Let’s Encrypt For Basic Verifiable Credentials

From IIW Let’s Encrypt for Basic Verifiable Credentials; Also, DiD-OAuth2

Wednesday 8I

Convener(s): Wayne Chang

Notes-taker(s): Gregory Rocco

Tags for the session - technology discussed/ideas considered:

DID, OAuth2, Verifiable Credentials

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

  • Centralized server and issuer that issues W3C verifiable credentials to anyone
  • Based on a Google account and phone number, everything was wrapped into a verifiable credential
  • The idea is to donate the code to the DIF and figure out how to decentralize the governance of it and figure out the issuance component.
  • If you’re a user and you would want to use it somewhere, you would need a wallet, to begin with. Until wallet infrastructure is built, then it’s usable.
  • OAuth2 is widespread, and what if we allowed anyone with an OAuth2 account an implied DID automatically. The caveat is that they’re centrally controlled.
  • How do you show control? You would check with the issuer – but you can issue to anyone with an account with other services
  • This is called a verifiable credential – if I have a phony Facebook account and phone number, what am I really being verified for?
      o You can check that signed the data packet. They would need to sign in with the user’s OAuth2 account.
      o If you phish them, and had the credentials to log in with their account –
  • If you get hacked, it’s similar to losing your private key. I think it’s a fair point – you can do that today with compromising individual accounts.
  • I think we should classify DID methods – if there was a garbage category it would go in there.
      o Can you remove the PII?
  • Yeah, we can salt and hash it
  • The purpose here is to bootstrap everyone on existing systems to use DIDs – what if you used a user-controlled DID in conjunction with this? You can then migrate your set of claims off these providers. We’re not just going to hop on our decentralized Noah’s ark and go to a brave new world – this is a stab at a bridge.
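
The "salt and hash" idea from the notes above, as an added example that is not code from the session or from the project discussed. The claim names, the "Digest" suffix and the sample values are assumptions made for illustration; signing the resulting subject as a credential is out of scope here.

```python
import hashlib
import hmac
import secrets

# Constructed sample claims (not real data).
SAMPLE_CLAIMS = {"email": "alice@example.com", "phone": "+15555550100"}

SALT_BYTES = 32  # fixed length, so salt || value is unambiguous


def commit_claim(value: str) -> tuple[str, str]:
    """Return (salt_hex, digest_hex) for one PII value.

    Phone numbers and e-mail addresses are guessable, so the salt has to be
    random, per claim, and kept by the holder; a public or reused salt would
    let anyone test candidate values against the digest.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + value.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def redact_claims(claims: dict[str, str]) -> tuple[dict[str, str], dict[str, str]]:
    """Split claims into a publishable subject (digests only) and holder-only salts."""
    subject, salts = {}, {}
    for name, value in claims.items():
        salts[name], subject[name + "Digest"] = commit_claim(value)
    return subject, salts


def verify_disclosure(subject: dict[str, str], name: str, value: str, salt_hex: str) -> bool:
    """Check a value and salt the holder chose to reveal against the stored digest."""
    expected = subject.get(name + "Digest")
    if expected is None:
        return False
    try:
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if len(salt) != SALT_BYTES:
        return False
    actual = hashlib.sha256(salt + value.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    subject, salts = redact_claims(SAMPLE_CLAIMS)
    print(subject)  # digests only; this is what the issuer would sign
    print(verify_disclosure(subject, "phone", "+15555550100", salts["phone"]))
```

The holder keeps the salts in the wallet and reveals a value with its salt only to a verifier that needs that claim.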
