- From: Lukasz Olejnik <notifications@github.com>
- Date: Fri, 02 Oct 2020 02:37:33 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/556/702629028@github.com>
Since there's no security/privacy questionnaire yet, I would kindly ask to compare the current status quo to the one with DID, including in terms of - what some stakeholders (i.e. government) may or may not do with this technology. Specifically, can this lead to fragmentation of the internet/web itself? If so, that would sound quite harmful to me. It seems to me that specificity of the identifiers may be used to classify content, so perhaps even make content easier to block. Mandating this kind of technology would bring great responsibility to W3C. I hope that these problems will be sufficiently analysed. A side question to the authors: can DIDs be used to deploy a China-style social credit system to the web? I'm simply worried what this may lead to, if not immediately than in the medium or long term. I do not think this is even limited to security/privacy issues, though. It seems to be that the below innocuous use case scenario can be inverted to invite harm: > Sam is a long term immigrant to the United States who just received notice of Permanent Resident status from the United States Customs and Immigration Services (USCIS). Along with his notice is directions for downloading and using a digital version of his physical card, including a one-time activation code. After getting a digital wallet, he visits the USCIS website, signs in, and uses his activation code to get a digital credential. His wallet provides a DID to the website and demonstrates control over the DID to prove to USCIS that the identifier is under Sam's control. USCIS issues a newly minted digital credential with the subject identifier set to the provided DID. > > Now, Sam can use that digital credential anywhere by demonstrating the same proof of control to provide a specific level of identity assurance, anchored in the cryptography of the proof-of-control ceremony. Verifiers of that credential can cryptographically verify both the authenticity and origin of the credential itself—it can be proven that it was issued by USCIS and unchanged since then—AND it can verify that the presenter of the credential still controls the identifier. > I believe this specification is triggering many human rights concerns. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/556#issuecomment-702629028
Received on Friday, 2 October 2020 09:37:46 UTC