Given that there is an implied series of trust steps for SSI parties to establish trust (rough order, depending on the protocol):
- exchange of DIDs
- mutual proof of ownership of DIDs (controls PKI)
- biometrics proof that the operator of a device/communication channel is human and verified with the device or 3rd party (human that owns/operates the device and is the subject of VCs)
- exchange of credentials (VCs) relevant to the purpose of the interaction
- ...
then I'm not clear that those steps don't cover the issues in your reply.
Also, as an emerging issue: having AI interact on your behalf and prove a human controls that AI, which gets even more complicated if the Agent is acting on your behalf while you are asleep or otherwise offline.
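As an added illustration of steps 1 and 2 in the list above (exchange of DIDs, then mutual proof of control), and not code from any of the commenters or from a particular SSI stack: the Go program below builds two `did:key` identifiers from Ed25519 keys, has each party challenge the other with a fresh nonce, and verifies the signed answers against the public key embedded in the peer's DID. The `did:key` encoding (multicodec 0xed01 plus base58btc with the `z` multibase prefix) is the published one; the signed message framing with a domain tag and both DIDs is an assumed convention for this example, not a standard, and the `Party`, `ProveControl`, `VerifyControl` and `MutualProof` names are mine. It deliberately stops where the thread's hard problem starts: a passing mutual proof shows that whoever answered holds the private key, not that a human is behind it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)
const b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" // base58btc, multibase prefix 'z'

func base58Encode(b []byte) string {
	x, mod, out := new(big.Int).SetBytes(b), new(big.Int), ""
	for x.Sign() > 0 {
		x.DivMod(x, big.NewInt(58), mod)
		out = string(b58[mod.Int64()]) + out
	}
	return strings.Repeat("1", len(b)-len(bytes.TrimLeft(b, "\x00"))) + out // leading zero bytes -> '1's
}

func base58Decode(s string) ([]byte, error) {
	x := new(big.Int)
	for _, c := range s {
		i := strings.IndexRune(b58, c)
		if i < 0 {
			return nil, fmt.Errorf("invalid base58 character %q", c)
		}
		x.Mul(x, big.NewInt(58)).Add(x, big.NewInt(int64(i)))
	}
	return append(make([]byte, len(s)-len(strings.TrimLeft(s, "1"))), x.Bytes()...), nil // leading '1's -> zero bytes
}

// PublicKeyFromDID resolves an Ed25519 did:key offline: the key is the identifier.
func PublicKeyFromDID(did string) (ed25519.PublicKey, error) {
	if !strings.HasPrefix(did, "did:key:z") {
		return nil, errors.New("only base58btc did:key identifiers are handled here")
	}
	raw, err := base58Decode(strings.TrimPrefix(did, "did:key:z"))
	if err != nil || len(raw) != 2+ed25519.PublicKeySize || raw[0] != 0xed || raw[1] != 0x01 {
		return nil, errors.New("not an Ed25519 did:key")
	}
	return ed25519.PublicKey(raw[2:]), nil
}

// Party is one SSI participant: its DID and the private key that controls it.
type Party struct {
	DID  string
	priv ed25519.PrivateKey
}
// NewParty generates a key pair; an Ed25519 did:key is multicodec 0xed 0x01 + the raw key, base58btc with 'z'.
func NewParty() (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{DID: "did:key:z" + base58Encode(append([]byte{0xed, 0x01}, pub...)), priv: priv}, nil
}

// proofMessage is the signed payload. Binding a domain tag and both DIDs to the nonce (an assumed
// convention for this example, not a standard) stops a reply being replayed to a different peer.
func proofMessage(nonce []byte, proverDID, verifierDID string) []byte {
	return []byte("did-control-proof\x00" + proverDID + "\x00" + verifierDID + "\x00" + hex.EncodeToString(nonce))
}

// ProveControl answers verifierDID's fresh nonce with the key behind our own DID.
func (p *Party) ProveControl(nonce []byte, verifierDID string) []byte {
	return ed25519.Sign(p.priv, proofMessage(nonce, p.DID, verifierDID))
}

// VerifyControl checks that sig was produced by the key matching proverDID over the nonce we issued.
func VerifyControl(proverDID string, nonce []byte, verifierDID string, sig []byte) error {
	pub, err := PublicKeyFromDID(proverDID)
	if err == nil && !ed25519.Verify(pub, proofMessage(nonce, proverDID, verifierDID), sig) {
		err = errors.New("signature does not verify against the key in the DID")
	}
	return err
}

// MutualProof runs steps 1-2 of the trust list both ways: DIDs exchanged, each side issues a single-use
// nonce, signs the other's, and verifies the reply. Passing says nothing about whether a human holds either key.
func MutualProof(a, b *Party) error {
	buf := make([]byte, 64)
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	nA, nB := buf[:32], buf[32:]
	if err := VerifyControl(b.DID, nA, a.DID, b.ProveControl(nA, a.DID)); err != nil {
		return fmt.Errorf("B failed: %w", err)
	}
	if err := VerifyControl(a.DID, nB, b.DID, a.ProveControl(nB, b.DID)); err != nil {
		return fmt.Errorf("A failed: %w", err)
	}
	return nil
}

func main() {
	a, _ := NewParty()
	b, _ := NewParty()
	fmt.Println("A:", a.DID, "\nB:", b.DID, "\nmutual proof of control (nil = ok):", MutualProof(a, b))
}
```

Two things the code makes concrete about the thread: a `did:key` needs no registry lookup, since the controller's public key is the identifier itself, and the nonce must be fresh per verifier and bound to both DIDs or an answer given to one party can be replayed to another. Everything after `MutualProof` returns nil (the biometric "is this a human" step and the credential exchange) is outside what key control can prove.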
Excellent point about AI agents operating while you’re offline! A delegation solution would go a long way towards making this connection. This challenge isn’t entirely unknown now, as there are the occasional OAuth clients needing to make “offline” API calls on your behalf when you don’t have a current session with the resource server.
The biometrics proof stage seems to be the critical one, as any kind of entity, human or not, can control a key pair. Such proof processes are having to get ever more sophisticated to battle deepfakes and synthetic identities. (That was one of the subjects treated in my webinar with Ping yesterday…) The DID and VC parts surrounding it are one delivery option. Is it the right one?
Digital Wallets are being built around decentralised SSI, DIDs and DID-based communication (DIDComm, others), and W3C Verifiable Credentials.
OAuth & OIDC are adopting both (including proof of control via PKI).
Dan Bachenheimer (Accenture), who is deep into personal verification (especially biometrics), points to 3 (or more) different mechanisms being required. For example: one or more credentials, biometrics, proof of device control, MFA, ...