- From: Will Abramson <will@legreq.com>
- Date: Fri, 18 Jul 2025 10:11:06 +0100
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: Filip Kolarik <filip26@gmail.com>, Steve Capell <steve.capell@gmail.com>, Benjamin Young <byoung@digitalbazaar.com>, Adrian Gropper <agropper@healthurl.com>, Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CAPJWd2S0uEwaUDKnvhAG-xvPYbLPSuD0z9UzpgLSa_wHRkY0ZA@mail.gmail.com>
That's fair,
But even when swapping SIM cards there is an option to keep your number. In
the UK at least.
On Fri, Jul 18, 2025, 09:59 Melvin Carvalho <melvincarvalho@gmail.com>
wrote:
>
>
> On Fri, 18 Jul 2025 at 10:26, Will Abramson <will@legreq.com> wrote:
>
>> Apologies, I have not fully digested this thread.
>>
>> But I just wanted to say I find "pubkey as name" to be a pretty
>> suboptimal solution.
>>
>> People lose or want to change their keys regularly. I mean who all here
>> has lost their house keys right.
>>
>> Thing is I lose my house keys, I don't lose my house. Same here, I should
>> be able to change or lose my keys without losing my name.
>>
>> That is a big part of what DIDs are all about.
>>
>
> I think the argument is something of a strawman.
>
> Nobody uses DIDs to lock their house.
>
> On nostr, millions of users already rely on key-pairs for identity.
>
> There are several competing revocation options, and while the community
> hasn’t settled on one yet, they’re all compatible with did:nostr
>
> There’s still work to do, but instead of “moving house,” a better analogy
> is simply swapping SIM cards
>
>
>>
>> Thanks,
>> Will
>>
>> On Fri, Jul 18, 2025, 07:22 Melvin Carvalho <melvincarvalho@gmail.com>
>> wrote:
>>
>>>
>>>
>>> On Thu, 17 Jul 2025 at 23:35, Filip Kolarik <filip26@gmail.com>
>>> wrote:
>>>
>>>> On Thu, Jul 17, 2025 at 11:23 PM Steve Capell <steve.capell@gmail.com>
>>>> wrote:
>>>>
>>>>> I don’t see how dns is centralised. It’s a massively distributed
>>>>> lookup system technically. In a governance sense it empowers any beating
>>>>> heart to pick a domain name that isn’t already taken
>>>>>
>>>>
>>>> Technically, DNS is distributed, but governance is centralized. TLDs
>>>> are controlled by a small number of registries under government
>>>> jurisdiction. Recent domain bans and seizures (e.g. in Russia, Turkey, and
>>>> India) show how easily access can be revoked at the top. So yes, you can
>>>> pick a name, but you're still playing in someone else’s namespace.
>>>>
>>>
>>> There are open alternatives to DNS.
>>>
>>> The simplest way is to have a keypair. The user holds a private key,
>>> and then the public key becomes their "name" on the internet.
>>>
>>> Short names are another class of problems, and for that the key property
>>> is that it's a non-proprietary level playing field.
>>>
>>> There are some believers in the "zooko triangle" unproven thesis that
>>> short names are impossible, but in fact, all you need is a fair tie-breaker
>>> for two people that want the same short name. What did Zooko get wrong?
>>> He forgot about time, let people choose a name in time fairly, and then
>>> when two people choose the same name, the tie-breaker is which was earlier.
>>>
>>> I will implement these 2 strategies (pubkey as name, shortnames with
>>> tiebreaker) in addition to DNS, which I think gives users the choice and
>>> the best of all worlds.
>>>
>>>
>>>>
>>>> Best,
>>>> Filip, https://github.com/filip26
>>>>
>>>>
>>>>
>>>>>
>>>>> I must be missing something.
>>>>>
>>>>> On the other hand I’m deeply suspicious of anything that even smells
>>>>> like a blockchain. Private ledgers are tech vendor snake oil. Public
>>>>> ledgers are money laundering Ponzi schemes. Can’t see how they are
>>>>> anything but that.
