You are probably familiar with the RWOT initiative. In RWOT4 Paris and RWOT5 Boston there have been mentions of WebID, and in RWOT9 Prague SolidVC by @kezike was presented.
I was wondering how Solid sees itself in relation to this initiative, especially since I read the following in the cancelled (corona) RWOT10 papers:
The Linked Data community has also developed a personal identity mechanism on top of HTTP for that purpose, combining it with some authentication mechanism based on certificates, called WebID.
However, the problems with HTTP based personal identification are known and were among the main issues leading to the DID work: decentralization, persistency, or authentication/verifiability. I.e., DID should become an alternative to HTTP based identifications on the Semantic Web, too; but that can only happen if the four principles of Linked Data, as quoted above, can be upgraded to the DID case as well. What exactly happens if one replaces the term "HTTP" with "DID" in these four statements?
(A side issue: WebID did not really "made it" as a personal ID even among people who are not driven away by the Semantic Web. Personally, I believe one of the reasons is the extreme unfriendliness of all setups, creations, management, etc., of certificates, which is at the heart of WebID. This should be a warning to all things DID: there should be very user-friendly tools around very quickly to allow for everyday users to use this; technology is not enough…)
PS. Though I really like the idea of self-sovereign identity, I have misgivings about the role of blockchain in some (not all) of the solutions being worked on.
AFAIK WebID-TLS has been "abandoned" due to the reason below:
Several browser vendors (Chrome, Firefox) have removed support for the KEYGEN element, on which WebID-TLS relied for in-browser certificate generation.
Also, a great piece of information to check about this is the Motivation for WebID-OIDC.
Hi @aschrijver! Thank you for the question. (I hope you don't mind, I transferred the issue to the External Interop panel repo, since it's the one that tends to deal with questions of "how does Solid relate to X outside project?").
As you've mentioned, the Solid community has a history of interaction with the Rebooting Web of Trust conference community, both in terms of mentions in the papers, and in attendance from the Solid community. In addition to the items you mentioned, our very own Solid Manager @MitziLaszlo was present at the Rebooting 8 in Barcelona. And there is a crossover of members that participate both in the Solid spec and some of the standards groups from the Rebooting community, such as the W3C Credentials Community Group (in which Decentralized Identifiers and Verifiable Credentials were incubated) and the Secure Data Storage Working Group.
For example, I am one of the organizers of Rebooting Web of Trust, as well as an Editor of the core Solid spec.
So, how does Solid see itself in relation to the Rebooting Web of Trust community?
I cannot speak for the Solid community as a whole, but I think it's fairly accurate to say - Solid sees itself as compatible and complementary to the issues that RWoT is working on.
Many of the technologies that are core to the Rebooting community (DIDs, VCs, and so on) are making their way into the Solid ecosystem. For example, take a look at some of the related issues:
Please, reconsider pushing linked data signatures for user interactions. This will be a disaster as it will enable unprecedented possibilities for harassment ("I can prove to anyone that you said this to me").
Hi @divoplade. I appreciate that you're thinking carefully about the potential downsides of all this tech we're working on. That way of thinking is definitely hugely important, and will be required of both users and engineers.
I don't have time at the moment to dive into a long answer (and hopefully, we can continue this discussion on a separate topic thread, since Rebooting the Web of Trust is just a conference, one of the many places digital signatures are being worked on).
But I'll add a couple of quick thoughts.
One, I'd like to assure you that I think the vast majority of the engineers and designers and lawmakers that are working on Verifiable Credentials and digital signatures are painfully aware of the possible downsides and potentials for abuse that you describe. Eternal vigilance! (Professor Moody from Harry Potter would be proud.)
Two, I think it's very important to keep in mind (in this discussion and others on the forum), that both Solid and the rest of the decentralized identity community explicitly differentiate verified public identities and private pseudonymous ones. We think that both things are true - it's necessary to be able to "prove" (which is not that easy, btw, see next comment) the source and provenance of statements from official/public identities. AND, the ability to communicate pseudonymously, and to be able to say things without harassment, is also very important.
Three… proving anything (even when digital signatures and verifiable credentials are involved) is incredibly difficult. And I say this while working on a demo of Credible Web technology (an excellent W3C Community Group concerned with this very topic).
I appreciate that you are aware of the problem, but I also hope you consider my point that "to 'prove' the source and provenance of statements from official/public identities and the ability to communicate without [the described case of] harassment" is already solved by the current architecture of the web.
I think I might be missing something. The whole point behind the formation of the Credible Web group, and the efforts that went into the Verifiable Credential spec, is that the current web architecture emphatically does not solve that problem.
This is why I don't really understand the need for all of this.
The official/public identities publish their statements in official sources, and then these statements get linked. It is not possible for a random person to publish forged statements on https://www.who.int
The described case of harassment is not possible because all the evidence you can provide currently is a screenshot of a website (this is easy to forge) or a log file (easy too).