Re: Goals and Requirements for DID Method Standardization? from Andres Olave on 2024-11-29 (public-credentials@w3.org from November 2024)

From: Andres Olave <andres.olave@velocitycareerlabs.com>
Date: Fri, 29 Nov 2024 22:30:13 +0000
To: Manu Sporny <msporny@digitalbazaar.com>, Steve Capell <steve.capell@gmail.com>
CC: W3C Credentials CG <public-credentials@w3.org>
Message-ID: <8145bebb-1920-41a1-9d8d-76663b813b45@Spark>

I eagerly concur with you Steve.

Long-lived VCs are inherent to employment and education credentials that Velocity Network issues for as well.  Something like 595,000 companies close annually, and even though the numbers are lower in the education space, around 10-20 colleges close annually. This is a real problem that DID-based ecosystems need to solve.

regards,

Andres Olave
CTO
Velocity Career Labs

[cid:5D5736D78749467184F93207CE6AC23C]
Building the Internet of Careers™
velocitynetwork.foundation<http://www.velocitynetwork.foundation/>|velocitycareerlabs.com<http://www.velocitycareerlabs.com/>
M+61 436 350390|andres.olave@velocitycareerlabs.com<mailto:dror.gurevich@velocitycareerlabs.com>
(GMT+11) Monday - Friday

Download the Velocity Career Wallet App:

[Graphical user interface Description automatically generated with medium confidence]<https://apps.apple.com/us/app/velocity-career-wallet/id1587589679> [A picture containing text Description automatically generated] <https://play.google.com/store/apps/details?id=io.velocitycareerlabs.holderapp>

On 27 Nov 2024 at 07:45 +1100, Steve Capell <steve.capell@gmail.com>, wrote:
Thanks Manu

I agree 100% that there is no intrinsic need for a DID to be long lived.  So long as I can link my DID to a trusted identity framework (see https://uncefact.github.io/spec-untp/docs/specification/DigitalIdentityAnchor for example) then I can churn through as many DIDs as I like

The problem we encounter in UNTP is exactly the one you highlight - some VCs have a very long life.  In our case these are trade & industry credentials not personal ones.  Agri-food VCs are  typically only relevant for a few weeks (until the fresh food is eaten or processed into longer lived processed products but even then (apart from fine wines) it’s usually months. The construction industry on the other hand is interested in verifiable data throughout the lifetime of the built environment which is usually many decades.

So the business problem is - what happens to the verification of a long lived VC when the underlying DID is gone ?

Steven Capell
Mob: 0410 437854

On 27 Nov 2024, at 1:53 AM, Manu Sporny <msporny@digitalbazaar.com> wrote:

On Mon, Nov 25, 2024 at 3:02 PM Steve Capell <steve.capell@gmail.com> wrote:
Long lived VCs need long lived DIDs.  Domain names change, ledgers come and go, hosted DiD web issuers go bust, … lots of reasons why a business or government agency might need to “move” a DID without invalidating previously issued VCs

Thank you, Steven, I've added your requirement here (and invite others
to add theirs to the issue tracker):

https://github.com/decentralized-identity/did-methods/issues/10#issuecomment-2500827870


I do agree that your requirement is important, but possibly for
different reasons:

There is one perspective here where government agencies, or
businesses, might not need long-lived DIDs. Their DIDs only need to
exist as long as the refresh cycles on their VCs (which might only be
a few years). There is a need for them to report their new DID to some
sort of trust framework that verifiers use, but one could make the
argument that government-based DIDs only need to last a few years (as
long as their longest credential). So, maybe the need isn't as strong
for government agencies, which have strong control over their domain
and refresh cycles?

Now, the reality is that government agencies will probably just go
with did:web (or any other web-based DID Method) for now, because they
know how to secure a website and it ticks all the security boxes for
their IT teams. It's probably also true that most government agencies
have had a web domain for as long as their agency has existed as a
presence on the Internet (.gov domain has been around for ~41 years).

However, I think the need is stronger for individuals, who live for
~70+ years. More specifically, it's important for individuals to be
able to have pairwise and ephemeral DIDs (for privacy reasons), but
it's also important for individuals to have long-lived DIDs for public
personas (reputation). That is, for things like your social media or
other web-presence profiles (LinkedIn, X/Twitter, BlueSky, Instagram,
Mastodon, etc.). There are dangers here -- like, never use your public
DID when you have some expectation of privacy in the exchange and
don't know how the other party will use your identifier over the long
term -- it's dicey, and I don't mean to downplay the concern there.

In any case, all that to say -- yes, long lived identifiers are needed
for long-lived credentials... but perhaps the need is greater among
individuals (who don't have control over the lifetime of VCs issued to
them) than among organizations (who do have control over the lifetime
of the VCs they issue). Then again, organizations don't have control
over the VCs issued to them by individuals and other organizations, so
perhaps this has more to do with "public personas" vs. private ones?
There is, of course, a counter-argument that we should not be using
long-lived identifiers at all... but I don't know how you can ZKP
yourself through life -- at some point, people want to refer to you in
a long-lived social context... and they prefer to use long-lived
identifiers when doing so.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/

Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Attachments

image/jpeg attachment: 5D5736D78749467184F93207CE6AC23C.jpeg
image/png attachment: 5B6444CBD56B4A30B242A387C1412692.png
image/png attachment: 4E97F317E1904321BE980BC8F84AC6FB.png

Received on Friday, 29 November 2024 22:30:21 UTC