This repository contains documents related to RWOT8, the eighth Rebooting the Web of Trust design workshop, which will run in Barcelona, Spain on March 1st to 3rd, 2019. The goal of the workshop was to generate five technical white papers and/or proposals on topics decided by the group that would have the greatest impact on the future.

Visit http://rwot8.eventbrite.com for more information and to purchase tickets.

Event details for attendees (schedule, hotels, transportation) (pdf 14MB)

In advance of the design workshop, all participants produced a one-or-two page topic paper to be shared with the other attendees on either:

• A specific problem that they wanted to solve with a web-of-trust solution, and why current solutions (PGP or CA-based PKI) can't address the problem?
• A specific solution related to the web-of-trust that you'd like others to use or contribute to?

NOTE: To add a paper, create a pull request to this repo with your contribution (preferably .md file or PDF), along with updates to the README.md here and in the Topics and Advanced Readings folder with a link to your paper and your name. Please also include a byline with contact information in the paper itself.

Here are the advanced readings to date:

These primers overview major topics which are likely to be discussed at the design workshop. If you read nothing else, read these. (But really, read as much as you can!)

• DID Primer — Decentralized Identifiers (extended version also available)
• Functional Identity Primer — A different way to look at identity
• Verifiable Credentials Primer — the project formerly known as Verifiable Claims
• Glossary of Terms — A terse lexicon of Web of Trust words

• A DID for Every Thing: Driving Event Data Chain

  • by Carsten Stöcker and Michael Rüther
  • "Our broader objective is to establish a scalable digital twin protocol and a technology layer for autonomous things."
  • #verifiableclaims #reputation #IoT

• Identity Manager Concept

  • by André Cruz, João Santos, and Pedro Teixeira
  • The Identity Manager is a unified identity wallet that aims to support multiple DIDs and multiple DID-methods
  • #DID #VC #DID-Auth #apps #UI #UX #wallet
  • Specification

• DID Namespace Records

  • by Drummond Reed
  • "Besides discoverability of different decentralized networks, DID namespace linking also enables building bridges between different governance frameworks and trust assurance models—key building blocks of a global web of trust."
  • #reputation

• Peer-to-peer DIDs

  • by Brent Zundel
  • "Work on a DID Method spec for P2P DIDs as a special subset of DIDs that are not universally resolvable on some ledger or central storage infrastructure, but only within the group where they are used."
  • #ledgerless
  • Specification

• Universal ID Framework

  • by Shigeya Suzuki
  • "One of the ways to support references for multiple ID scheme everywhere is developing a general Universal ID Reference scheme, which covers not only the references to DID but also Distinguish Name-based scheme or possibly others."
  • #PKI #interoperability

• Identity Containers. Blockchain implementation proposal with DIDs & ERC725

  • by Alex Puig
  • "Long story short, We suggest to store just a Merkle Root of the keys and claims being holded by an entity (user, organization..,) and set a list standard endpoints to query and interact between entities. This way most of the information is transferred off-chain and the whole system should be GDPR compliant."
  • #VC #ERC725 #DKPI #GDPR
  • Full Proposal

• Digital Trust Protocol

  • by Carsten Keutmann and Tim Pastoor
  • "The Digital Trust Protocol (DTP) is a solution for the handling of trust in the digital space. The protocol is broadly designed to work with all aspects of trust; this includes identity, reputation, and security. The Protocol allows anyone, including software, to issue their own cryptographic identities, for the use of trust and reputation and be able to verify those of others, without the need for a trusted third party."
  • #VC #DPKI #reputation

• Current Status of the DID Specification

  • by Amy Guy and Dmitri Zagidulin
  • A summary of open issues and discussion topics for moving the DID Specification forward.
  • #DID #W3C #CCG

• Universal DID Operations

  • by Markus Sabadello and Nader Helmy
  • "Interest in building blockchain-agnostic SSI solutions is increasing, so let's expand the concept of the Universal Resolver to more DID operations, like Create, Update and Revoke."
  • #DID #DPKI

• Staying Anonymous With DIDs

  • by David Stark
  • If we use DIDs and Verifiable Credentials how can we make sure that users are not being tracked across the web.