>>>>>
>>>>> Steven Capell
>>>>> Mob: 0410 437854
>>>>>
>>>>> On 17 Jul 2025, at 11:12 pm, Benjamin Young <byoung@digitalbazaar.com>
>>>>> wrote:
>>>>>
>>>>>
>>>>> On Thu, Jul 17, 2025, 5:00 PM Steve Capell <steve.capell@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Anytime I hear anyone say anything like “Bitcoin is a good thing” it
>>>>>> makes me shudder and want to vomit. As far as I can tell it’s a monstrous
>>>>>> Ponzi scheme that is good for money laundering and not much else
>>>>>>
>>>>>> Why do we perceive did:web (or its improved variants like did:webvh)
>>>>>> as “centralised”? What could be more decentralised than the web? Certainly
>>>>>> not any distributed ledger
>>>>>>
>>>>>
>>>>> DNS (as deployed) is the centralizing component of what most people
>>>>> call "the Web". An HTML-based ecosystem that (de)references things with
>>>>> universal identifiers (URIs) and locators (URLs) doesn't necessarily have
>>>>> that same constraint.
>>>>>
>>>>> In so far as did:web and did:webvh also have a strong dependence on
>>>>> DNS...they would sadly be centralized.
>>>>>
>>>>> However, if they are protocol (beyond HTTP) and/or naming (beyond DNS)
>>>>> agnostic, then they would still have some level of decentralization.
>>>>>
>>>>> But...like the Web...their dominant "expression" would likely be
>>>>> centralized (or at least entangled with a centralized system).
>>>>>
>>>>> (Obviously ignoring mDNS, /etc/hosts, and other means of local naming
>>>>> or DNS overriding)
>>>>>
>>>>> That's my understanding, anyway.
>>>>>
>>>>> Cheers,
>>>>> Benjamin
>>>>>
>>>>>>
>>>>>>
>>>>>> Steven Capell
>>>>>> Mob: 0410 437854
>>>>>>
>>>>>> On 17 Jul 2025, at 10:41 pm, Melvin Carvalho <
>>>>>> melvincarvalho@gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, 17 Jul 2025 at 22:24, Adrian Gropper <
>>>>>> agropper@healthurl.com> wrote:
>>>>>>
>>>>>>> Nostr might be a good start for de-platforming social media on the
>>>>>>> basis of pseudonymity and relay-based discovery, but unless
>>>>>>> the architecture also supports untraceable payment the major surveillance
>>>>>>> platforms will persist.
>>>>>>>
>>>>>>
>>>>>> Nostr is tied to any payment system. But it is largely built by
>>>>>> people in the bitcoin community, so there have been some integrations with
>>>>>> bitcoin technologies, such as the lightning network.
>>>>>>
>>>>>> Innovation continues in this area. I think that integration with
>>>>>> Blockstream's Liquid [1] would be a good start.
>>>>>>
>>>>>> [1] https://blockstream.com/liquid/
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Adrian
>>>>>>>
>>>>>>> On Thu, Jul 17, 2025 at 3:58 PM Melvin Carvalho <
>>>>>>> melvincarvalho@gmail.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, 17 Jul 2025 at 21:38, Adrian Gropper <
>>>>>>>> agropper@healthurl.com> wrote:
>>>>>>>>
>>>>>>>>> It's clearly time for a new architecture. One that benefits from
>>>>>>>>> our experience with SSI as an anti-pattern that is too easily inverted or
>>>>>>>>> ignored.
>>>>>>>>>
>>>>>>>>> I would suggest an architecture that sees platforms for payment
>>>>>>>>> and social media as the problem instead of focusing on identity. An
>>>>>>>>> architecture that, like cash and geocaches, defaults to anonymity by design.
>>>>>>>>>
>>>>>>>>> I would also suggest an architecture that ignores licensed
>>>>>>>>> professionals and things. With the benefit of hindsight, the premise that
>>>>>>>>> identity standards must span licensing and supply chains seems inane.
>>>>>>>>>
>>>>>>>>
>>>>>>>> We have a fairly advanced ecosystem working on all these problems
>>>>>>>> over at Nostr, with several million users, and several thousand DAU.
