- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sun, 26 Jan 2025 11:46:45 -0500
- To: Steve Capell <steve.capell@gmail.com>
- Cc: Drummond Reed <Drummond.Reed@gendigital.com>, Michael Burchill <mburchil@gmail.com>, W3C Credentials CG <public-credentials@w3.org>
On Sat, Jan 25, 2025 at 11:18 PM Steve Capell <steve.capell@gmail.com> wrote:
> Let me just offer an answer to "Why can't we just start with a list of DIDs that a verifier software trusts and configure it locally?"
>
> In many cases that could be perfectly satisfactory - but there are several important use cases where it is not practical or scalable.

I agree with most everything you said, Steve. To clarify, I'm not saying that centralized registries are not useful. I'm saying that not focusing on the things that Daniel highlighted could end up putting us in the same place we are today (with centralization being the only real option). While centralized registries do solve a number of important use cases, they don't address many of the use cases that this community cares about.

What I don't want to see is us saying: "Welp, X509 and the Certificate Authority approach solved these problems years ago, let's just re-use that" ... because while it might be technically possible to deploy X509 in a more decentralized way, I've never seen it work out in practice at scale. Centralization and high cost of operation define many X509 deployments; there are all these certification requirements that kick in that ramp up the costs for running your PKI. Now, in a fair number of cases, that cost of operation and high bar is justified... but that limits entrants into any trust registry that adopts the same high bar.

Ultimately, you (or someone you trust) configure a piece of software to trust other pieces of software. Sure, that software will be able to point to centralized trust registries that have lists of DIDs... however, if you cannot also add to that list, and still have a high level of assurance, then we will have failed.

Some might say that this is analogous to adding a Certificate Authority to your browser list, and there is some truth to that. However, CAs tend to be too abstract for most people to grasp. "Do you want to trust StartCom certificates?" ... sure, I guess so?

Take that case, versus connecting with a neighbor: "Jane Smith who lives at 123 Main Street wants to connect with you. She has verified her name and address using a government-issued ID card (centralized trust registry), do you want to add her to your address book? (decentralized identifier provided)."

The parentheticals show how I would hope we'd blend these trust registries... the first registry has high assurance over identity... the second registry addition could be a pairwise identifier (DID) between you and Jane.

Some of this is old news to a number of us on the list, but some of the newer people to the community might not be aware of this distinction, which is why I raise it.

Yes, the world will have centralized trust registries, and local trust registries, operated by large and small organizations... but we should keep our eye on the prize, which is enabling individuals to be able to safely (and affordably) mix and match these trust registries, adding their own local trust registry to their software.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/
Received on Sunday, 26 January 2025 16:47:25 UTC
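The "Jane Smith" exchange above describes a verifier that consults a high-assurance centralized registry and then records a pairwise DID in a local registry the user controls. The following is an added, self-contained example of that blending; it is not code from the message, from Digital Bazaar or from the W3C Credentials CG. The registry layout, the assurance labels, the DIDs (`did:web:dmv.example`, `did:key:zJanePairwise`), the request shape and the demo data are all invented for illustration, and credential signature verification is out of scope here, represented by a boolean the caller supplies.

```python
"""Blending a read-only centralized trust registry with a writable local one.

Everything here is constructed for illustration: registry names, DIDs,
assurance labels and the introduction-request format are assumptions, not a
specification. Signature checking of the presented credential is assumed to
have been done by the caller and is passed in as `signature_valid`.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TrustEntry:
    did: str
    subject: str                    # who the entry claims the DID belongs to
    assurance: str                  # "government-id" or "pairwise-introduction" (assumed labels)
    source: str                     # name of the registry that holds the entry
    vouched_by: Optional[str] = None  # DID of the issuer whose credential anchored a local add


class TrustRegistry:
    """A named list of trusted DIDs. Centralized lists are read-only to the user."""

    def __init__(self, name: str, writable: bool, entries: Optional[List[TrustEntry]] = None):
        self.name = name
        self.writable = writable
        self._entries: Dict[str, TrustEntry] = {e.did: e for e in (entries or [])}

    def lookup(self, did: str) -> Optional[TrustEntry]:
        return self._entries.get(did)

    def add(self, entry: TrustEntry) -> None:
        if not self.writable:
            raise PermissionError(f"registry {self.name!r} is read-only")
        if entry.did in self._entries:
            raise ValueError(f"{entry.did} is already present in {self.name!r}")
        self._entries[entry.did] = entry


class Verifier:
    """Resolves DIDs against registries in order; the first registry with a hit wins."""

    def __init__(self, registries: List[TrustRegistry]):
        self.registries = registries

    def resolve(self, did: str) -> Optional[TrustEntry]:
        for registry in self.registries:
            hit = registry.lookup(did)
            if hit is not None:
                return hit
        return None

    def accept_introduction(self, request: dict, signature_valid: bool) -> TrustEntry:
        """Add a neighbour's pairwise DID locally, anchored on a trusted ID issuer.

        The high-assurance step (who issued the ID credential) is answered by
        whichever registry knows the issuer; the low-cost step (remembering
        Jane's pairwise DID) lands in the first writable registry.
        """
        if not signature_valid:
            raise ValueError("credential signature did not verify; refusing introduction")
        issuer = self.resolve(request["issuer_did"])
        if issuer is None:
            raise ValueError(f"issuer {request['issuer_did']} is in no trusted registry")
        if issuer.assurance != "government-id":
            raise ValueError(f"issuer {issuer.did} is trusted, but not for identity proofing")
        if self.resolve(request["pairwise_did"]) is not None:
            raise ValueError(f"pairwise DID {request['pairwise_did']} is already known")
        local = next((r for r in self.registries if r.writable), None)
        if local is None:
            raise PermissionError("no writable registry configured; cannot add to the list")
        entry = TrustEntry(
            did=request["pairwise_did"],
            subject=f"{request['name']}, {request['address']}",
            assurance="pairwise-introduction",
            source=local.name,
            vouched_by=issuer.did,
        )
        local.add(entry)
        return entry


# Constructed demo data (not real DIDs or organisations).
GOV_ID_ISSUER = "did:web:dmv.example"
JANE_REQUEST = {
    "name": "Jane Smith",
    "address": "123 Main Street",
    "pairwise_did": "did:key:zJanePairwise",   # identifier Jane minted just for this relationship
    "issuer_did": GOV_ID_ISSUER,               # issuer of the ID credential she presented
}


def build_demo_verifier() -> Verifier:
    """A verifier with one read-only centralized registry and one empty local one."""
    centralized = TrustRegistry(
        "centralized", writable=False,
        entries=[TrustEntry(GOV_ID_ISSUER, "Example State DMV", "government-id", "centralized")],
    )
    local = TrustRegistry("local", writable=True)
    return Verifier([centralized, local])


if __name__ == "__main__":
    verifier = build_demo_verifier()
    print(verifier.resolve(JANE_REQUEST["pairwise_did"]))            # None: Jane is unknown so far
    print(verifier.accept_introduction(JANE_REQUEST, signature_valid=True))
    print(verifier.resolve(JANE_REQUEST["pairwise_did"]))            # now found in "local"
```

Registry order is policy: listing the centralized registry first means a local entry can never shadow an issuer the centralized list already knows, while the local registry is the only one the user can extend. Rejecting an introduction whose issuer is trusted for something other than identity proofing is the check that keeps "trusted" from collapsing into a single yes/no bit.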