Re: [EXT] Current solutions to prove an issuer is who they claim they are

Again, all of this seems abstract to me. Let me propose another practical
use case and ask the experts how we envision the solution…

Let’s say Adrian now has five Apple devices linked to my biometrics,
identity and related bank accounts with Apple. These are:
- iPhone
- MacBook Pro
- iPad
- Apple Watch, and
- AirPods

Particularly as I face the prospect of agentic AI and then digital twins, I
hope to avoid being locked-in to Apple’s walled garden. I don’t want to
give up the advanced chip and other hardware benefits of Apple’s scale but
I want either through market forces or regulation to get the opportunity to
use non-Apple hardware in one or another of these five roles.

Note that I have avoided “trust” as part of the use-case description. Also,
I’m looking for insights that are not just focused on standards and trust
ecosystems we wish we had but also on EU or US regulations we might
advocate for to go along with the standards and ecosystems.

- Adrian

On Sun, Jan 26, 2025 at 6:49 PM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On Sat, Jan 25, 2025 at 11:18 PM Steve Capell <steve.capell@gmail.com>
> wrote:
> > Let me just offer an answer to “Why can't we just start with a list of
> > DIDs that a verifier software trusts and configure it locally?”
> >
> > In many cases that could be perfectly satisfactory - but there are
> > several important use cases where it is not practical or scalable.
>
> I agree with most everything you said, Steve. To clarify, I'm not
> saying that centralized registries are not useful. I'm saying that not
> focusing on the things that Daniel highlighted could end up putting us
> in the same place we are today (with centralization being the only
> real option). While centralized registries do solve a number of
> important use cases, they don't address many of the use cases that
> this community cares about.
>
> What I don't want to see is us saying: Welp, X509 and the Certificate
> Authority approach solved these problems years ago, let's just re-use
> that ... because while it might be technically possible to deploy X509
> in a more decentralized way, I've never seen it work out in practice
> at scale. Centralization and high cost of operation define many X509
> deployments; there are all these certification requirements that kick
> in that ramp up the costs for running your PKI. Now, in a fair number
> of cases, that cost of operation and high bar is justified... but that
> limits entrants into any trust registry that adopts the same high bar.
>
> Ultimately, you (or someone you trust) configure a piece of software
> to trust other pieces of software. Sure, that software will be able to
> point to centralized trust registries that have lists of DIDs...
> however, if you cannot also add to that list, and still have a high
> level of assurance, then we will have failed.
>
> Some might say that this is analogous to adding a Certificate
> Authority to your browser list, and there is some truth to that.
> However, CAs tend to be too abstract for most people to grasp. "Do you
> want to trust StartCom certificates?" ... sure, I guess so?
>
> Take that case, versus connecting with a neighbor: "Jane Smith who
> lives at 123 Main Street wants to connect with you. She has verified
> her name and address using a government-issued ID card (centralized
> trust registry), do you want to add her to your address book?
> (decentralized identifier provided)."
>
> The parentheticals show how I would hope we'd blend these trust
> registries... the first registry has high assurance over identity...
> the second registry addition could be a pairwise identifier (DID)
> between you and Jane. Some of this is old news to a number of us on
> the list, but some of the newer people to the community might not be
> aware of this distinction, which is why I raise it.
>
> Yes, the world will have centralized trust registries, and local trust
> registries, operated by large and small organizations... but we should
> keep our eye on the prize, which is enabling individuals to be able to
> safely (and affordably) mix and match these trust registries, adding
> their own local trust registry to their software.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
>
>

Received on Sunday, 26 January 2025 19:52:18 UTC