Solid and Rebooting the Web of Trust

You are probably familiar with RWOT initiative. In RWOT4 Paris and RWOT5 Boston there have been mentions of WebID and in RWOT9 Prague SolidVC by @kezike was presented.

I was wondering how Solid sees itself in relation to this initiative, especially since I read the following in the cancelled (corona) RWOT10 papers:

The Linked Data community has also developed a personal identity mechanism on top of HTTP for that purpose, combining it with some authentication mechanism based on certificates, called WebID.

However, the problems with HTTP based personal identification are known and were among the main issues leading to the DID work: decentralization, persistency, or authentication/verifiability. I.e., DID should become an alternative to HTTP based identifications on the Semantic Web, too; but that can only happen if the four principles of Linked Data, as quoted above, can be upgraded to the DID case as well. What exactly happens if one replaces the term ā€œHTTPā€ with ā€œDIDā€ in these four statements?

(A side issue: WebID did not really ā€œmade itā€ as a personal ID even among people who are not driven away by the Semantic Web. Personally, I believe one of the reasons is the extreme unfriendliness of all setups, creations, management, etc., of certificates, which is at the heart of WebID. This should be a warning to all things DID: there should be very user-friendly tools around very quickly to allow for everyday users to use this; technology is not enoughā€¦)

PS. Though I really like the idea of self-sovereign identity I have misgivings about the role of blockchain in some (not all) of the solution being worked on.

PS2. Note that ActivityPub is also represented in various RWOT papers, and discussion here looks at how AP and Solid can be combined.

2 Likes

@codenamedmitri

I copied my post to the authorization-and-access-control-panel panel:

ā€¢ Ā Issue #69: Solid and Rebooting the Web of Trust

Wait, WebID does not require client certificates. What about webid-oidc? Do they know about that?

Actually Solid implements WebID-OIDC spec

AFAIK WebID-TLS has been ā€˜abandonedā€™ due below reason

Several browser vendors (Chrome, Firefox) have removed support for the KEYGEN element, on which WebID-TLS relied for in-browser certificate generation.

Also, great piece of information to check about this is the Motivation for WebID-OIDC

Hi @aschrijver! Thank you for the question. (I hope you donā€™t mind, I transferred the issue to the External Interop panel repo, since itā€™s the one that tends to deal with questions of ā€œhow does Solid relate to X outside project?ā€).

As youā€™ve mentioned, the Solid community has a history of interaction with the Rebooting Web of Trust conference community, both in terms of mentions in the papers, and in attendance from the Solid community. In addition to the items you mentioned, our very own Solid Manager @MitziLaszlo was present at the Rebooting 8 in Barcelona. And there is a crossover of members that participate both in the Solid spec and some of the standards groups from the Rebooting community, such as the W3C Credentials Community Group (in which Decentralized Identifiers and Verifiable Credentials were incubated) and the Secure Data Storage Working Group.

For example, I am one of the organizers of Rebooting Web of Trust, as well as an Editor of the core Solid spec.

So, how does Solid see itself in relation to the Rebooting Web of Trust community?
I cannot speak for the Solid community as a whole, but I think itā€™s fairly accurate to say - Solid sees itself as compatible and complementary to the issues that RWoT is working on.
Many of the technologies that are core to the Rebooting community (DIDs, VCs, and so on) are making their way into the Solid ecosystem. For example, take a look at some of the related issues:

Does that answer your question?

1 Like

Please, reconsider pushing linked data signatures for user interactions. This will be a disaster as it will enable unprecendented possibilities for harassment (ā€œI can prove to anyone that you said this to meā€).

Yes, completely, thank you very much!

Hi @divoplade. I appreciate that youā€™re thinking carefully about the potential downsides of all this tech weā€™re working on. That way of thinking is definitely hugely important, and will be required of both users and engineers.

I donā€™t have time at the moment to dive into a long answer (and hopefully, we can continue this discussion on a separate topic thread, since Rebooting the Web of Trust is just a conference, one of the many places digital signatures are being worked on).

But Iā€™ll add a couple of quick thoughts.

One, Iā€™d like to assure you that I think the vast majority of the engineers and designers and lawmakers that are working on Verifiable Credentials and digital signatures are painfully aware of the possible downsides and potentials for abuse that you describe. Eternal vigilance! (Professor Moody from Harry Potter would be proud.)

Two, I think itā€™s very important to keep in mind (in this discussion and others on the forum), that both Solid and the rest of the decentralized identity community, explicitly differentiates verified public identities and private pseudonymous ones. We think that both things are true ā€“ itā€™s necessary to be able to ā€œproveā€ (which is not that easy, btw, see next comment) the source and provenance of statements from official/public identities. AND, the ability to communicate pseudonymously, and to be able to say things without harassment, is also very important.

Threeā€¦ proving anything (even when digital signatures and verifiable credentials are involved) is incredibly difficult. And I say this while working on a demo of Credible Web technology (an excellent W3C Community Group concerned with this very topic).

Thanks for bringing up this topic!

Cheers,
Dmitri

2 Likes

I appreciate that you are aware of the problem, but I also hope you consider my point that ā€œto ā€œproveā€ the source and provenance of statements from official/public identities and the ability to communicate without [the described case of] harassmentā€ is already solved by the current architecture of the web.

I think I might be missing something. The whole point behind the formation of the Credible Web group, and the efforts that went into the Verifiable Credential spec, is that the current web architecture emphatically does not solve that problem.

This is why I donā€™t really understand the need for all of this.

The official/public identities publish their statements in official sources, and then these statements get linked. It is not possible for a random person to publish forged statements on https://www.who.int

The described case of harassment is not possible because all the evidence you can provide currently is a screenshot of a website (this is easy to forge) or a log file (easy too).

Note: I just posted a related topic on the AuthZ side of things: WAC vs. Object capabilities.