- From: Ward, David <dward@pcgus.com>
- Date: Fri, 12 Nov 2021 19:23:57 +0000
- To: "public-vc-edu@w3.org" <public-vc-edu@w3.org>
- Message-ID: <17950978b239f254f44318c6349a6e2185fe8c54.camel@pcgus.com>
Email addresses are often used as identifiers in the real world, so being able to use them as identifiers in VCs would make interoperating with existing systems easier. Both mailto: and did:tag: URIs are useful depending upon the requirements. If a DID document is required then something like the did:tag: method could be used, where if just an identifier that can fairly easily be tied back to an individual is required then mailto: is good enough. On Fri, 2021-11-12 at 17:38 +0000, David Chadwick wrote: In either case, the verifier still needs to prove that the holder is the subject and controls the email address before accepting the VP. So a standard procedure for doing this will be of benefit to the community in my opinion. No, there are many use cases where the holder is not the subject. The verifier may only need to prove that the issuer issued the VC to the subject and that it trusts the issuer before accepting the VP. Systems need to be able to resolve the subject identifier as identifying a known (or new and unknown) individual to the satisfaction of the systems' requirements. An email address as identifier can work quite well for that. David -- On Fri, 2021-11-12 at 17:38 +0000, David Chadwick wrote: On 12/11/2021 16:38, Bob Wyman wrote: Kerri, My did:tag proposal is, I believe, the only proposed DID Method that addresses the use of email addresses and email as a resolution method: See: https://github.com/bobwyman/did_method_tag<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fbobwyman%2Fdid_method_tag&data=04%7C01%7Cdward%40pcgus.com%7C2b2ff42860be4a10bddf08d9a60360ae%7Cd9b110c34c254379b97ae248938cc17b%7C0%7C0%7C637723355719045915%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ceU8mCxG7iAKZ91iVoj7qfYf4HlxRJCL9UBIAqyPnxw%3D&reserved=0> I like the idea of using email addresses as IDs because the vast majority of people are familiar with them, they understand them, and many people I know have had the same email address for decades. So they often can be semi-permanent (as permanent as you want them to be). I also like Bob's idea of asynchronously communicating via Emails to prove possession. What I dont like is making this a did. mailto:you@server.com<mailto:you@server.com>is a perfectly good URI and fulfils this requirement for a subject ID. Sure, its not as secure as the subject ID being a public key (directly or indirectly) but we all rely on the security of emails today for many things, including resetting our passwords. So for many non-high security use cases using email addresses is good enough, and is used millions of times daily right now. Not every VC use case needs to be gold star bullet proof. So all that is needed, in my opinion, is a standard mechanism that a verifier can use to prove that the subject has possession of the email address that identifies him/her. Note that the email address could either be the subject id (as above) or the VC could be a bearer credential with no subject id, and where the issuer has proven that the subject "owns" the email address and is willing to insert this as a verifiable subject property. In either case, the verifier still needs to prove that the holder is the subject and controls the email address before accepting the VP. So a standard procedure for doing this will be of benefit to the community in my opinion. Kind regards David There are quite a number of issues with using email addresses as identifiers, or parts of identifiers, and I'm hoping that discussion and development of the did:tag method will illuminate those issues and potentially find solutions for them. Some of these issues include: * How are DID documents resolved? (In did:tag, I propose that they should be resolved asynchronously by sending an email message to the indicated address and receiving a DID Document as an attachment to a response. The response could be generated manually, or with the assistance of a wallet that monitors incoming email messages. Alternatively, the DID Document could specify an "AltResolution" service that could be used to provide resolution via non-email methods.) * What happens when the assignment of the email address is changed? (i.e. if "bob@example.com<mailto:bob@example.com>" is now a different "bob" than the Bob that created the DID. In this case, did:tag adopts the tagURI syntax of mixing a date with the email address to indicate a date during which the DID creator had control of the email address. Thus,did:tag:bob@example.com<mailto:did%3Atag%3Abob@example.com>,2021:living_room_tv anddid.tag:bob@example.com<mailto:did.tag%3Abob@example.com>,2021-11-12:living_room_tv could be recognized as being distinct.) * In general, email as a transport creates many opportunities for man-in-the-middle attacks unless some form of secure email is being used. However, since "email" addresses are the most widely used identifiers today, it is important to work out the issues in order to expand the range of people who are able to create and manage DIDs. * etc. Please take a look at did:tag and provide whatever comments, issues, etc. that you might be able or willing to provide. The proposal is still very fresh and needs a great deal of work. Your assistance will be appreciated. bob wyman On Fri, Nov 12, 2021 at 11:08 AM Kerri Lemoie <klemoie@concentricsky.com<mailto:klemoie@concentricsky.com>> wrote: Hello all, There’s been an ongoing discussion in the Open Badges community about using email addresses as an identifier when a wallet is not being used. This is a dilemma particularly in the Open Badges community because it has been using email addresses as recipient identifiers. Over the years using emails as identifiers has been problematic in numerous ways especially considering that the recipients don’t have control over their email addresses and in the past has led to lost badges. Even still, it’s a challenging topic especially because DIDs are a new concept and not as easy to understand as email yet. The VC spec indicates that if an identifier is used in the credentialSubject that it should be a URI. An email could be described by a URI and also, from what I can tell, it wouldn’t be a huge stretch to use did:web to point to an account that has an email address associated with it. Please note that I personally don’t support using email addresses or even references to email addresses as identifiers (on the fence about the did:web accounts approach as a bridge) but I’m curious to hear the community's thoughts on this and wonder if there are any wallets that would consider supporting email identifiers in some form should Open Badges recipients want to move their badges to a wallet at a later time? Thanks, K. -------- Kerri Lemoie, PhD Director, Digital Credentials Research & Innovation badgr.com<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Finfo.badgr.com%2F&data=04%7C01%7Cdward%40pcgus.com%7C2b2ff42860be4a10bddf08d9a60360ae%7Cd9b110c34c254379b97ae248938cc17b%7C0%7C0%7C637723355719055876%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=LmgEj4MFsD3LjQiUqtFO0Nu%2BmVpMgtV3Pe7kzkN69MU%3D&reserved=0> | concentricsky.com<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fconcentricsky.com%2F&data=04%7C01%7Cdward%40pcgus.com%7C2b2ff42860be4a10bddf08d9a60360ae%7Cd9b110c34c254379b97ae248938cc17b%7C0%7C0%7C637723355719060851%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2B%2FXnItDgFXh3BX63rRn1lx4KRN6wZWjXO966NDTlIxQ%3D&reserved=0> she/her/hers
Received on Friday, 12 November 2021 19:24:15 UTC