>>>>>>>>
>>>>>>>> We also have a W3C Nostr Community Group [1] and have already begun
>>>>>>>> work on a did:nostr spec.
>>>>>>>>
>>>>>>>> [1] https://www.w3.org/community/nostr/
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Sorry,
>>>>>>>>> - Adrian
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Jul 16, 2025 at 3:59 AM Christopher Allen <
>>>>>>>>> ChristopherA@lifewithalacrity.com> wrote:
>>>>>>>>>
>>>>>>>>>> I have occasionally posted a link to one of my blog articles to
>>>>>>>>>> this group, but I thought this article deserved a broader discussion by our
>>>>>>>>>> CCG community, so I'm sharing here.
>>>>>>>>>>
>>>>>>>>>> The original article is at
>>>>>>>>>> https://www.blockchaincommons.com/musings/gdc25/
>>>>>>>>>>
>>>>>>>>>> -- Christopher Allen
>>>>>>>>>>
>>>>>>>>>> Musings of a Trust Architect: When Technical Standards Meet
>>>>>>>>>> Geopolitical Reality
>>>>>>>>>> Digital Identity, Sovereignty, and the Erosion of Foundational
>>>>>>>>>> Principles
>>>>>>>>>> By Christopher Allen <ChristopherA@LifeWithAlacrity.com>
>>>>>>>>>> 2025-07-15
>>>>>>>>>>
>>>>>>>>>> *Reflections on recent conversations about digital identity,
>>>>>>>>>> sovereignty, and the erosion of foundational principles*
>>>>>>>>>>
>>>>>>>>>> Echoes from Geneva
>>>>>>>>>>
>>>>>>>>>> I wasn't present at the [Global Digital Collaboration](
>>>>>>>>>> https://globaldigitalcollaboration.org/) conference (GDC25), but
>>>>>>>>>> the observations shared by colleagues who attended have crystallized some
>>>>>>>>>> issues I've been wrestling with for years. I should note there's a
>>>>>>>>>> selection bias here: I'm the author of the [10 principles of self-sovereign
>>>>>>>>>> identity](
>>>>>>>>>> https://github.com/WebOfTrustInfo/self-sovereign-identity/blob/master/self-sovereign-identity-principles.md),
>>>>>>>>>> so my community tends to have strong opinions about digital identity.
>>>>>>>>>> Still, when multiple trusted voices independently report similar concerns,
>>>>>>>>>> patterns emerge that are worth examining. And these weren't casual
>>>>>>>>>> observers sharing these concerns. They were seasoned practitioners who've
>>>>>>>>>> spent decades building identity infrastructure. Their collective unease
>>>>>>>>>> speaks to something deeper than technical disagreements.
>>>>>>>>>>
>>>>>>>>>> It's hard to boil the problems at GDC25 down to a single issue,
>>>>>>>>>> because they were so encompassing. For example, there was a pattern of
>>>>>>>>>> scheduling issues that undercut the community co-organizing goal of the
>>>>>>>>>> conference and seemed to particularly impact decentralized talks. One
>>>>>>>>>> session ended up in a small, hot room on the top floor that was hard to
>>>>>>>>>> find. (It was packed anyway!) Generally, the decentralized-centric talks
>>>>>>>>>> were in bad locations, they were short, they had restricted topics, or they
>>>>>>>>>> were shared with other panelists.
>>>>>>>>>>
>>>>>>>>>> I think that logistical shuffling of events may point out one of
>>>>>>>>>> the biggest issues: decentralized systems weren't given much respect. This
>>>>>>>>>> may be true generally. There may be lip service to decentralized systems,
>>>>>>>>>> but not deeper commitments. Its value isn't appreciated, so we're losing
>>>>>>>>>> its principles. Worse, I see the intent of decentralization being inverted:
>>>>>>>>>> where our goal is to give individuals independence and power by reducing
>>>>>>>>>> the control of centralized entities, we're often doing the opposite —
>>>>>>>>>> still in the name of decentralization.
