- From: David Chadwick <d.w.chadwick@truetrust.co.uk>
- Date: Sun, 26 Jan 2025 11:05:33 +1300
- To: public-credentials@w3.org
- Message-ID: <79510a0e-b4b7-4ec6-8ad4-62783197b0e3@truetrust.co.uk>

Surely you remember PGP and its model for decentralised trust. Unfortunately it did not work. Why Johnny Can't Encrypt is a good read for those new to this topic.

Kind regards

David

On 26/01/2025 04:44, Manu Sporny wrote:
> On Sat, Jan 25, 2025 at 2:14 AM steve capell <steve.capell@gmail.com> wrote:
>> Lots of interesting posts on this topic that I’ve enjoyed reading.
> Yes, this has been a good thread; thought around this topic has
> matured over the past several years. Of the comments made, the ones
> that Daniel, Wayne, and Harrison made around the solution being use
> case specific resonate the most.
>
> That said, our community didn't go through all this trouble of
> creating DIDs and VCs to re-establish centralized trust registries and
> re-entrench rent seeking behaviour.
>
> That is what concerns me with some of the "just use a Certificate
> Authority!" responses. No, that shouldn't be the default answer. In
> many cases, what you're talking about is a curated list of DIDs, and
> there doesn't need to be a single curator of that list. The closer we
> get to a single curator model, the higher the chances of rent seeking
> behaviour by that curator. There are some traditional PKI models that
> are exceedingly difficult to be a part of with high fees associated
> with participating that are then used as competitive barriers. If we
> fall back into that model, which is easy to do, then we've not really
> improved the state of the art.
>
> What Daniel said about this being just another VC resonates deeply. If
> you have a DID for an entity, and there is a way to look up more about
> that entity (such as did:webvh's /whois endpoint), then all you need
> is:
>
> 1. A list of DIDs or CIDs that you or some set of authorities have created.
> 2. Optionally, a /whois like service to pull VCs about those DIDs.
>
> Most importantly, the verifier software in the ecosystem needs to be
> able to make the decision of who to trust, and augment that list, at
> the verifier instance level.
>
> Don't make the mistake of assuming that this is "Just the Certificate
> Authority problem all over again."... because it's not, these DID/VC
> ecosystems are far more decentralized than what we (broadly) tend to
> use CAs and PKI for, which is global trust. The management of
> traditional CAs and PKIs can be eye-wateringly expensive. We don't
> have to make every solution for the DID/VC space have the same flaws;
> it will be difficult to keep the community from falling into that same
> trap due to the monied interests that are involved.
>
> At the risk of oversimplifying: Why can't we just start with a list of
> DIDs that a verifier software trusts and configure it locally? You
> build that list yourself, you get that list from an authority you
> trust, or a combination of the two. What doesn't scale with that
> approach?
>
> -- manu
>
> PS: I'd also like to join Wayne in asking again: What's the going
> market rate for a Brad Pitt DID, and can you please link to that
> article about the fake French Brad Pitt boyfriend? Clearly, we need to
> add "Defending Against Fake Brad Pitts" to the threat model. :P

Received on Saturday, 25 January 2025 22:05:42 UTC
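
An added example, not part of the original thread or any project's code: a sketch of the locally configured trust list described in the quoted message, where a verifier instance combines its own list of DIDs with lists from several curators and keeps the final decision local. All names (`VerifierTrustPolicy`, `base_did`, the curator labels), the `min_curators` quorum setting and the `did:example:` identifiers are assumptions constructed for illustration; signature verification of the credential and of any fetched list is assumed to happen elsewhere.

```python
from dataclasses import dataclass, field

def base_did(did_url: str) -> str:
    """Reduce a DID URL (did:method:id/path?query#fragment) to its bare DID."""
    did = did_url
    for sep in ("#", "?", "/"):
        did = did.split(sep, 1)[0]
    parts = did.split(":", 2)
    if len(parts) != 3 or parts[0] != "did" or not all(parts[1:]):
        raise ValueError(f"not a DID: {did_url!r}")
    return did

@dataclass
class VerifierTrustPolicy:
    local_trusted: set = field(default_factory=set)  # DIDs this operator added
    local_blocked: set = field(default_factory=set)  # local override, always wins
    curated: dict = field(default_factory=dict)      # curator name -> set of DIDs
    min_curators: int = 1                            # assumed quorum setting

    def __post_init__(self):
        if self.min_curators < 1:
            raise ValueError("min_curators must be at least 1")

    def decide(self, issuer: str):
        """Return (trusted, reason) for the issuer of an already-verified VC."""
        try:
            did = base_did(issuer)
        except ValueError:
            return False, "malformed issuer"
        if did in self.local_blocked:
            return False, "blocked locally"
        if did in self.local_trusted:
            return True, "trusted locally"
        vouchers = sorted(n for n, dids in self.curated.items() if did in dids)
        if len(vouchers) >= self.min_curators:
            return True, "listed by " + ", ".join(vouchers)
        return False, f"listed by {len(vouchers)} of required {self.min_curators} curators"

# Constructed sample configuration: two curators, one local allow, one local block.
POLICY = VerifierTrustPolicy(
    local_trusted={"did:example:university-a"},
    local_blocked={"did:example:revoked-lab"},
    curated={"ministry": {"did:example:university-b", "did:example:revoked-lab"},
             "consortium": {"did:example:university-b", "did:example:college-c"}},
    min_curators=2,
)

if __name__ == "__main__":
    for issuer in ("did:example:university-a#key-1", "did:example:university-b",
                   "did:example:college-c", "did:example:revoked-lab"):
        print(issuer, POLICY.decide(issuer))
```
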