control or authority over its future use. Note also that I don't know of any NFT that is revocable or expires.


-- Christopher Allen




Joe Andrieu, PMP, joe@legreq.com

LEGENDARY REQUIREMENTS, +1(805)705-8651

Do what matters. http://legreq.com <http://www.legendaryrequirements.com>


Received on Thursday, 27 January 2022 19:12:27 UTC
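
The VC/NFT distinction discussed in the thread, as an example added to this archive page (not code from any participant or from a VC or NFT implementation): a copied credential still verifies only for its original subject, while a token's control lives in ledger state. The helper names, the `ToyLedger` class, the claim text and the challenge strings are all constructed for illustration.

```javascript
// Added illustration: toy model only; names, claim text and ledger are constructed.
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
const pem = (k) => k.publicKey.export({ type: 'spki', format: 'pem' });
const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sign = (k, obj) => crypto.sign(null, bytes(obj), k.privateKey).toString('base64');
const verify = (pubPem, obj, sig) =>
  crypto.verify(null, bytes(obj), crypto.createPublicKey(pubPem), Buffer.from(sig, 'base64'));

// VC: a statement about a subject, signed by a knowable issuer.
function issueCredential(issuer, subject, claim) {
  const statement = { issuer: pem(issuer), subject: pem(subject), claim };
  return { statement, proof: sign(issuer, statement) };
}

// Verifier checks the issuer's signature, then that the presenter controls
// the subject key (the Subject = Holder case) by signing a fresh challenge.
function verifyPresentation(trustedIssuerPem, vc, challenge, presenterSig) {
  if (vc.statement.issuer !== trustedIssuerPem) return 'untrusted issuer';
  if (!verify(trustedIssuerPem, vc.statement, vc.proof)) return 'bad issuer signature';
  if (!verify(vc.statement.subject, { challenge }, presenterSig)) return 'presenter is not the subject';
  return 'ok';
}

// NFT: control lives in shared ledger state, not in the bits of the token.
class ToyLedger {
  constructor() { this.tokens = new Map(); }
  mint(id, owner) { this.tokens.set(id, { owner: pem(owner), seq: 0 }); }
  transfer(id, toPem, sig) {
    const t = this.tokens.get(id);
    if (!t) return 'unknown token';
    // The order binds token, recipient and sequence number, so old orders cannot be replayed.
    if (!verify(t.owner, { id, to: toPem, seq: t.seq }, sig)) return 'not signed by current owner';
    this.tokens.set(id, { owner: toPem, seq: t.seq + 1 });
    return 'ok';
  }
}

function demo() {
  const [issuer, alice, bob, carol] = [newKey(), newKey(), newKey(), newKey()];
  const vc = issueCredential(issuer, alice, 'licensed driver');
  const copy = JSON.parse(JSON.stringify(vc)); // Bob obtains a bit-for-bit copy
  const ledger = new ToyLedger();
  ledger.mint('token-1', alice);
  return {
    aliceShowsVc: verifyPresentation(pem(issuer), vc, 'n1', sign(alice, { challenge: 'n1' })),
    bobShowsCopy: verifyPresentation(pem(issuer), copy, 'n2', sign(bob, { challenge: 'n2' })),
    aliceToBob: ledger.transfer('token-1', pem(bob), sign(alice, { id: 'token-1', to: pem(bob), seq: 0 })),
    aliceToCarol: ledger.transfer('token-1', pem(carol), sign(alice, { id: 'token-1', to: pem(carol), seq: 1 })),
  };
}
```

Calling `demo()` returns the four outcomes: the copied credential is rejected for a presenter who is not the subject, and the former owner's second transfer is rejected by the ledger.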
