- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sat, 10 May 2025 17:57:46 -0400
- To: Alan Karp <alanhkarp@gmail.com>
- Cc: W3C Credentials CG <public-credentials@w3.org>
On Fri, May 2, 2025 at 5:17 PM Alan Karp <alanhkarp@gmail.com> wrote:
> I'm not sure your examples need a phone home. In your first and easiest case, the first responder needs to be able to prove the credential's legitimacy without phoning home in case communications are down.

Ah, it seems that I didn't include enough detail in my initial email. I'll try to fill in the gaps below:

All of this technology stuff is optional and secondary... people's lives matter first and foremost and first responders will do everything in their capacity to save that person if they can do so with an acceptable level of risk. Not checking someone's badge /at all/ can become an acceptable level of risk. If there is a flood, and you're standing in the only boat in the area, but forgot your phone or badge in the truck... you're going out to get that person first, and check in later (if there is no perimeter set up).

It is absolutely a requirement that the base solution works in offline situations. For example, a first responder that is operating in the initial hours after a hurricane or wildfire cannot depend on public cellphone network towers being operational. So, verification has to work in an offline capacity. This means that even if there is a revocation list associated with the VC, if there is no network, it won't be checked. The badge will light up "yellow" noting that it's valid, but revocation status is unknown because the network is down and the status list wasn't pre-cached.

There are varying degrees of functionality at the verifier here:

1. Verification has to be able to do a bare minimum cryptographic verification in offline mode.
2. If the network is up, the credential status can be checked in a pseudonymous way.
3. If the network is up, a ping-back could be performed by the verifier.

> Even the tracking beacon only needs to know how many first responders went into a dangerous area, not necessarily which ones.

Well, the tracking beacon use case could operate by not identifying the first responder, but then the concern is bad actors acquiring and throwing tracking beacons into dangerous areas to create "fake" responders in need... which could then put other responders in danger as they try to rescue the fake responder.

I think one of the misconceptions here is that emergency response is this highly coordinated thing. It is to some degree at the fire station or police station level, but it becomes organic and decentralized very quickly when it's a large scale disaster -- wildfire, hurricane, tsunami, terrorist attack -- that's where these VCs are of most use, because you have a situation where thousands of people are dynamically converging on a set of locations, most of them don't know each other and have never worked with each other, and you need to organize and deploy them quickly. People show up, there are plans, but there is a lot of having to figure things out as they go. So, pseudonymous tracking is probably a bad idea in the first responder use case.

The other misconception here seems to be this idea that first responders have the sort of budget to do a tracking beacon on every first responder. Or that they all have the same gear. Or that some of them even have gear (civil engineers are responders, not in the first line, but they do go in after earthquakes to check out buildings and could become trapped). In addition, these outfits just don't have the kind of budget to put tracking beacons on every first responder. Remember, there are A LOT of volunteer fire departments and many of them are grossly underfunded.

First responders tend to have mobile phones, the idea is to try to see if we can get the mobile phone to be multipurpose, because we can almost guarantee that every first responder has one... and a data connection, and GPS, and they show up to work with that device each and every day. So, perhaps a first responder tracking app on their phone... but what happens when they forget to turn theirs on? That's why activating the beacon upon site check in is of interest -- reduce the cognitive load on the first responder.

> What additional value would phone home add?
> Of course, families of first responders may want to know who.

Their colleagues want to know exactly who's out there, insurance companies want to know who's out there, incident commanders want to know who's out there. It matters a lot if a rookie is caught in a particular situation vs. a veteran of many years. Each individual's training matters and you want to account for everyone, both at the beginning of the day and the end of the day. You also want to make sure your responders are going to where they're supposed to be rather than the wrong location.

The people deploying and managing aren't always onsite, and there is not one single centralized system that all the information is going into and coming out from. Again, these activities are massively decentralized, so the question is around "How do you account for everyone in a decentralized situation?" The person doing the check in can have no connection with the person checking in. A team from Florida is controlling the perimeter and a team from South Carolina is entering -- these organizations would have zero IT systems in common, but the personnel manager in South Carolina wants to know that their team showed up where they were supposed to show up and have all checked in (or checked out) to/from their current mission. They want to make sure that insurance is covering during that time, they want to make sure their timesheets are accurate for the time they're deployed, and most of all they want to know that they're safe at the end of each shift.

> The place where you want some form of phone home is for resource allocation. You need to know if all the doctors showed up at the same place so you can get them to where they are needed. Even then you may not need to know which doctors showed up, just how many, and the resource allocation can be independent of the issuing organization.

Yes, but keep in mind that there are multiple organizations that are tracking resource allocation. There's at least incident command on site that's managing local resources, but then there is the place from which those people were deployed, which might be many hundreds of miles away from the incident.

> First responders may want a phone home feature so they can get paid for showing up.

Yep, that's another reason they want to provide their whereabouts. Making sure they're covered by insurance is another. Auditing personnel (to make sure the right teams and composition showed up) is another reason.

> You may also want to check for revoked credentials, but there are ways to do that anonymously.

Yes, correct. This isn't about how to check to see if a credential is revoked -- we know how to do that in a privacy preserving way and none of that is changing for this particular use case.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/
Received on Saturday, 10 May 2025 21:58:28 UTC
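
Editor's added example (not part of the message above, and not Digital Bazaar's code): a sketch of the degraded-mode decision the email describes, where a badge that passes the offline cryptographic check but has no usable status list shows "yellow". The function names, the "green"/"red" outcomes, the 24-hour freshness window, and the cached list format (a gzip-compressed, base64url bitstring) are assumptions; the signature check itself is assumed to run elsewhere and arrives as a boolean.

```python
import base64
import gzip
from typing import Iterable, Optional

MAX_CACHE_AGE_S = 24 * 3600  # assumed freshness policy, not from the email


def encode_status_list(revoked: Iterable[int], size_bits: int = 1024) -> str:
    """Build a constructed sample list: bit i set means credential i is revoked."""
    bits = bytearray(size_bits // 8)
    for i in revoked:
        bits[i // 8] |= 0x80 >> (i % 8)  # index 0 is the left-most bit
    blob = base64.urlsafe_b64encode(gzip.compress(bytes(bits)))
    return "u" + blob.decode().rstrip("=")  # 'u' = multibase base64url prefix


def decode_status_list(encoded: str) -> bytes:
    """Reverse encode_status_list: strip the prefix, re-pad, decode, gunzip."""
    body = encoded[1:] if encoded.startswith("u") else encoded
    return gzip.decompress(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def badge_colour(signature_ok: bool, status_index: int,
                 cached_list: Optional[str], cached_at: Optional[float],
                 now: float) -> str:
    """Tier 1 (offline signature check) is mandatory; tier 2 (status) is best effort."""
    if not signature_ok:
        return "red"       # fails even the bare-minimum cryptographic check
    if cached_list is None or cached_at is None:
        return "yellow"    # valid, but status unknown: nothing was pre-cached
    if now - cached_at > MAX_CACHE_AGE_S:
        return "yellow"    # assumed policy: a stale list counts as unknown
    bits = decode_status_list(cached_list)
    byte_i, bit_i = divmod(status_index, 8)
    if byte_i >= len(bits):
        return "yellow"    # index not covered by the cached list
    revoked = (bits[byte_i] >> (7 - bit_i)) & 1
    return "red" if revoked else "green"


if __name__ == "__main__":
    sample = encode_status_list([42])  # constructed: only index 42 is revoked
    print(badge_colour(True, 7, None, None, now=1000.0))     # yellow
    print(badge_colour(True, 7, sample, 900.0, now=1000.0))  # green
    print(badge_colour(True, 42, sample, 900.0, now=1000.0)) # red
```

The lookup uses only the locally cached list, so checking status this way sends nothing to the issuer; the optional ping-back (tier 3) is deliberately left out.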