• Decentralized Identity Fee Market

  • by Yancy Ribbens
  • Micro-payments and DID (Decentralized Identities) can enable a user to curate their online identity, request payment or mark data private. This article proposes allowing a fee market to develop around what information a user chooses to reveal about their identity in the context of verifiable credentials.

• A Self-Sovereign Identity Framework/Thought Model proposal

  • by Rieks Joosten
  • "The SSIF provides a thought model and corresponding terminology that allows us to think in a precise manner about SSI within the context of its purpose(s) - which for us is the generic enablement of electronic support for (administrative) business transactions."
  • #commonlanguage
  • Model

• Aligning SSI with European Union identity legislation (aka eIDAS Regulation)

  • by Nacho Alamillo and Santi Casas
  • "This paper aims to advance the alignment of SSI solutions with the eIDAS Regulation regarding electronic identification."
  • #DID #eIDAS

• On Interpersonal Data
  • by Philip Sheldrake
  • "It turns out that there is very few data that may be described as purely personal data. That lunch date, that genome map, those photos, that joint bank account — all turn out to be interpersonal data."
  • #data #reputation
• Structures of Identity
  • by Ethan Brown
  • Graphical explorations of current identity structures and alternatives.
  • #namespace

• Legal Frameworks for Humanity in the Digital Age
  • by Elizabeth M. Renieris
  • "We are allowing the tides of technology and commerce to haphazardly turn everything into commodifiable data. But will we allow ourselves to be reduced to data points and, worse yet, commodified? If we are not deliberate about designing the correct legal frameworks for humanity in the data-driven age, we risk losing sight of our fundamental rights as humans."
  • #data #rights

• PSDAD - Data Format with Secure Semantics

  • by Sandro Hawke
  • "Existing data serialization formats like JSON, JSON-LD, XML, and even ASN.1 (with its various encoding rules) work well enough for conventional computing environments, but they fall short when high levels of both trust and decentralization are required. PSDAD (plaintext self-describing assertional data) is a proposed new approach which uses natural language strings simultaneously as identifiers, delimiters, and documentation, resulting in a surprisingly simple and robust system with distinct advantages over known approaches in certain environments."
  • #data
  • Specification

• The Universal Ledger Agent: a Logical Result of Rabobank's Journey in Blockchain-based self-sovereign identity

  • by David Lamers
  • "The universal ledger agent (ULA) is a component that is implemented by the app and the verifier. The ULA makes it possible to retrieve credentials from issuers, independently which standards and blockchain they use. Also, a verifier can accept and verify credentials from multiple standards."
  • #DID #VC #GDPR #ERC780

• OIDC Profile for SSI

  • by Oliver Terbu and Andres Junge
  • "The goal is to continue the work on an OIDC profile for SSI based on [NS18] and [II18], and finalize the first version of it."
  • #VC

• Introductory Capability DHT Concept

  • by James Foley
  • Considering the concept of a DHT for Introductory Capability Routing for object capability based decentralized applications.

• Zero-knowledge proofs in identity systems

  • by Jordi Baylina and David Suarez
  • "Privacy is key to identity systems, and Zero-knowledge proofs (ZKP) are core to maintain confidentiality over user data, but still being able to transact by receiving claims and proving these to a third party."

• A New Approach to Social Key Recovery

  • by Christopher Allen and Mark Friedenbach
  • "The goal of social key recovery is for the user to specify groups of individuals that together possess the ability to recover the root secret of a wallet."
  • #shamirsecretsharing #sss #keymanagement #masterseed #keyrecovery

• Security Considerations of Shamir's Secret Sharing

  • by Peg
  • "Issues with private key management often pose barriers to the adoption of empowering decentralised technologies and this is exactly what this project aims to address. ... Threshold-based secret sharing schemes provide a powerful tool to address the private-key custody problem. There are promising solutions to the issues explored in this article. However, we have focussed here mainly on technical limitations of such schemes."
  • #reputation #shamirsecretsharing #keymanagement