>>>>>>>>>>
>>>>>>>>>> The Echo Chamber Paradox
>>>>>>>>>>
>>>>>>>>>> The problems at GDC25 remind me of Rebooting the Web of Trust
>>>>>>>>>> (RWOT) community discussions I've been following, which reiterate that this
>>>>>>>>>> is a larger issue. We debate the finer points of zero-knowledge proofs and
>>>>>>>>>> DID conformance while missing the forest for the trees. Case in point: the
>>>>>>>>>> recent emergence of "[`did:genuineid`](
>>>>>>>>>> https://genuinein.com/DIDMethod)" — a centralized
>>>>>>>>>> identifier system that fundamentally contradicts the "D" in DID.
>>>>>>>>>>
>>>>>>>>>> Obviously, decentralization is a threat to those who currently
>>>>>>>>>> hold power (whether they be governments, corporations, billionaires, or
>>>>>>>>>> others who hold any sort of power), because it tries to remove their
>>>>>>>>>> centralization (and therefore their power), to instead empower the
>>>>>>>>>> individual. But if we can't even maintain the semantic integrity of
>>>>>>>>>> "decentralized" within our own technical community, devoted to the ideal,
>>>>>>>>>> how can we fight for it in the larger world?
>>>>>>>>>>
>>>>>>>>>> The Corpocratic Complication
>>>>>>>>>>
>>>>>>>>>> GDC25 was held in Geneva, Switzerland. 30+ standards
>>>>>>>>>> organizations convened to discuss the future of digital identity.
>>>>>>>>>> Participants spanned the world from the United States to China. There was
>>>>>>>>>> the opportunity that GDC25 was going to be a truly international
>>>>>>>>>> conference. Indeed, Swiss presenters were there, and they spoke of privacy,
>>>>>>>>>> democratic involvement, and achieving public buy-in. It was exactly the
>>>>>>>>>> themes that we as decentralized technologists wanted to hear.
>>>>>>>>>>
>>>>>>>>>> But from what I've heard, things quickly degraded from that
>>>>>>>>>> ideal. Take the United States. The sole representative of the country as a
>>>>>>>>>> whole attended via teleconference. (He was the only presenter who did so!)
>>>>>>>>>> His talk was all about Real ID, framed as a response to 9/11 and rooted in
>>>>>>>>>> the Patriot Act. It lay somewhere between security-theatre and
>>>>>>>>>> identity-as-surveillance, and that's definitely not what we wanted to hear.
>>>>>>>>>> (The contrast between the US and Swiss presentations was apparently
>>>>>>>>>> jarring.)
>>>>>>>>>>
>>>>>>>>>> And with that representative only attending remotely, the United
>>>>>>>>>> States' real representatives ended up being Google and Apple, each
>>>>>>>>>> advancing their own corpocratic interests, not the interests of the people
>>>>>>>>>> we try to empower with decentralized identities.
>>>>>>>>>>
>>>>>>>>>> This isn't just an American problem. It's a symptom of a deeper
>>>>>>>>>> issue happening across our digital infrastructure. It's likely the heart of
>>>>>>>>>> the inversions of decentralized goals that we're seeing — and likely
>>>>>>>>>> why those logistical reshufflings occurred: to please the gold sponsors. In
>>>>>>>>>> fact, the conference sponsors tell the story: Google, Visa, Mastercard, and
>>>>>>>>>> Huawei were positioned as "leading organizations supporting the advancement
>>>>>>>>>> of wallets, credentials and trusted infrastructure in a manner of global
>>>>>>>>>> collaboration."
>>>>>>>>>>
>>>>>>>>>> While Huawei's presence demonstrates international diversity — a
>>>>>>>>>> Swiss conference bringing together Europe and Asia — it also raised
>>>>>>>>>> questions about whose vision of "trust" would ultimately prevail. When
>>>>>>>>>> payment platforms and surveillance-capable tech giants frame the future of
>>>>>>>>>> identity infrastructure, we shouldn't be surprised when the architecture
>>>>>>>>>> serves their interests first.
>>>>>>>>>>
>>>>>>>>>> This echoes my concerns from ["Has SSI Become Morally Bankrupt?"](
>>>>>>>>>> https://www.blockchaincommons.com/musings/musings-ssi-bankruptcy/).
