- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sat, 25 Jan 2025 10:44:27 -0500
- To: W3C Credentials CG <public-credentials@w3.org>
On Sat, Jan 25, 2025 at 2:14 AM steve capell <steve.capell@gmail.com> wrote:
> Lots of interesting posts on this topic that I've enjoyed reading.

Yes, this has been a good thread; thought around this topic has matured over the past several years. Of the comments made, the ones that Daniel, Wayne, and Harrison made around the solution being use case specific resonate the most.

That said, our community didn't go through all this trouble of creating DIDs and VCs to re-establish centralized trust registries and re-entrench rent seeking behaviour. That is what concerns me with some of the "just use a Certificate Authority!" responses. No, that shouldn't be the default answer.

In many cases, what you're talking about is a curated list of DIDs, and there doesn't need to be a single curator of that list. The closer we get to a single curator model, the higher the chances of rent seeking behaviour by that curator. There are some traditional PKI models that are exceedingly difficult to be a part of, with high fees associated with participating that are then used as competitive barriers. If we fall back into that model, which is easy to do, then we've not really improved the state of the art.

What Daniel said about this being just another VC resonates deeply. If you have a DID for an entity, and there is a way to look up more about that entity (such as did:webvh's /whois endpoint), then all you need is:

1. A list of DIDs or CIDs that you or some set of authorities have created.
2. Optionally, a /whois like service to pull VCs about those DIDs.

Most importantly, the verifier software in the ecosystem needs to be able to make the decision of who to trust, and augment that list, at the verifier instance level. Don't make the mistake of assuming that this is "Just the Certificate Authority problem all over again."... because it's not; these DID/VC ecosystems are far more decentralized than what we (broadly) tend to use CAs and PKI for, which is global trust.

The management of traditional CAs and PKIs can be eye-wateringly expensive. We don't have to make every solution for the DID/VC space have the same flaws; it will be difficult to keep the community from falling into that same trap due to the monied interests that are involved.

At the risk of oversimplifying: Why can't we just start with a list of DIDs that a verifier software trusts and configure it locally? You build that list yourself, you get that list from an authority you trust, or a combination of the two. What doesn't scale with that approach?

-- manu

PS: I'd also like to join Wayne in asking again: What's the going market rate for a Brad Pitt DID, and can you please link to that article about the fake French Brad Pitt boyfriend? Clearly, we need to add "Defending Against Fake Brad Pitts" to the threat model. :P

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/
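The "locally configured list of trusted DIDs" that the message above proposes, as an added illustration that is not part of the post or of any Digital Bazaar code: a verifier instance keeps its own issuer trust list, merges entries from its local configuration with entries from one or more authorities it has chosen, records which source vouched for each DID, and decides per credential whether the issuer is acceptable. All DIDs (did:example:...), the `{"dids": [...]}` shape of an authority-published list, and the minimal credential dicts are constructed for the example; the optional /whois lookup mentioned in the message is left out, since only the trust-list decision is being shown.

```python
"""Verifier-instance issuer trust list for VC verification (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class VerifierTrustConfig:
    """Per-verifier-instance trust list: issuer DID -> set of source labels that vouch for it.

    Keeping the vouching sources lets an operator see *why* a DID is trusted and
    drop an authority later without losing DIDs that were also added locally.
    """
    entries: dict = field(default_factory=dict)

    def add(self, did: str, source: str) -> None:
        self.entries.setdefault(did, set()).add(source)

    def load_local(self, dids) -> None:
        """DIDs the operator of this verifier instance curated themselves."""
        for did in dids:
            self.add(did, "local")

    def load_authority(self, name: str, doc: dict) -> None:
        """Merge a list published by an authority the operator chose to trust.

        The document shape {"dids": [...]} is an assumption of this example.
        """
        for did in doc.get("dids", []):
            self.add(did, f"authority:{name}")

    def drop_source(self, source: str) -> None:
        """Stop trusting one source; DIDs vouched for only by it are removed."""
        for did in list(self.entries):
            self.entries[did].discard(source)
            if not self.entries[did]:
                del self.entries[did]

    def is_trusted(self, did: str) -> bool:
        return did in self.entries

    def sources(self, did: str) -> list:
        return sorted(self.entries.get(did, ()))


def issuer_did(credential: dict):
    """The VC data model allows `issuer` to be a DID string or an object with an `id`."""
    issuer = credential.get("issuer")
    if isinstance(issuer, dict):
        return issuer.get("id")
    return issuer


def accept_issuer(credential: dict, config: VerifierTrustConfig) -> tuple:
    """Trust decision made at the verifier instance, after signature checks would run.

    Returns (accepted, reason). Signature/proof verification is out of scope here.
    """
    did = issuer_did(credential)
    if not did:
        return (False, "credential has no issuer")
    if config.is_trusted(did):
        return (True, f"issuer {did} trusted via {', '.join(config.sources(did))}")
    return (False, f"issuer {did} is not on this verifier's trust list")


def build_demo_config() -> VerifierTrustConfig:
    """Constructed configuration: one local entry plus one authority-published list."""
    config = VerifierTrustConfig()
    config.load_local(["did:example:local-partner"])
    # Constructed authority list; a real one would be fetched and its integrity checked.
    config.load_authority("sector-registry", {"dids": ["did:example:accredited-org",
                                                        "did:example:local-partner"]})
    return config


def demo() -> dict:
    """Run the decision over three constructed credentials and return the outcomes."""
    config = build_demo_config()
    creds = {
        "local": {"issuer": "did:example:local-partner"},
        "accredited": {"issuer": {"id": "did:example:accredited-org"}},
        "unknown": {"issuer": "did:example:never-seen"},
    }
    return {name: accept_issuer(c, config)[0] for name, c in creds.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The decision lives entirely in the verifier instance: dropping the "sector-registry" source with `drop_source` removes `did:example:accredited-org` but keeps `did:example:local-partner`, because the operator also listed it locally. Nothing in this flow requires a single global curator.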
Received on Saturday, 25 January 2025 15:45:07 UTC