
> The process of binding a DID to something in the physical world, such as a person or an organization — for example, by using verifiable credentials with the same subject as that DID — is contemplated by this specification and further defined in the Verifiable Credentials Data Model [VC-DATA-MODEL].

https://www.w3.org/TR/did-core/#proving-control-and-binding

Here is the diagram:

https://www.w3.org/TR/vc-data-model/#lifecycle-details

The idea there is that identity providers and other authorities (governments, credit agencies, etc) issue credentials after the person authenticates with them.

This isn't much different than how it works today with, for example, a cookie on the Experian website, but the idea is that I can now take this cookie, show it to a third party and the third party can verify the credential's validity.



Wow now it sounds awful for other reasons.

Still pie-in-the-sky, but I still think we've been low ambition & not had good decentralized-identity-preconditions to begin exploring web-of-trust models. Past behavior is a huge indicator, one we can judge, & which many others will have judged. Trying to filter those other judges, decide what trust anchors we have & what biases to give, is a place where humanity would have a lot of freedom to tweak & explore, if we had these modest adequate technical underpinnings to begin to explore from.

But we just lost a decade to blockchain mania & consensus computing, rather than exploring anything actually genuinely distributed & decentralized & non-consensus. Also worth admitting AI just got good enough to convincingly fake being an online person fairly well, which can potentially massively outperform any attempt at moderation & seeking truth/genuineness that humans might ever make; said explicitly, bad/business-motivated actors' ability to fuck up anything but an ultra-conservative/paranoid web-of-trust has gone up orders of magnitude in the past couple years.


> web-of-trust models

Been there, done that, seen it abused for SEO.


Hi John. Where has it been done distributedly ever and at any decent size of adoption?

To me, the premise that we start with some self-sovereign moderation opens the door to endless creative refinements & betterments we can collaboratively explore? Afaik Earth has never had that privilege, has never really tried this at any degree. We've had some keysigning parties but actual reputation & moderation... no.

I'm not sure what evidence we have to stick a fork in this one & call it done. Doesn't feel to me like we hardly ever began.


Google's original backlink-based rating system was a web of trust model. A whole industry developed around gaming it.


> but the idea is that I can now take this cookie, show it to a third party and the third party can verify the credential's validity.

Or you know, like oauth.

Or if you want to really play up the credential angle, how tls client certificates work, if anyone would ever use them.


Perhaps TLS client certificates are unpopular because pretty much everyone uses some sort of anti-ddos or caching server in front of their services (cloud load balancers, fastly, akamai, cloudflare) so any TLS client certificate authentication and validation has to be baked into the service[0] (another possibility could be the service encoding the client's information and shipping it to the origin server via headers).

Another option for companies is only signing request bodies and validating a request signature in the header like Discord does[1].

0: https://developers.cloudflare.com/api-shield/security/mtls/c...

1: https://discord.com/developers/docs/interactions/receiving-a...
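
The request-signing alternative mentioned in the comment above, sketched as an added example (not code from the thread or from Discord): the receiver verifies an Ed25519 signature over the timestamp concatenated with the raw body, both values arriving in request headers. The function names, the all-zero demo seed and the five-minute replay window are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// maxSkew is an assumed replay window; pick one that fits your clients.
const maxSkew = 5 * time.Minute

// verifyRequest checks an Ed25519 signature over timestamp||body as received.
func verifyRequest(pub ed25519.PublicKey, sigHex, ts string, body []byte, now time.Time) error {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("malformed signature")
	}
	sec, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return fmt.Errorf("malformed timestamp")
	}
	if d := now.Sub(time.Unix(sec, 0)); d > maxSkew || d < -maxSkew {
		return fmt.Errorf("stale timestamp")
	}
	// Verify the exact bytes received, before any JSON parsing or re-encoding.
	if !ed25519.Verify(pub, append([]byte(ts), body...), sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// demoKey derives a constructed key pair from a fixed all-zero seed (demo only).
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// demoSign plays the sender: sign timestamp||body and hex-encode the result.
func demoSign(priv ed25519.PrivateKey, ts string, body []byte) string {
	return hex.EncodeToString(ed25519.Sign(priv, append([]byte(ts), body...)))
}

func main() {
	pub, priv := demoKey()
	now, ts, body := time.Unix(1700000000, 0), "1700000000", []byte(`{"type":1}`) // constructed
	sig := demoSign(priv, ts, body)
	fmt.Println(verifyRequest(pub, sig, ts, body, now), verifyRequest(pub, sig, ts, []byte(`{"type":2}`), now))
}
```

Because the signature covers the body rather than the TLS session, it survives termination at a CDN or load balancer, provided the intermediary forwards the body bytes unmodified.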


TLS client certs were unpopular way before external TLS termination became popular.

Besides, it would be fairly easy to implement at a cdn layer. Just give it a list of valid CAs, and have it set some header.

The real reason is that UI challenges for client certs are really hard. You can see it in the fact that people actually do use client certs in server to server communication (e.g. like between cache and backend).


Having worked with TLS client certificates before, I like them, but I wouldn't inflict them on anyone else.



