- From: Brian Richter <brian@aviary.tech>
- Date: Sat, 25 Jan 2025 08:05:02 -0800
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CAPUZd8tXignOacJPj6H845F6sCOTSq86YVEg2vBtP8L+h8hG8w@mail.gmail.com>
Here’s the article https://www.bbc.com/news/articles/ckgnz8rw1xgo And I can set you up with a did:webvh on bradpitt.xyz for real cheap 😉 Brian On Sat, Jan 25, 2025 at 7:46 AM Manu Sporny <msporny@digitalbazaar.com> wrote: > On Sat, Jan 25, 2025 at 2:14 AM steve capell <steve.capell@gmail.com> > wrote: > > Lots of interesting posts on this topic that I’ve enjoyed reading. > > Yes, this has been a good thread; thought around this topic has > matured over the past several years. Of the comments made, the ones > that Daniel, Wayne, and Harrison's made around the solution being use > case specific resonate the most. > > That said, our community didn't go through all this trouble of > creating DIDs and VCs to re-establish centralized trust registries and > re-entrench rent seeking behaviour. > > That is what concerns me with some of the "just use a Certificate > Authority!" responses. No, that shouldn't be the default answer. In > many cases, what you're talking about is a curated list of DIDs, and > there doesn't need to be a single curator of that list. The closer we > get to a single curator model, the higher the chances of rent seeking > behaviour by that curator. There are some traditional PKI models that > are exceedingly difficult to be a part of with high fees associated > with participating that are then used as competitive barriers. If we > fall back into that model, which is easy to do, then we've not really > improved the state of the art. > > What Daniel said about this being just another VC resonates deeply. If > you have a DID for an entity, and there is a way to look up more about > that entity (such as did:webvh's /whois endpoint), then all you need > is: > > 1. A list of DIDs or CIDs that you or some set of authorities have created. > 2. Optionally, a /whois like service to pull VCs about those DIDs. > > Most importantly, the verifier software in the ecosystem needs to be > able to make the decision of who to trust, and augment that list, at > the verifier instance level. > > Don't make the mistake of assuming that this is "Just the Certificate > Authority problem all over again."... because it's not, these DID/VC > ecosystems are far more decentralized than what we (broadly) tend to > use CAs and PKI for, which is global trust. The management of > traditional CAs and PKIs can be eye-wateringly expensive. We don't > have to make every solution for the DID/VC space have the same flaws; > it will be difficult to keep the community from falling into that same > trap due to the monied interests that are involved. > > At the risk of oversimplifying: Why can't we just start with a list of > DIDs that a verifier software trusts and configure it locally? You > build that list yourself, you get that list from an authority you > trust, or a combination of the two. What doesn't scale with that > approach? > > -- manu > > PS: I'd also like to join Wayne in asking again: What's the going > market rate for a Brad Pitt DID, and can you please link to that > article about the fake French Brad Pitt boyfriend? Clearly, we need to > add "Defending Against Fake Brad Pitts" to the threat model. :P > > -- > Manu Sporny - https://www.linkedin.com/in/manusporny/ > Founder/CEO - Digital Bazaar, Inc. > https://www.digitalbazaar.com/ > >
Received on Saturday, 25 January 2025 16:05:20 UTC