- From: Drummond Reed <Drummond.Reed@gendigital.com>
- Date: Sun, 26 Jan 2025 02:17:17 +0000
- To: Michael Burchill <mburchil@gmail.com>, Manu Sporny <msporny@digitalbazaar.com>
- CC: W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <DM6PR13MB3131B21685BC495C2E795A4D9DED2@DM6PR13MB3131.namprd13.prod.outlook.com>
Clear back in 2017, when SSI first started to become “a thing”, it always brought the question, “But how will you trust a VC? Who would be the trust roots?” Our high-level answer was, “Well, with DIDs, we can finally have decentralized PKI!” Only none of us really knew what DPKI would look like. We just knew we’d have to build it. But until we had actual working VCs and digital wallets to put them in, it was not a priority. Now, with whole nations starting to build digital wallets and VCs, it’s finally becoming a priority. And I personally love the answer, “It’s DIDs all the way down.” Because that means the most important question becomes, “Where do you start?” With DPKI, that answer is: “With you! With whatever set of DIDs you personally trust.” That 100% supports Manu’s answer, “Why can't we just start with a list of DIDs that a verifier software trusts and configure it locally?” Earlier in this thread, Steve Capell proposed that those DIDs fell into two broad categories: 1. Very well-known government-run trust lists (i.e., much like current conventional PKI). • “top-down”, most centralized 2. Local P2P trust models based on eigenvector<https://en.wikipedia.org/wiki/Eigenvector_centrality>-style analysis of adjacent trust graphs • “bottom-up”, most decentralized I agree with Steve about both of those categories. But I think there’s a third — a “middle way” — that for DPKI will be at least as important—and potentially more important—than the other two. Call it the “ecosystem model” because it’s based on the same organic model as real-world ecosystems, only applied to digital trust ecosystems<https://glossary.trustoverip.org/#term:digital-trust-ecosystem>. The ecosystem model is described in this Ayra white paper<https://ayra.forum/ayra-ecosystem-of-ecosystems-whitepaper/>. But the key point for this discussion is how it fits architecturally with Steve’s other two categories. Here’s simple way to put it: 1. ~10,000 = Estimated number of very well-known government-run trust lists (rounding up from Steve Capell’s estimate of “a few thousand”). 2. 10,000,000 = Potential number of digital trust ecosystems (in a mature world of digital wallets and VCs) 3. 8,000,000,000 = Potential of individual P2P DID trust list starting points I want to emphasize that this middle ground of digital trust ecosystems does NOT compete with either end — the top-down model or the bottom-up model. None of these are mutually exclusive. Rather the ecosystem model makes both the top-down and bottom-up models better. It’s the “glue” in the middle. Anyway, consider all of this as a preface to the talk about Ayra that several of us from the Ayra team will be giving on the CCG call on Feb 4. =Drummond (who loves Brad Pitt, but right now is off to see Adrian Brody in The Brutalist). From: Michael Burchill <mburchil@gmail.com> Date: Saturday, January 25, 2025 at 5:17 PM To: Manu Sporny <msporny@digitalbazaar.com> Cc: W3C Credentials CG <public-credentials@w3.org> Subject: Re: [EXT] Current solutions to prove an issuer is who they claim they are This has been a very good thread, in fact this is the first time I’ve wanted to contribute. At the risk of oversimplifying: Why can't we just start with a list of DIDs that a verifier software trusts and configure it locally? You build that list yourself, you get that list from an authority you trust, or a combination of the two. What doesn't scale with that approach? I don’t think this is an oversimplification; this approach covers many use cases that VCs could be solving right now. Since mid-2024, trust has been top of mind for the clients I am interacting with. Two things are clear: · Depending on the use case, there may be a need for external, centrally managed trust registries. · Many private entities would prefer to keep control over the majority of their trust relationships to avoid the nightmare that certificates and certificate authorities have created for them. So far, what this community has created is very much in the spirit of an open, decentralized, and accessible internet. I don’t think we should discourage centralized trust registries. If they provide value, then they’re justified. However, it’s not something we should be forcing down people’s throats. Let’s not give new names to old problems. PS: I'd also like to join Wayne in asking again: What's the going market rate for a Brad Pitt DID, and can you please link to that article about the fake French Brad Pitt boyfriend? Clearly, we need to add "Defending Against Fake Brad Pitts" to the threat model. :P I think George Clooney already has the Brad Pitt DID. regards, Michael Burchill
Received on Sunday, 26 January 2025 02:17:24 UTC