>>>>>>>>>> We've allowed the narrative of self-sovereignty to be co-opted by the very
>>>>>>>>>> platforms it was meant to challenge. The technical standards exist, but
>>>>>>>>>> they're being implemented in ways that invert their original purpose. Even
>>>>>>>>>> [UNECE sessions acknowledged](
>>>>>>>>>> https://unece.org/trade/events/global-digital-collaboration-conference-international-trade-identity-across-borders)
>>>>>>>>>> the risk of "diluting the autonomy and decentralization that SSI is meant
>>>>>>>>>> to provide."
>>>>>>>>>>
>>>>>>>>>> The Sovereignty Shell Game
>>>>>>>>>>
>>>>>>>>>> Google was partnered with German Sparkasse on ZKP technology and
>>>>>>>>>> that revealed a specific example of this co-opting.
>>>>>>>>>>
>>>>>>>>>> Google's open-sourcing of its Zero-Knowledge Proof libraries,
>>>>>>>>>> announced July 3rd in partnership with Germany's network of public savings
>>>>>>>>>> banks, was positioned as supporting privacy in age verification. Yet as
>>>>>>>>>> [Carsten Stöcker pointed out](
>>>>>>>>>> https://www.linkedin.com/posts/dr-carsten-st%C3%B6cker-1145871_opening-up-zero-knowledge-proof-technology-activity-7348195852085067776-nKDB),
>>>>>>>>>> zero-knowledge doesn't mean zero-tracking when the entire stack runs
>>>>>>>>>> through platform intermediaries. Carsten noted that Google has "extensive
>>>>>>>>>> tracking practices across mobile devices, web platforms and advertising
>>>>>>>>>> infrastructure." Meanwhile, the Google Play API makes no promises that the
>>>>>>>>>> operations are protected from the rest of the OS.
>>>>>>>>>>
>>>>>>>>>> The Google ZKP libraries ("longfellow-sk") could be a great
>>>>>>>>>> [building block](
>>>>>>>>>> https://news.dyne.org/longfellow-zero-knowledge-google-zk/) for
>>>>>>>>>> truly user-centric systems, as they link Zero-Knowledge Proofs to legacy
>>>>>>>>>> cryptographic signature systems that are still mandatory for some hardware.
>>>>>>>>>> But they'd have to be detached from the rest of Google's technology stack.
>>>>>>>>>> Without that, there are too many questions. Could Google access some of the
>>>>>>>>>> knowledge supposedly protected by ZKPs? Could they link it to other data?
>>>>>>>>>> We have no idea.
>>>>>>>>>>
>>>>>>>>>> The European Union's eIDAS Regulation, set to take effect in
>>>>>>>>>> 2026, encourages Member States to integrate privacy-enhancing technologies
>>>>>>>>>> like ZKP into the European Digital Identity Wallet, but integration at the
>>>>>>>>>> platform level offers similar dangers and could again invert the very
>>>>>>>>>> privacy guarantees ZKP promises.
>>>>>>>>>>
>>>>>>>>>> Historical Echoes, Modern Inversions
>>>>>>>>>>
>>>>>>>>>> Identity technology's goals being inverted, so that identity
>>>>>>>>>> becomes a threat rather than a boon, isn't a new problem. In ["Echoes of
>>>>>>>>>> History"](
>>>>>>>>>> https://www.blockchaincommons.com/articles/echoes-history/), I
>>>>>>>>>> examined how the contrasting approaches of Lentz and Carmille during WWII
>>>>>>>>>> demonstrate the life-or-death importance of data minimization. Lentz's
>>>>>>>>>> comprehensive Dutch identity system enabled the Holocaust's efficiency;
>>>>>>>>>> Carmille's deliberate exclusion of religious data from French records saved
>>>>>>>>>> lives. Even when they're decentralized, today's digital identity systems
>>>>>>>>>> face the same fundamental questions: what data should we collect, what
>>>>>>>>>> should we reveal, and what should we refuse to record entirely?
