- From: Andrew Hughes <andrewhughes3000@gmail.com>
- Date: Sat, 7 Jun 2025 20:46:33 -0700
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: public-credentials@w3.org
- Message-ID: <CAGJp9UY2KnfBserm6yY6hMkg1h2E2_2_SCU4KJt2R+_3o3MTBQ@mail.gmail.com>
Is anyone here fighting the good fight against over-identification? There’s a tiny glimmer of it in these threads - laws are changing to require authenticated internet access, with the presumption that government ID must be shown to get at more and more of the internet that used to be open and free. Age verification prior to access is the not-so-thin end of the wedge that leads further into the dystopia. Why do people assume that presentation of government ID like mDL will be a prerequisite for access? Isn’t that the major threat we all face? Andrew Hughes CISM m +1 250.888.9474 AndrewHughes3000@gmail.com https://www.linkedin.com/in/andrew-hughes-682058a On Sat, Jun 7, 2025 at 5:28 PM Manu Sporny <msporny@digitalbazaar.com> wrote: > On Thu, Jun 5, 2025 at 12:05 PM Andrew Hughes > <andrewhughes3000@gmail.com> wrote: > > This manifested itself as the principle that Readers should be able to > handle whatever mDL/mdoc showed up for verification. > > Then the ISO mDL WG optimized for vendor convenience over civil > liberties, which was (and still is) a terrible idea. > > Before going further, I'll note for those that don't know, that I've > known Andrew for a long time and think highly of him and respect him. > He's always tried to explain the motivations of the closed door > sessions in the ISO mDL WG to the vast majority of us that don't have > access, and for that we are thankful. > > There is, however, a part of this narrative that I find objectionable, > so please allow me to provide an alternate perspective. > > > Some people have chosen to criticize the motivations of people working > in the ISO WG - this is not only offensive, but very hurtful and not > conducive to collaboration > > If an authoritarian government flips the server retrieval switch, > it'll be people's lives at stake, not some technologist's feelings. > Please treat this seriously, Andrew, and let the ISO WG know to take > it seriously as well. > > What you are seeing is a step-up of efforts; the world is calling the > ISO mDL WG out (as well as any other WG that thinks that latent server > retrieval is a good idea). Look at the list of signatories to the "No > Phone Home" website: > > https://nophonehome.com/ > > These are global experts in privacy, civil liberties, cryptography, > and technological architecture. They're all sounding the alarm, > because years of efforts to suggest changes to ISO mDL have not had > the effect on the ISO mDL WG that we would have liked to see. > > > Generally, around the ISO WG table, we "don't like" server retrieval - > sure that means absolutely nothing in the real world, but it's true. > > Well, yes, those are hollow words. Those notions mean absolutely > nothing in practice because, despite the ISO mDL WG generally thinking > that server retrieval is a bad idea, it exists; to be toggled on and > off as a matter of policy. > > > This manifested itself as the principle that Readers should be able to > handle whatever mDL/mdoc showed up for verification. > > On the one hand it's optional, and on the other hand, you have to > implement it to handle whatever shows up for verification. Some are > saying they won't implement it, but it's not those folks we're worried > about -- we're worried about the ones that do implement it (because > they're the ones that are going to win the contract with the > government). > > > However, ISO truly has stakeholders from around the world, and has to > accommodate a wide range of requirements. There are real world requirements > for OpenID Connect style and other server retrieval / federated access > models - which have been pejoratively labelled "phone home". > > W3C also has global stakeholders, and if we tried to put something > like mDL server retrieval in the W3C VC specification, we would have > been formally objected into oblivion (and rightly so). This is why W3C > puts such a focus on WG transparency, horizontal review, public > review, and the formal objection process... but that's all a bit > beside the point. > > If the general feeling in the ISO mDL WG is that server retrieval is a > bad idea, and that there are better alternatives that don't contact > the issuer directly to receive the digital credential, then remove the > feature. You don't have to wait since it's been asserted that no one > has implemented it. Furthermore, if no one has implemented it, that's > a perfect reason to remove the feature. Again, at W3C, that feature > would have never survived its way to publication if no one implemented > it. > > None of us are "trying to kill mDL", as has been exaggerated on some > of the more heated social media threads about this topic -- we're > asking for server retrieval to be removed. That's it. Since you agree > with us, let us help you do it; how can we help? > > -- manu > > -- > Manu Sporny - https://www.linkedin.com/in/manusporny/ > Founder/CEO - Digital Bazaar, Inc. > https://www.digitalbazaar.com/ > >
Received on Sunday, 8 June 2025 03:46:49 UTC