Re: Goals and Requirements for DID Method Standardization? from Steve Capell on 2024-11-26 (public-credentials@w3.org from November 2024)

From: Steve Capell <steve.capell@gmail.com>
Date: Wed, 27 Nov 2024 07:42:45 +1100
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: W3C Credentials CG <public-credentials@w3.org>
Message-Id: <17773DBB-5C3A-41A3-832C-E48AF9DB7E2E@gmail.com>
Thanks Manu 

I agree 100% that there is no intrinsic need for a DID to be long lived.  So long as I can link my DID to a trusted identity framework (see https://uncefact.github.io/spec-untp/docs/specification/DigitalIdentityAnchor for example) then I can churn through as many DIDs as I like 

The problem we encounter in UNTP is exactly the one you highlight - some VCs have a very long life.  In our case these are trade & industry credentials not personal ones.  Agri-food VCs are  typically only relevant for a few weeks (until the fresh food is eaten or processed into longer lived processed products but even then (apart from fine wines) it’s usually months. The construction industry on the other hand is interested in verifiable data throughout the lifetime of the built environment which is usually many decades.

So the business problem is - what happens to the verification of a long lived VC when the underlying DID is gone ?

Steven Capell
Mob: 0410 437854

> On 27 Nov 2024, at 1:53 AM, Manu Sporny <msporny@digitalbazaar.com> wrote:
> 
> On Mon, Nov 25, 2024 at 3:02 PM Steve Capell <steve.capell@gmail.com> wrote:
>> Long lived VCs need long lived DIDs.  Domain names change, ledgers come and go, hosted DiD web issuers go bust, … lots of reasons why a business or government agency might need to “move” a DID without invalidating previously issued VCs
> 
> Thank you, Steven, I've added your requirement here (and invite others
> to add theirs to the issue tracker):
> 
> https://github.com/decentralized-identity/did-methods/issues/10#issuecomment-2500827870
> 
> I do agree that your requirement is important, but possibly for
> different reasons:
> 
> There is one perspective here where government agencies, or
> businesses, might not need long-lived DIDs. Their DIDs only need to
> exist as long as the refresh cycles on their VCs (which might only be
> a few years). There is a need for them to report their new DID to some
> sort of trust framework that verifiers use, but one could make the
> argument that government-based DIDs only need to last a few years (as
> long as their longest credential). So, maybe the need isn't as strong
> for government agencies, which have strong control over their domain
> and refresh cycles?
> 
> Now, the reality is that government agencies will probably just go
> with did:web (or any other web-based DID Method) for now, because they
> know how to secure a website and it ticks all the security boxes for
> their IT teams. It's probably also true that most government agencies
> have had a web domain for as long as their agency has existed as a
> presence on the Internet (.gov domain has been around for ~41 years).
> 
> However, I think the need is stronger for individuals, who live for
> ~70+ years. More specifically, it's important for individuals to be
> able to have pairwise and ephemeral DIDs (for privacy reasons), but
> it's also important for individuals to have long-lived DIDs for public
> personas (reputation). That is, for things like your social media or
> other web-presence profiles (LinkedIn, X/Twitter, BlueSky, Instagram,
> Mastodon, etc.). There are dangers here -- like, never use your public
> DID when you have some expectation of privacy in the exchange and
> don't know how the other party will use your identifier over the long
> term -- it's dicey, and I don't mean to downplay the concern there.
> 
> In any case, all that to say -- yes, long lived identifiers are needed
> for long-lived credentials... but perhaps the need is greater among
> individuals (who don't have control over the lifetime of VCs issued to
> them) than among organizations (who do have control over the lifetime
> of the VCs they issue). Then again, organizations don't have control
> over the VCs issued to them by individuals and other organizations, so
> perhaps this has more to do with "public personas" vs. private ones?
> There is, of course, a counter-argument that we should not be using
> long-lived identifiers at all... but I don't know how you can ZKP
> yourself through life -- at some point, people want to refer to you in
> a long-lived social context... and they prefer to use long-lived
> identifiers when doing so.
> 
> -- manu
> 
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
Received on Tuesday, 26 November 2024 20:43:02 UTC