>>>>>>>>>>
>>>>>>>>>> But we're adding a new layer of complexity. Not only must we
>>>>>>>>>> consider what data to collect, but who controls the infrastructure that
>>>>>>>>>> processes it. When Google partners with Sparkasse on "privacy-preserving"
>>>>>>>>>> age verification, when eIDAS mandates integration at the operating system
>>>>>>>>>> level, we're not just risking data collection: we're embedding it within
>>>>>>>>>> platforms whose business models depend on surveillance. Even if the data is
>>>>>>>>>> theoretically self-sovereign, the threat of data collected is still data
>>>>>>>>>> revealed — just as happened with Lentz's records.
>>>>>>>>>>
>>>>>>>>>> The European eIDAS framework, which I analyzed in a [follow-up
>>>>>>>>>> piece to "Echoes from History"](
>>>>>>>>>> https://www.blockchaincommons.com/articles/eidas/), shows how
>>>>>>>>>> even well-intentioned regulatory efforts can accelerate platform capture
>>>>>>>>>> when they mandate integration at the operating system level. As I wrote at
>>>>>>>>>> the time, a history of problematic EU legislation that had the best of
>>>>>>>>>> intentions but resulted in unintended consequences has laid the groundwork,
>>>>>>>>>> and now identity is straight in those crosshairs. One of the first, and most
>>>>>>>>>> obvious problems with eIDAS is the mandate "that web browsers accept
>>>>>>>>>> security certificates from individual member states and the EU can refuse
>>>>>>>>>> to revoke them even if they’re dangerous." There are many more — and
>>>>>>>>>> I'm not [the only voice](
>>>>>>>>>> https://news.dyne.org/the-problems-of-european-digital-identity/)
>>>>>>>>>> on eIDAS and EUDI issues.
>>>>>>>>>>
>>>>>>>>>> Supposedly self-sovereign certificates phoning home whenever
>>>>>>>>>> they're accessed is another recent threat that demonstrates best intentions
>>>>>>>>>> gone awry. This not only violates privacy, but it undercuts some of our
>>>>>>>>>> best arguments for self-sovereign control of credentials by returning
>>>>>>>>>> liability for data leaks to the issuer. The [No Phone Home](
>>>>>>>>>> https://www.blockchaincommons.com/news/No-Phone-Home/)
>>>>>>>>>> initiative that Blockchain Commons joined last month represents one attempt
>>>>>>>>>> to push back on that, but it feels like plugging holes in a dam that's
>>>>>>>>>> already cracking. It all does.
>>>>>>>>>>
>>>>>>>>>> The Builder's Dilemma
>>>>>>>>>>
>>>>>>>>>> What troubles me most is the split I see in our community. On one
>>>>>>>>>> side, technology purists build increasingly sophisticated protocols in
>>>>>>>>>> isolation from policy reality. On the other, pragmatists make compromise
>>>>>>>>>> after compromise until nothing remains of the original vision.
>>>>>>>>>>
>>>>>>>>>> The recent debates about [`did:web` conformance](
>>>>>>>>>> https://github.com/w3c-ccg/did-method-web) illustrate this
>>>>>>>>>> perfectly. Joe Andrieu correctly notes that `did:web` can't distinguish
>>>>>>>>>> between deactivation and non-existence — a fundamental security
>>>>>>>>>> boundary. Yet `did:web` remains essential to many implementation strategies
>>>>>>>>>> because it bridges the gap between ideals and adoption. It provides
>>>>>>>>>> developers and users with experience with DIDs, but in doing so undercuts
>>>>>>>>>> decentralized ideals for those users. We're caught between philosophical
>>>>>>>>>> purity and practical irrelevance.
>>>>>>>>>>
>>>>>>>>>> In my recent writings on [Values in Design](
>>>>>>>>>> https://www.blockchaincommons.com/musings/ValuesDesign/) and the
>>>>>>>>>> [Right to Transact](
>>>>>>>>>> https://www.blockchaincommons.com/musings/RightToTransact/),
>>>>>>>>>> I've tried to articulate what we're fighting for. But values without
>>>>>>>>>> implementation are just philosophy, and implementation without values is
>>>>>>>>>> just surrender.
