Battle for the brand

By ANIL JOHN

First they ignore you, then they laugh at you, then they fight you, and then you win!

The W3C Verifiable Credentials standard enables secure, privacy-respecting capabilities that give individuals control over their personal data. The battle to appropriate this brand, in order to market and sell products that do not conform to the standard, has begun.

Decentralized identity technologies based on W3C Verifiable Credentials (VC) are gaining global support because of their power and flexibility in meeting the needs of the open web and of public and private sector enterprises in a manner that is secure, privacy-respecting and globally interoperable.

This in turn is generating allergic reactions from incumbent players who have often played the gatekeeper role in this domain and who, after ignoring and laughing at the work for the longest time, are now becoming concerned about its success, traction and global adoption.

Their reactions are manifesting themselves in some specific ways:

  1. Seeking to reopen settled consensus decisions, reached over many working group sessions, that resulted in the current v1.1 of the W3C VC standard; reopening them would break existing secure, privacy-respecting and standards-compliant implementations
  2. Slowing down or diverting, through a variety of process games, any new work to update and enhance the current v1.1 standard, pushing it into other venues where the incumbents are the gatekeepers
  3. Trying to appropriate the term “Verifiable Credentials” for specifications, protocols and standards that do not share the security and privacy properties of W3C Verifiable Credentials

The first two are critical to understand and push back on, within the standards development process itself, by public and private sector organizations who value the existence of a truly competitive ecosystem built on a foundation of interoperability.

The last affects consumers and organizations in their understanding, acceptance and adoption of this technology, so for the purposes of this article, I want to put the focus on the third tactic.

Learning from history

This tactic is not new, and I remember being on the receiving end of the full treatment during the Service Oriented Architecture (SOA) phase of my professional life, when what SOA meant as a standards-based and architecturally sound implementation got diluted and conflated with deploying the Enterprise Service Bus and Business Orchestration Servers being peddled by product vendors.

But a direct and more relevant example is to look at what happened with another technology that also held the promise of individual control and agency as it sought to move beyond v1.0.

All the hard-fought compromises on the mailing list, in meetings, in special design committees, and in back channels resulted in a specification that fails to deliver its two main goals – security and interoperability. In fact, one of the compromises was to rename it from a protocol to a framework, and another to add a disclaimer that warns that the specification is unlikely to produce interoperable implementations. [...]

The resulting specification is a designed-by-committee patchwork of compromises that serves mostly the enterprise. To be accurate, it doesn’t actually give the enterprise all of what they asked for directly, but it does provide for practically unlimited extensibility. It is this extensibility and required flexibility that destroyed the protocol. With very little effort, pretty much anything can be called OAuth 2.0 compliant.

OAuth 2.0 and the Road to Hell by Eran Hammer

The same tactic, diluting and expanding the definition of “Verifiable Credentials” until it means everything and nothing, so that the incumbents can claim support for and compliance with the W3C VC standard in their products, is exactly what is happening again!

Verifiable Credential ≠ Digitally signed document

Verifiable Credentials means something that is fully conformant to the W3C Verifiable Credentials standard, and it IS NOT a generic term to describe any and all digitally signed documents and attestations!

These. Are. Not. Verifiable. Credentials:

  • A credential that is conformant to the ISO 18013-5 Mobile Driver’s License (mDL) Standard
  • A credential that uses the ISO mdoc (mobile document) specification
  • A digitally signed OIDC, SAML or OAuth token
  • A credential that uses Authentic Chained Data Containers (ACDC)

All of the above are examples of standards and specifications that result in some manner of digitally signed attestation, just as Verifiable Credentials also use digital signatures. And that is where the similarity ends.

Anyone applying the term Verifiable Credentials to any of the above, or to any other standard or specification, is simply describing a pretender to the throne, seeking to wrap itself in the royal purple that is the security and privacy of the only legitimate W3C Verifiable Credentials Standard!
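To make the distinction concrete, here is an added example (not code from the post or from any W3C project) that checks the MUST-level properties the VC Data Model v1.1 requires of a credential with an embedded proof, and runs it over a constructed conformant credential and the decoded claims of a constructed signed OAuth-style token. The sample values (example.edu URIs, did:example identifiers, a placeholder proofValue) are constructed, and a pass means structural conformance only; verifying the proof's signature is a separate step not shown here.

```python
"""Structural conformance check, W3C Verifiable Credentials Data Model v1.1.
Added example, not from the post: checks the MUST-level properties of a
credential carrying an embedded proof. Signature verification is not included.
"""
import re

VC_CONTEXT_V1 = "https://www.w3.org/2018/credentials/v1"
# issuanceDate must be an XML Schema dateTime (simplified pattern)
_DATETIME = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def vc_v11_violations(doc):
    """Return the violated v1.1 requirements; an empty list means conformant."""
    if not isinstance(doc, dict):
        return ["document is not a JSON object"]
    problems = []
    ctx = doc.get("@context")
    if not isinstance(ctx, list) or not ctx or ctx[0] != VC_CONTEXT_V1:
        problems.append("@context must be an ordered set whose first item is " + VC_CONTEXT_V1)
    types = doc.get("type")
    types = [types] if isinstance(types, str) else types
    if not isinstance(types, list) or "VerifiableCredential" not in types:
        problems.append("type must include VerifiableCredential")
    if "credentialSubject" not in doc:
        problems.append("credentialSubject is required")
    issuer = doc.get("issuer")
    if not (isinstance(issuer, str) or (isinstance(issuer, dict) and "id" in issuer)):
        problems.append("issuer must be a URI or an object with an id")
    date = doc.get("issuanceDate")
    if not isinstance(date, str) or not _DATETIME.match(date):
        problems.append("issuanceDate must be an XML Schema dateTime")
    proof = doc.get("proof")
    if not isinstance(proof, dict) or "type" not in proof:
        problems.append("an embedded proof with a type is required")
    return problems


# Constructed samples: example.edu / did:example values and a placeholder proofValue
CONFORMANT_VC = {
    "@context": [VC_CONTEXT_V1, "https://www.w3.org/2018/credentials/examples/v1"],
    "type": ["VerifiableCredential", "UniversityDegreeCredential"],
    "issuer": "https://example.edu/issuers/565049",
    "issuanceDate": "2010-01-01T19:23:24Z",
    "credentialSubject": {"id": "did:example:ebfeb1f712ebc6f1c276e12ec21", "degree": {"type": "BachelorDegree"}},
    "proof": {"type": "Ed25519Signature2020", "proofPurpose": "assertionMethod",
              "verificationMethod": "https://example.edu/issuers/565049#key-1", "proofValue": "zPLACEHOLDER"},
}
# Decoded claims of a signed OAuth/OIDC-style token: digitally signed, yet not a VC
SIGNED_TOKEN_CLAIMS = {"iss": "https://issuer.example", "sub": "alice", "exp": 1700000000, "scope": "read"}

if __name__ == "__main__":
    print(vc_v11_violations(CONFORMANT_VC))       # []
    print(vc_v11_violations(SIGNED_TOKEN_CLAIMS))  # six violations
```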


Recently: Cost of social switching

  • Social Quitting - “Switching costs are what you have to give up when you leave a service: if a service is siloed – if it blocks interoperability with rivals – then quitting that service means giving up access to the people whom you left behind. This is the single most important difference between ActivityPub-based Fediverse services like Mastodon and the silos like Twitter and Facebook – you can quit a Fediverse server and set up somewhere else, and still maintain your follows and followers. […]
    The Fediverse is designed to keep switching costs as low as possible, by enshrining the ‘right of exit’ into the technical architecture of the system. The ability to leave a service without paying a price is the best defense we have against the scourge of enshittification.”

  • Are Cities Too Reliant on Twitter? - “Social media platforms have become key communication tools for government agencies. The recent suspension of the DC Metrobus account shows the perils.”

  • analytics.usa.gov - “These data provide a window into how people are interacting with the government online. The data come from a unified Google Analytics account for U.S. federal government agencies known as the Digital Analytics Program. This program helps government agencies understand how people find, access, and use government services online. The program does not track individuals, and anonymizes the IP addresses of visitors. Not every government website is represented in these data. Currently, the Digital Analytics Program collects web traffic from around 400 executive branch government domains, across about 5,700 total websites, including every cabinet department.”

It is time for U.S. Government agencies to take ownership of their own public outreach platforms!


  • EU/EC NGI Info Session on Open Source funding - “The European Commission is organising an online webinar on the Horizon Europe call for Next Generation Internet topics on 26 January 2023, 14:00-16:00 CET. This event relates to the NGI Work Programme 2023 and particularly targets parties interested in using/implementing open source solutions developed/supported by NGI funding in a particular domain (for the pilots) and parties knowledgeable in open source policy (for the policy support action).”

  • EU/EC NGI Open Calls - “Through an agile and flexible process, following the Horizon Europe cascade funding mechanism, ongoing NGI Research and Innovation Actions (RIAs) provide support to projects from outstanding academic researchers, hi-tech startups and SMEs.”

  • Atkinson Hyperlegible Font - A new typeface, from the Braille Institute, that provides greater legibility and readability for low vision readers.

  • Generative Language Models and Automated Influence Operations: Emerging Threats and Potential Mitigations - A joint report with Georgetown University’s Center for Security and Emerging Technology, OpenAI, and Stanford Internet Observatory

  • Securing the Vote: Protecting American Democracy - “During the 2016 presidential election, America’s election infrastructure was targeted by actors sponsored by the Russian government. Securing the Vote: Protecting American Democracy examines the challenges arising out of the 2016 federal election, assesses current technology and standards for voting, and recommends steps that the federal government, state and local governments, election administrators, and vendors of voting technology should take to improve the security of election infrastructure. In doing so, the report provides a vision of voting that is more secure, accessible, reliable, and verifiable.”
