5 Comments

Are PHCs reinventing the wheel?

If a person has any VCs (driver's licence, identity card, passport, ...), then why couldn't some form of zero-knowledge proof on some aspects of your personal profile fulfill that role?

If I want to get a quick quote for a vacation, all the travel service needs to know is ZKP-derived information about my being a citizen of a country and my preferred airport (and I would use a temporary or one-time DID to avoid DID tracking).

author

That's a great question. It exposes that maybe we're talking about two entirely different meanings of "personhood". There's "this other data is attached to a real-world person and I'm not going to tell you exactly who it is", and there's "the entity interacting with this service right now is a sentient bag of protoplasm". If we want to know the latter, just deriving a ZKP from the former isn't enough because it's time-sensitive and relies on a slightly different binding chain – relying on liveness vs. just credential control. That said, they're often useful to know in combination.


Given that there is an implied series of trust steps for SSI parties to establish trust (rough order, depending on the protocol):

- exchange of DIDs
- mutual proof of ownership of DIDs (control of PKI keys)
- biometric proof that the operator of a device/communication channel is human, verified with the device or a 3rd party (the human that owns/operates the device is the subject of the VCs)
- exchange of credentials (VCs) relevant to the purpose of the interaction
- ...

then I'm not clear that those steps don't cover the issues in your reply.

Also, as an emerging issue: having an AI interact on your behalf and proving that a human controls that AI, which gets even more complicated if the agent is acting on your behalf while you are asleep or otherwise offline.

author

Excellent point about AI agents operating while you’re offline! A delegation solution would go a long way towards making this connection. This challenge isn’t entirely unknown now, as there are the occasional OAuth clients needing to make “offline” API calls on your behalf when you don’t have a current session with the resource server.

The biometrics proof stage seems to be the critical one, as any kind of entity, human or not, can control a key pair. Such proof processes are having to get ever more sophisticated to battle deepfakes and synthetic identities. (That was one of the subjects treated in my webinar with Ping yesterday…) The DID and VC parts surrounding it are one delivery option. Is it the right one?


Digital Wallets are being built around decentralised SSI, DIDs and DID based communication (DIDComm, others), and W3C Verifiable Credentials.

OAuth & OIDC are adopting both (including proof of control via PKI).

Dan Bachenheimer (Accenture), who is deep into personal verification (especially biometrics), points to needing 3 (or more) different mechanisms. For example: one or more credentials, biometrics, proof of device control, MFA, ...
