W3C home > Mailing lists > Public > public-credentials@w3.org > November 2022

Re: Saying yes to making @context optional

From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Date: Mon, 28 Nov 2022 08:30:48 -0800
Message-ID: <CACrqygDGspRF7gEe67T+Py0Ft5Pmv+emgwgcPR=Tp_Qq6CcTaw@mail.gmail.com>
To: Nis Jespersen <nis.jespersen@gmail.com>
Cc: Anders Rundgren <anders.rundgren.net@gmail.com>, "Michael Herman (Trusted Digital Web)" <mwherman@parallelspace.net>, "public-credentials (public-credentials@w3.org)" <public-credentials@w3.org>, steve capell <steve.capell@gmail.com>
I’m not against schema & vocabularies. But I believe they can be form of
“layer violation” when they are used for cryptographic verification.
Validation of a data set against a schema is a semantic & business process
operation, not a cryptographic one. They should be separate.

If your business processes require distinction between two different
variant predicates, the business process can require a context (though I
personally prefer labeled property graphs). But that validation  should
happen separately from the cryptographic verification.

This “layer” separation between business process validation vs
cryptographic verification is important for other reasons. With Envelopes
the holder may not give you all the data, it may be elided (either through
redaction or by inclusion of an encrypted object as a form of escrow, or
refer to an external object by reference). Once that data is
cryptographically verified, you still have to do the business process to
determine that they give you sufficient information (non-elided) for your
risk profile, or request more non-elided data to be sent.

This is essential for progressive trust. In progressive trust architectures
you can’t assume that you can get everything you need to know in one data
object. Trust is not cryptographic verification!

 If we are to serve privacy, mandates that cryptographic verification
solves all problems with a single data object that results in a binary
true/false answer will fail us. Business processes must validate against
risk profiles. The results are more gray, not black & white.

Verification ≠ Validation ≠ Trust

— Christopher Allen
Received on Monday, 28 November 2022 16:31:19 UTC

This archive was generated by hypermail 2.4.0 : Monday, 28 November 2022 16:31:20 UTC