Re: Goals and Requirements for DID Method Standardization?

On Mon, Nov 25, 2024 at 3:02 PM Steve Capell <steve.capell@gmail.com> wrote:
> Long-lived VCs need long-lived DIDs. Domain names change, ledgers come and go, hosted did:web issuers go bust, … lots of reasons why a business or government agency might need to “move” a DID without invalidating previously issued VCs

Thank you, Steven, I've added your requirement here (and invite others
to add theirs to the issue tracker):

https://github.com/decentralized-identity/did-methods/issues/10#issuecomment-2500827870

I do agree that your requirement is important, but possibly for
different reasons:

There is one perspective here where government agencies, or
businesses, might not need long-lived DIDs. Their DIDs only need to
exist as long as the refresh cycles on their VCs (which might only be
a few years). There is a need for them to report their new DID to some
sort of trust framework that verifiers use, but one could make the
argument that government-based DIDs only need to last a few years (as
long as their longest credential). So, maybe the need isn't as strong
for government agencies, which have strong control over their domain
and refresh cycles?

Now, the reality is that government agencies will probably just go
with did:web (or any other web-based DID Method) for now, because they
know how to secure a website and it ticks all the security boxes for
their IT teams. It's probably also true that most government agencies
have had a web domain for as long as their agency has existed as a
presence on the Internet (the .gov domain has been around for ~41 years).

However, I think the need is stronger for individuals, who live for
~70+ years. More specifically, it's important for individuals to be
able to have pairwise and ephemeral DIDs (for privacy reasons), but
it's also important for individuals to have long-lived DIDs for public
personas (reputation). That is, for things like your social media or
other web-presence profiles (LinkedIn, X/Twitter, BlueSky, Instagram,
Mastodon, etc.). There are dangers here -- like, never use your public
DID when you have some expectation of privacy in the exchange and
don't know how the other party will use your identifier over the long
term -- it's dicey, and I don't mean to downplay the concern there.

In any case, all that to say -- yes, long-lived identifiers are needed
for long-lived credentials... but perhaps the need is greater among
individuals (who don't have control over the lifetime of VCs issued to
them) than among organizations (who do have control over the lifetime
of the VCs they issue). Then again, organizations don't have control
over the VCs issued to them by individuals and other organizations, so
perhaps this has more to do with "public personas" vs. private ones?
There is, of course, a counter-argument that we should not be using
long-lived identifiers at all... but I don't know how you can ZKP
yourself through life -- at some point, people want to refer to you in
a long-lived social context... and they prefer to use long-lived
identifiers when doing so.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Tuesday, 26 November 2024 14:53:40 UTC