RE: Lists of Verifiable Issuers and Verifiers

I agree 
a) you don't want to imply that one can inherently 'trust' a list just because the list exists and someone put the word 'trust' in its title
b) from the perspective of writing a spec, you want to stay clear of recommendations on trust, governance and liability. 

However, my understanding is that there is an explicit intended purpose for these lists and that is to help people make trust decisions without having to perform full due-diligence themselves (enables the scaling of due-diligence if you will). I don't think the intent of the spec is really to just be a generic list primitive without expectation for how or why it will be used. There may be utility in that but I don't see that nearly as interesting.

This being the case, the question shouldn't be 'why should I trust your list' (messy conversation with no good procedural answer) but rather the statement: for the list to be useful in helping make a trust decision one must trust the party (in the appropriate context) that manages the list to do what they say they will do. How one comes to trust the manager of the list is a different topic. How a list is managed and how large it is directly impacts the utility of the list in helping make trust decisions and puts boundaries on the ability to scale due-diligence (to whatever level of detail required). I'm not advocating that any of this should be baked into the spec, but when considering using lists I think these are important considerations.

-S


-----Original Message-----
From: Manu Sporny <msporny@digitalbazaar.com> 
Sent: Wednesday, March 8, 2023 6:13 AM
To: W3C Credentials CG <public-credentials@w3.org>
Subject: Re: Lists of Verifiable Issuers and Verifiers

On Tue, Mar 7, 2023 at 7:22 PM Bob Wyman <bob@wyman.us> wrote:
> Also, a question: Would either, or both, of the entries and lists have "Time To Live (TTL)" values that indicated for how long these things should be trusted?

Since the list is expressed in a Verifiable Credential, it has a TTL, specified via the `validFrom` and `validUntil` properties on the VC:

https://w3c-ccg.github.io/verifiable-issuers-verifiers/#verifiable-credential

Entries don't have TTLs yet, and I doubt we'd add them because doing so doesn't add much value beyond the TTL of the list.

I'll note that the example, which is almost 8 months old now, needs to be updated to get in line w/ the v2.0 VC Data Model specification and use those properties in the example.

> It seems to me that use of a list having 10 members would present a very different set of issues than one that had 10's of millions of members.

It does present a different set of issues, it's a different class of problem, and I'll hazard a proposition that we're not interested in publishing lists with 10s of millions of members in them. If you want to do that, you're probably in a different problem space (and this spec isn't going to help you). I expect the lists start to lose value after you get several thousand entries in them... however, most of the use cases we're looking at right now don't go far above a few thousand entries (in the most extreme cases).

I'll also note that much of this discussion is getting into governance models and liability, which the specification is explicitly not going to make any recommendations on... that's a third rail that we're trying to stay away from. The issuers of these lists could be:

* An individual.
* Your close circle of friends.
* Your mortal enemy ("Oh, I definitely don't want to interact w/ anyone on THAT list!")
* A for-profit organization that you trust.
* A local or national government.
* A society of professionals.
* A trade organization.

We should also be very careful about using the word "trust", which means different things to different people and changes based on context. I personally think it's a really bad idea to refer to anything in these lists as "trusted" or "trust registries" or "trust lists". This came up multiple times during the creation of the paper, and some people seem to not be able to help themselves in using that term, which muddies the discussion.

Who or what you trust is a personal/organizational decision. An individual/organization might trust one list, while another individual/organization wouldn't trust that same list. So, calling it a "trusted" anything always results in a: "Why should I trust YOUR list?!" discussion (which tends to go around in circles).

These lists are meant to be decentralized in nature -- anyone can publish them, anyone can consume them, the only authority they have is the one the consumer of the list imbues onto them.

The specification is focused on just publishing/consuming lists of issuers and verifiers. Anything extra you project onto those lists is a delusion you share w/ the assurance community, and no one else. :P

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021) https://www.digitalbazaar.com/

Received on Wednesday, 8 March 2023 16:11:58 UTC
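The consumer-side check the thread describes (the list is a VC whose TTL is its `validFrom`/`validUntil` window, entries carry no TTL of their own, and the only authority a list has is the one the consumer grants its publisher), as an added example that is not code from the thread or from the Verifiable Issuers and Verifiers spec. The `credentialSubject` layout, the `VerifiableIssuerList` type name and the DIDs are constructed assumptions; the spec's actual entry format is not asserted here.

```python
from datetime import datetime

# Constructed sample list credential. validFrom/validUntil are the v2.0 VC Data
# Model properties named in the thread; the "issuers" array shape is assumed.
SAMPLE_LIST_VC = {
    "type": ["VerifiableCredential", "VerifiableIssuerList"],  # hypothetical type
    "issuer": "did:example:professional-society",
    "validFrom": "2023-03-08T00:00:00Z",
    "validUntil": "2023-09-08T00:00:00Z",
    "credentialSubject": {
        "issuers": [
            {"id": "did:example:university-a", "credentialTypes": ["DegreeCredential"]},
            {"id": "did:example:university-b",
             "credentialTypes": ["DegreeCredential", "TranscriptCredential"]},
        ]
    },
}


def parse_ts(ts):
    # RFC 3339 timestamp; older fromisoformat() rejects a trailing "Z", so map it
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def list_is_current(vc, now):
    """True if `now` lies inside the list VC's validity window.
    validUntil is optional in the v2.0 data model: absent means no expiry."""
    if now < parse_ts(vc["validFrom"]):
        return False
    until = vc.get("validUntil")
    return until is None or now < parse_ts(until)


def lookup_issuer(vc, issuer_id, credential_type, accepted_publishers, now):
    """What does this list say about `issuer_id` for `credential_type`?

    "unknown"    - the list is unusable (publisher not in this consumer's
                   accepted set, or outside validFrom/validUntil); it says nothing
    "listed"     - a current, accepted list names the issuer for this type
    "not-listed" - a current, accepted list does not name it
    An expired list must not degrade to "not-listed" or "listed": its entries
    inherit the list's TTL. Proof verification is assumed done before this call.
    """
    if vc["issuer"] not in accepted_publishers:
        return "unknown"
    if not list_is_current(vc, now):
        return "unknown"
    for entry in vc["credentialSubject"]["issuers"]:
        if entry["id"] == issuer_id and credential_type in entry.get("credentialTypes", []):
            return "listed"
    return "not-listed"
```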