Re: Lists of Verifiable Issuers and Verifiers

On Tue, Mar 7, 2023 at 7:22 PM Bob Wyman <bob@wyman.us> wrote:
> Also, a question: Would either, or both, of the entries and lists have "Time To Live (TTL)" values that indicated for how long these things should be trusted?

Since the list is expressed in a Verifiable Credential, it has a TTL,
specified via the `validFrom` and `validUntil` properties on the VC:

https://w3c-ccg.github.io/verifiable-issuers-verifiers/#verifiable-credential

Entries don't have TTLs yet, and I doubt we'd add them because doing
so doesn't add much value beyond the TTL of the list.

I'll note that the example, which is almost 8 months old now, needs to
be updated to get in line w/ the v2.0 VC Data Model specification and
use those properties in the example.

> It seems to me that use of a list having 10 members would present a very different set of issues than one that had 10's of millions of members.

It does present a different set of issues; it's a different class of
problem, and I'll hazard a proposition that we're not interested in
publishing lists with 10s of millions of members in them. If you want
to do that, you're probably in a different problem space (and this
spec isn't going to help you). I expect the lists start to lose value
after you get several thousand entries in them... however, most of the
use cases we're looking at right now don't go far above a few thousand
entries (in the most extreme cases).

I'll also note that much of this discussion is getting into governance
models and liability, which the specification is explicitly not going
to make any recommendations on... that's a third rail that we're
trying to stay away from. The issuers of these lists could be:

* An individual.
* Your close circle of friends.
* Your mortal enemy ("Oh, I definitely don't want to interact w/
anyone on THAT list!")
* A for-profit organization that you trust.
* A local or national government.
* A society of professionals.
* A trade organization.

We should also be very careful about using the word "trust", which
means different things to different people and changes based on
context. I personally think it's a really bad idea to refer to
anything in these lists as "trusted" or "trust registries" or "trust
lists". This came up multiple times during the creation of the paper,
and some people seem to not be able to help themselves in using that
term, which muddies the discussion.

Who or what you trust is a personal/organizational decision. An
individual/organization might trust one list, while another
individual/organization wouldn't trust that same list. So, calling it
a "trusted" anything always results in a: "Why should I trust YOUR
list?!" discussion (which tends to go around in circles).

These lists are meant to be decentralized in nature -- anyone can
publish them, anyone can consume them, the only authority they have is
the one the consumer of the list imbues onto them.

The specification is focused on just publishing/consuming lists of
issuers and verifiers. Anything extra you project onto those lists is
a delusion you share w/ the assurance community, and no one else. :P

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Wednesday, 8 March 2023 14:13:59 UTC
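As an added example, not code from the thread, the specification or Digital Bazaar: a consumer honouring the list-level TTL that the message above locates in the VC Data Model v2.0 `validFrom`/`validUntil` properties, and treating entries as inheriting that TTL, since the entries themselves carry none. The sample list VC is constructed, and the `credentialSubject` layout (an `entries` array with `id` and `role`) is an assumption for illustration only, not the specification's data model.

```python
"""Consume an issuer/verifier list carried in a Verifiable Credential:
honour the list-level TTL given by the VC Data Model v2.0 `validFrom` /
`validUntil` properties, and let entries inherit it, since entries have
no TTL of their own.

Added example; not code from the specification or from Digital Bazaar.
The `credentialSubject` layout (an `entries` array with `id` and `role`)
is an assumption for illustration only.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample list VC.  Property names follow VC DM 2.0; the entry
# layout is a placeholder, not the specification's data model.
SAMPLE_LIST_VC = {
    "@context": ["https://www.w3.org/ns/credentials/v2"],
    "type": ["VerifiableCredential"],
    "issuer": "did:example:list-publisher",
    "validFrom": "2023-03-01T00:00:00Z",
    "validUntil": "2023-04-01T00:00:00Z",
    "credentialSubject": {
        "entries": [
            {"id": "did:example:issuer-1", "role": "issuer"},
            {"id": "did:example:verifier-1", "role": "verifier"},
        ]
    },
}


def parse_timestamp(value):
    """Parse an XML Schema dateTimeStamp.  A zone designator is mandatory;
    a naive timestamp is ambiguous and is rejected rather than guessed."""
    if not isinstance(value, str):
        raise ValueError("timestamp must be a string")
    # datetime.fromisoformat() only accepts a trailing 'Z' from 3.11 on.
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError("timestamp lacks a timezone: %r" % value)
    return parsed.astimezone(timezone.utc)


def list_status(vc, now, skew=timedelta(minutes=5)):
    """Classify the list as 'valid', 'not_yet_valid', 'expired' or
    'malformed' at `now` (a timezone-aware datetime).

    `skew` tolerates a publisher clock slightly ahead of ours on the
    validFrom side only; expiry is enforced strictly, because extending a
    list past its validUntil is exactly what the TTL is meant to prevent.
    Both properties are optional in VC DM 2.0: a missing validUntil means
    the list does not expire on its own, a missing validFrom means it is
    usable immediately."""
    start = parse_timestamp(vc["validFrom"]) if "validFrom" in vc else None
    end = parse_timestamp(vc["validUntil"]) if "validUntil" in vc else None
    if start is not None and end is not None and end <= start:
        return "malformed"
    if start is not None and now + skew < start:
        return "not_yet_valid"
    if end is not None and now >= end:
        return "expired"
    return "valid"


def usable_entries(vc, now):
    """Entries carry no TTL of their own, so they inherit the list's:
    outside the list's validity window no entry is returned at all."""
    if list_status(vc, now) != "valid":
        return []
    return list(vc.get("credentialSubject", {}).get("entries", []))


def cache_ttl_seconds(vc, now):
    """How long a consumer may cache the list before re-fetching: the
    time left until validUntil, or None if the list carries no expiry."""
    if "validUntil" not in vc:
        return None
    remaining = parse_timestamp(vc["validUntil"]) - now
    return max(0, int(remaining.total_seconds()))


if __name__ == "__main__":
    when = parse_timestamp("2023-03-08T14:13:59Z")
    print(list_status(SAMPLE_LIST_VC, when), usable_entries(SAMPLE_LIST_VC, when))
    print("cache for", cache_ttl_seconds(SAMPLE_LIST_VC, when), "seconds")
```

The skew is deliberately one-sided: a consumer whose clock is a few minutes behind the publisher's should not reject a freshly issued list, but no amount of skew should keep an expired list alive. Whether the list should be accepted at all (who published it, whether its proof verifies) is a separate decision this code does not make, which is the point the message above makes about "trust".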