Re: No Phone Home statement by ACLU, EFF, Brave, CDT, etc.

On Thu, Jun 5, 2025 at 12:05 PM Andrew Hughes
<andrewhughes3000@gmail.com> wrote:
> This manifested itself as the principle that Readers should be able to handle whatever mDL/mdoc showed up for verification.

Then the ISO mDL WG optimized for vendor convenience over civil
liberties, which was (and still is) a terrible idea.

Before going further, I'll note for those that don't know, that I've
known Andrew for a long time and think highly of him and respect him.
He's always tried to explain the motivations of the closed door
sessions in the ISO mDL WG to the vast majority of us that don't have
access, and for that we are thankful.

There is, however, a part of this narrative that I find objectionable,
so please allow me to provide an alternate perspective.

> Some people have chosen to criticize the motivations of people working in the ISO WG - this is not only offensive, but very hurtful and not conducive to collaboration

If an authoritarian government flips the server retrieval switch,
it'll be people's lives at stake, not some technologist's feelings.
Please treat this seriously, Andrew, and let the ISO WG know to take
it seriously as well.

What you are seeing is a step-up of efforts; the world is calling the
ISO mDL WG out (as well as any other WG that thinks that latent server
retrieval is a good idea). Look at the list of signatories to the "No
Phone Home" website:

https://nophonehome.com/

These are global experts in privacy, civil liberties, cryptography,
and technological architecture. They're all sounding the alarm,
because years of efforts to suggest changes to ISO mDL have not had
the effect on the ISO mDL WG that we would have liked to see.

> Generally, around the ISO WG table, we "don't like" server retrieval - sure that means absolutely nothing in the real world, but it's true.

Well, yes, those are hollow words. Those notions mean absolutely
nothing in practice because, despite the ISO mDL WG generally thinking
that server retrieval is a bad idea, it exists, to be toggled on and
off as a matter of policy.

> This manifested itself as the principle that Readers should be able to handle whatever mDL/mdoc showed up for verification.

On the one hand it's optional, and on the other hand, you have to
implement it to handle whatever shows up for verification. Some are
saying they won't implement it, but it's not those folks we're worried
about -- we're worried about the ones that do implement it (because
they're the ones that are going to win the contract with the
government).

> However, ISO truly has stakeholders from around the world, and has to accommodate a wide range of requirements. There are real world requirements for OpenID Connect style and other server retrieval / federated access models - which have been pejoratively labelled "phone home".

W3C also has global stakeholders, and if we tried to put something
like mDL server retrieval in the W3C VC specification, we would have
been formally objected into oblivion (and rightly so). This is why W3C
puts such a focus on WG transparency, horizontal review, public
review, and the formal objection process... but that's all a bit
beside the point.

If the general feeling in the ISO mDL WG is that server retrieval is a
bad idea, and that there are better alternatives that don't contact
the issuer directly to receive the digital credential, then remove the
feature. You don't have to wait since it's been asserted that no one
has implemented it. Furthermore, if no one has implemented it, that's
a perfect reason to remove the feature. Again, at W3C, that feature
would have never survived its way to publication if no one implemented
it.

None of us are "trying to kill mDL", as has been exaggerated on some
of the more heated social media threads about this topic -- we're
asking for server retrieval to be removed. That's it. Since you agree
with us, let us help you do it; how can we help?

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Sunday, 8 June 2025 00:24:46 UTC