- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 27 Aug 2020 10:28:44 -0400
- To: public-did-wg@w3.org
On 8/21/20 5:56 PM, Brent Zundel wrote:
> The topic of this call will be *service endpoints*[2]

Sending a few PROPOSALs for debate during the DID Special Topic call today so folks can think about them before the call:

PROPOSAL: Remove Service Endpoints from the specification and rely on Verifiable Credentials (e.g., transmitted during DID Auth) to communicate Service Endpoints.

Rationale: Service Endpoints pose a significant privacy risk to people and organizations. Certain ledger-based DID Method implementers can be held liable under GDPR-like regimes (e.g. CCPA) for publishing PII onto their ledger.

PROPOSAL: Define a Service Endpoint for a GDPR-compliant service that supports Right to be Forgotten and is under the control of the DID controller.

Rationale: We can provide service endpoints via a set of DID Method specified, GDPR-compliant "seeAlso" mechanisms. This enables the self-sovereign publication of service endpoints (people can choose among an acceptable subset) without the potential to run afoul of GDPR-like regulations.

PROPOSAL: Strongly RECOMMEND the use of GDPR-compliant service endpoints.

Rationale: Providing an option and strongly recommending that option are two different things. The first proposal on the topic says we should specify a GDPR-compliant option. The second proposal on the topic says that we should strongly recommend the use of that for the publication of service endpoints.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches
Received on Thursday, 27 August 2020 14:28:58 UTC