>>>>>>>>>>
>>>>>>>>>> The Global Digital Collaboration highlighted this tension
>>>>>>>>>> perfectly. International progress on digital identity proceeds apace:
>>>>>>>>>> Europe, Singapore, and China all advance their frameworks, but there are
>>>>>>>>>> still essential issues that invert our fundamental goals in designing
>>>>>>>>>> self-sovereign systems. Meanwhile, the U.S. remains even more stalled, its
>>>>>>>>>> position represented only by the platforms that benefit from the status
>>>>>>>>>> quo. Alongside this, technical standards discussions proceed in isolation
>>>>>>>>>> from the policy, regulatory, and social frameworks that will determine
>>>>>>>>>> their real-world impact.
>>>>>>>>>>
>>>>>>>>>> Where Do We Go From Here?
>>>>>>>>>>
>>>>>>>>>> I find myself returning to first principles. When we designed
>>>>>>>>>> [TLS 1.0](https://datatracker.ietf.org/doc/html/rfc2246), we
>>>>>>>>>> understood that technical protocols encode power relationships. When we
>>>>>>>>>> established the [principles of self-sovereign identity](
>>>>>>>>>> https://github.com/WebOfTrustInfo/self-sovereign-identity/blob/master/self-sovereign-identity-principles.md),
>>>>>>>>>> we knew that architecture was politics. Ongoing battles, such as those
>>>>>>>>>> between Verifiable Credentials and ISO mDLs, between DIDComm and OpenID4VC,
>>>>>>>>>> demonstrate disagreements over these power relationships made visible in
>>>>>>>>>> technological discussions.
>>>>>>>>>>
>>>>>>>>>> The question now is whether we can reclaim our ideals before
>>>>>>>>>> they're completely inverted by the side of centralized power and controlled
>>>>>>>>>> architecture.
>>>>>>>>>>
>>>>>>>>>> The path forward requires bridging the gaps Geneva revealed:
>>>>>>>>>>
>>>>>>>>>> - Between corporate platform dominance and global digital
>>>>>>>>>> sovereignty
>>>>>>>>>> - Between the promise of decentralization and the reality of
>>>>>>>>>> recentralization
>>>>>>>>>> - Between technical standards and policy reality
>>>>>>>>>> - Between privacy absolutism and implementation pragmatism
>>>>>>>>>>
>>>>>>>>>> A Personal Note
>>>>>>>>>>
>>>>>>>>>> After three decades of building internet infrastructure, I've
>>>>>>>>>> learned that the most dangerous moment isn't when systems fail, it's when
>>>>>>>>>> they succeed in ways that invert their purpose. We built protocols for
>>>>>>>>>> human autonomy and watched them become instruments of platform control. We
>>>>>>>>>> created standards for decentralization and saw them twisted into new forms
>>>>>>>>>> of centralization.
>>>>>>>>>>
>>>>>>>>>> This conversation continues in private Signal groups, in
>>>>>>>>>> conference hallways, in the space between what we built and what we've
>>>>>>>>>> become. The [Atlantic Council warns](
>>>>>>>>>> https://dfrlab.org/2024/10/01/analysis-a-brave-new-reality-after-the-uns-global-digital-compact/)
>>>>>>>>>> of power centralizing "in ways that threaten the open and bottom-up
>>>>>>>>>> governance traditions of the internet." When critics from across the
>>>>>>>>>> geopolitical spectrum — from sovereignty advocates to digital rights
>>>>>>>>>> groups — all sense something amiss, it suggests a fundamental
>>>>>>>>>> architectural problem that transcends ideology.
>>>>>>>>>>
>>>>>>>>>> Perhaps it's time for a new architecture: one that acknowledges
>>>>>>>>>> these inversions and builds resistance into its very foundations.
>>>>>>>>>>
>>>>>>>>>> But that's a longer conversation for another day.
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> *Christopher Allen has been architecting trust systems for over
>>>>>>>>>> 30 years, from co-authoring TLS to establishing self-sovereign identity
>>>>>>>>>> principles. He currently works on alternative approaches to digital
>>>>>>>>>> identity through [Blockchain Commons](
>>>>>>>>>> https://www.blockchaincommons.com/).*
>>>>>>>>>>
>>>>>>>>>
Received on Friday, 18 July 2025 09:11:26 UTC