- From: Kim Hamilton <kimdhamilton@gmail.com>
- Date: Tue, 26 Nov 2024 17:02:17 +0000
- To: "Adrian Gropper" <agropper@healthurl.com>
- Cc: "Manu Sporny" <msporny@digitalbazaar.com>, "Steve Capell" <steve.capell@gmail.com>, "W3C Credentials CG" <public-credentials@w3.org>
- Message-ID: <m3ypcpkh.68402cec-90ea-47cc-8199-73b310f4d63f@we.are.superhuman.com>
Speaking as an individual, not with any official hats, I would also like to see more coverage on biometrics. If anyone has points to projects/efforts that are working on that (w.r.t DIDs) I'd love to read up on it.

On Tue, Nov 26, 2024 at 8:29 AM, Adrian Gropper <agropper@healthurl.com> wrote:

> Manu,
>
> I agree with your analysis, particularly with the issues around individual
> reputation in various separable contexts. From that perspective, the major
> difference between individuals and organizations is that one has
> biometrics and the other uses biometrics.
> https://www.technologyreview.com/2024/11/20/1107002/clear-airport-identity-management-biometrics-facial-recognition/
>
> It seems to me that our community should be addressing the role of
> biometrics relative to DIDs as a primary or foundational concern.
>
> Adrian
>
> On Tue, Nov 26, 2024 at 9:55 AM Manu Sporny <msporny@digitalbazaar.com> wrote:
>
>> On Mon, Nov 25, 2024 at 3:02 PM Steve Capell <steve.capell@gmail.com> wrote:
>> > Long lived VCs need long lived DIDs. Domain names change, ledgers come
>> > and go, hosted DiD web issuers go bust, … lots of reasons why a business
>> > or government agency might need to “move” a DID without invalidating
>> > previously issued VCs
>>
>> Thank you, Steven, I've added your requirement here (and invite others
>> to add theirs to the issue tracker):
>>
>> https://github.com/decentralized-identity/did-methods/issues/10#issuecomment-2500827870
>>
>> I do agree that your requirement is important, but possibly for
>> different reasons:
>>
>> There is one perspective here where government agencies, or
>> businesses, might not need long-lived DIDs. Their DIDs only need to
>> exist as long as the refresh cycles on their VCs (which might only be
>> a few years). There is a need for them to report their new DID to some
>> sort of trust framework that verifiers use, but one could make the
>> argument that government-based DIDs only need to last a few years (as
>> long as their longest credential). So, maybe the need isn't as strong
>> for government agencies, which have strong control over their domain
>> and refresh cycles?
>>
>> Now, the reality is that government agencies will probably just go
>> with did:web (or any other web-based DID Method) for now, because they
>> know how to secure a website and it ticks all the security boxes for
>> their IT teams. It's probably also true that most government agencies
>> have had a web domain for as long as their agency has existed as a
>> presence on the Internet (.gov domain has been around for ~41 years).
>>
>> However, I think the need is stronger for individuals, who live for
>> ~70+ years. More specifically, it's important for individuals to be
>> able to have pairwise and ephemeral DIDs (for privacy reasons), but
>> it's also important for individuals to have long-lived DIDs for public
>> personas (reputation). That is, for things like your social media or
>> other web-presence profiles (LinkedIn, X/Twitter, BlueSky, Instagram,
>> Mastodon, etc.). There are dangers here -- like, never use your public
>> DID when you have some expectation of privacy in the exchange and
>> don't know how the other party will use your identifier over the long
>> term -- it's dicey, and I don't mean to downplay the concern there.
>>
>> In any case, all that to say -- yes, long lived identifiers are needed
>> for long-lived credentials... but perhaps the need is greater among
>> individuals (who don't have control over the lifetime of VCs issued to
>> them) than among organizations (who do have control over the lifetime
>> of the VCs they issue). Then again, organizations don't have control
>> over the VCs issued to them by individuals and other organizations, so
>> perhaps this has more to do with "public personas" vs. private ones?
>> There is, of course, a counter-argument that we should not be using
>> long-lived identifiers at all... but I don't know how you can ZKP
>> yourself through life -- at some point, people want to refer to you in
>> a long-lived social context... and they prefer to use long-lived
>> identifiers when doing so.
>>
>> -- manu
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> https://www.digitalbazaar.com/

Received on Tuesday, 26 November 2024 17:02:30 UTC