Re: Goals and Requirements for DID Method Standardization?

Manu,

I agree with your analysis, particularly with the issues around individual
reputation in various separable contexts. From that perspective, the major
difference between individuals and organizations is that one has biometrics
and the other uses biometrics.
https://www.technologyreview.com/2024/11/20/1107002/clear-airport-identity-management-biometrics-facial-recognition/

It seems to me that our community should be addressing the role of
biometrics relative to DIDs as a primary or foundational concern.

Adrian

On Tue, Nov 26, 2024 at 9:55 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On Mon, Nov 25, 2024 at 3:02 PM Steve Capell <steve.capell@gmail.com>
> wrote:
> > Long lived VCs need long lived DIDs.  Domain names change, ledgers come
> and go, hosted DiD web issuers go bust, … lots of reasons why a business or
> government agency might need to “move” a DID without invalidating
> previously issued VCs
>
> Thank you, Steven, I've added your requirement here (and invite others
> to add theirs to the issue tracker):
>
>
> https://github.com/decentralized-identity/did-methods/issues/10#issuecomment-2500827870
>
> I do agree that your requirement is important, but possibly for
> different reasons:
>
> There is one perspective here where government agencies, or
> businesses, might not need long-lived DIDs. Their DIDs only need to
> exist as long as the refresh cycles on their VCs (which might only be
> a few years). There is a need for them to report their new DID to some
> sort of trust framework that verifiers use, but one could make the
> argument that government-based DIDs only need to last a few years (as
> long as their longest credential). So, maybe the need isn't as strong
> for government agencies, which have strong control over their domain
> and refresh cycles?
>
> Now, the reality is that government agencies will probably just go
> with did:web (or any other web-based DID Method) for now, because they
> know how to secure a website and it ticks all the security boxes for
> their IT teams. It's probably also true that most government agencies
> have had a web domain for as long as their agency has existed as a
> presence on the Internet (.gov domain has been around for ~41 years).
>
> However, I think the need is stronger for individuals, who live for
> ~70+ years. More specifically, it's important for individuals to be
> able to have pairwise and ephemeral DIDs (for privacy reasons), but
> it's also important for individuals to have long-lived DIDs for public
> personas (reputation). That is, for things like your social media or
> other web-presence profiles (LinkedIn, X/Twitter, BlueSky, Instagram,
> Mastodon, etc.). There are dangers here -- like, never use your public
> DID when you have some expectation of privacy in the exchange and
> don't know how the other party will use your identifier over the long
> term -- it's dicey, and I don't mean to downplay the concern there.
>
> In any case, all that to say -- yes, long lived identifiers are needed
> for long-lived credentials... but perhaps the need is greater among
> individuals (who don't have control over the lifetime of VCs issued to
> them) than among organizations (who do have control over the lifetime
> of the VCs they issue). Then again, organizations don't have control
> over the VCs issued to them by individuals and other organizations, so
> perhaps this has more to do with "public personas" vs. private ones?
> There is, of course, a counter-argument that we should not be using
> long-lived identifiers at all... but I don't know how you can ZKP
> yourself through life -- at some point, people want to refer to you in
> a long-lived social context... and they prefer to use long-lived
> identifiers when doing so.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
>
>