Re: Goals and Requirements for DID Method Standardization? from Harrison on 2024-11-26 (public-credentials@w3.org from November 2024)

From: Harrison <harrison@spokeo.com>
Date: Tue, 26 Nov 2024 12:46:47 -0800
To: Steve Capell <steve.capell@gmail.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, W3C Credentials CG <public-credentials@w3.org>
Message-ID: <CAFYh=43X10-28x4097CM2SQMq=w26ofY851HNKymmM3YnzitsQ@mail.gmail.com>
Hi Michael and all,

As the W3C CCG co-chair, I would like to restate that W3C CCG is an open
and inclusive place to discuss, incubate, and work on identity-related
technologies wherever it comes from.  We've tried hard to collaborate with
other communities, such as DIF, OpenID, and IETF, because we all share the
same goal of advancing self-sovereign identity for billions of people.
Consequently, I would like to thank, and continue to encourage, you, Manu,
and many others to share identity-related news and developments across all
communities around the world.

Sincerely,

*Harrison Tang*
CEO
 LinkedIn  <https://www.linkedin.com/company/spokeo/> •   Instagram
<https://www.instagram.com/spokeo/> •   Youtube <https://bit.ly/2oh8YPv>


On Tue, Nov 26, 2024 at 12:44 PM Steve Capell <steve.capell@gmail.com>
wrote:

> Thanks Manu
>
> I agree 100% that there is no intrinsic need for a DID to be long lived.
> So long as I can link my DID to a trusted identity framework (see
> https://uncefact.github.io/spec-untp/docs/specification/DigitalIdentityAnchor for
> example) then I can churn through as many DIDs as I like
>
> The problem we encounter in UNTP is exactly the one you highlight - some
> VCs have a very long life.  In our case these are trade & industry
> credentials not personal ones.  Agri-food VCs are  typically only relevant
> for a few weeks (until the fresh food is eaten or processed into longer
> lived processed products but even then (apart from fine wines) it’s usually
> months. The construction industry on the other hand is interested in
> verifiable data throughout the lifetime of the built environment which is
> usually many decades.
>
> So the business problem is - what happens to the verification of a long
> lived VC when the underlying DID is gone ?
>
> Steven Capell
> Mob: 0410 437854
>
> On 27 Nov 2024, at 1:53 AM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
> On Mon, Nov 25, 2024 at 3:02 PM Steve Capell <steve.capell@gmail.com>
> wrote:
>
> Long lived VCs need long lived DIDs.  Domain names change, ledgers come
> and go, hosted DiD web issuers go bust, … lots of reasons why a business or
> government agency might need to “move” a DID without invalidating
> previously issued VCs
>
>
> Thank you, Steven, I've added your requirement here (and invite others
> to add theirs to the issue tracker):
>
>
> https://github.com/decentralized-identity/did-methods/issues/10#issuecomment-2500827870
>
> I do agree that your requirement is important, but possibly for
> different reasons:
>
> There is one perspective here where government agencies, or
> businesses, might not need long-lived DIDs. Their DIDs only need to
> exist as long as the refresh cycles on their VCs (which might only be
> a few years). There is a need for them to report their new DID to some
> sort of trust framework that verifiers use, but one could make the
> argument that government-based DIDs only need to last a few years (as
> long as their longest credential). So, maybe the need isn't as strong
> for government agencies, which have strong control over their domain
> and refresh cycles?
>
> Now, the reality is that government agencies will probably just go
> with did:web (or any other web-based DID Method) for now, because they
> know how to secure a website and it ticks all the security boxes for
> their IT teams. It's probably also true that most government agencies
> have had a web domain for as long as their agency has existed as a
> presence on the Internet (.gov domain has been around for ~41 years).
>
> However, I think the need is stronger for individuals, who live for
> ~70+ years. More specifically, it's important for individuals to be
> able to have pairwise and ephemeral DIDs (for privacy reasons), but
> it's also important for individuals to have long-lived DIDs for public
> personas (reputation). That is, for things like your social media or
> other web-presence profiles (LinkedIn, X/Twitter, BlueSky, Instagram,
> Mastodon, etc.). There are dangers here -- like, never use your public
> DID when you have some expectation of privacy in the exchange and
> don't know how the other party will use your identifier over the long
> term -- it's dicey, and I don't mean to downplay the concern there.
>
> In any case, all that to say -- yes, long lived identifiers are needed
> for long-lived credentials... but perhaps the need is greater among
> individuals (who don't have control over the lifetime of VCs issued to
> them) than among organizations (who do have control over the lifetime
> of the VCs they issue). Then again, organizations don't have control
> over the VCs issued to them by individuals and other organizations, so
> perhaps this has more to do with "public personas" vs. private ones?
> There is, of course, a counter-argument that we should not be using
> long-lived identifiers at all... but I don't know how you can ZKP
> yourself through life -- at some point, people want to refer to you in
> a long-lived social context... and they prefer to use long-lived
> identifiers when doing so.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
>
>
Received on Tuesday, 26 November 2024 20:47:08 UTC