• Bringing the Dependencies of a BTCR Wallet to the Swift Ecosystem

  • by Wolf McNally for Blockchain Commons
  • "While all the code to implement something as complex as a DID resolver or registrar could be written entirely in Swift, it makes sense to leverage code already written in other languages, and use Swift as a top-level language used to tie heterogenous modules into a unified application, whether it be a mobile application or server. This document surveys programing languages and technologies of interest, discusses issues of interoperating with Swift, and lists software packages of note."
  • #Swift #UX #iOS #DID

• Digital Identity for the Homeless

  • by Mike Varley and Matthew Wong
  • "The focus of this topic is how to apply existing decentralized digital ID solution to help individuals experiencing homelessness in the city (Toronto). E.g. how to reserve services such as overnight shelters with digital ID, keep track of certificate offered by free public organized re-training programs, and built credibility via repeat use the the same digital ID with varies services run by non-profit organizations in the city etc."
  • #reputation

• Designing an Educational Credentialing Ecosystem

  • by Kim Hamilton Duffy, J. Philipp Schmidt, and Joe Andrieu
  • "One goal of this exercise was to understand whether (1) certain emerging SSI standards -- including Verifiable Credentials (VCs), Decentralized Identifiers (DIDs) -- and (2) blockchain anchoring are essential to the simplified digital verifiable credentialing system. If so, we wanted to trace them to specific requirements. An additional goal was defining a threat model, to understand which aspects could be handled by the system, and which must be addressed by other systems. ... Our concern is that an effective digital credentialing ecosystem would make fraud within an issuing organization more appealing, so our final goal of this paper is to raise awareness among the broader SSI community."
  • #DID #VC

• Assist underrepresented groups when entering the labour market through self sovereign identity

  • by Karolin Siebert
  • "As a consequence of increasing migration we have workers educated by a wild mix of educational systems, this should not be limiting them from approaching and receiving positions that they actually would like to work in and would be suitable for. Official diplomas and certificates, proving previous studies and work experience, are not necessarily recognised, available in physical form or easily translatable in a certified manner. In addition to that and estimate of the World Bank states that 1 Billion of people are without a formal identity. Being assigned one would give them better access to the work market since just their physical presence and knowledge is not enough in many cases, but rather we require proof for education and experience."
  • #DID #VC

• Where's the UX?

  • by Alberto Elias
  • "I've been doing some user testing with both developers and non-technical folks and every single one of them has complained about the authentication and registration flows. We all agree that this work is for nothing if people don't end up using them. This community is definitely human-focused, but initial DID implementations haven't nailed the user experience yet."
  • #DID #VC #socialkeyrecovery

• Designing Identity for People & Places

  • by Venn Agency - Sam Chase, Joni McKervey, and Benji Miller
  • "This paper will explore how we may architect a more complete individual sovereignty via privacy and place identity as a person moves between private and public physical locations (home, transit, work etc). ​ By mapping our rights and reasonable expectations to privacy across different contexts and comparing with the rights of devices in our spaces, we’ll seek to outline systems of access and control that work in accordance with the rights and needs of both sides."
  • #DID #IoT

• Journalistic use-cases for SSI: signatures, verified claims, and canonical-text registries

  • by Juan Caballero and Jefferson Sofarelli
  • "Our long-term proposal is to design an SSI-platform-agnostic DID widget or middle-ware system for CMSs such that at the time of committing a canonical version of a published piece on a given publication's CMS, that canonical version could be hashed and signed, with signature and hash being stored in an immutable, external record against which the signature could later be checked (i.e., making a verifiable claim of authorship linking the article's original published form to a DID controlled by its author)."
  • #DID #VC #reputation

• Financing a Self-sovereign Technology Stack

  • by Adrian Gropper
  • Business models for autonomy through self-sovereign identity and self-sovereign technology are experimental. The standards are just starting to gel. Business structures for sustainable decentralized and potentially autonomous systems are still to be invented.
  • #agent #business

• Designing Trust in Identity Systems

  • By Bentley Farrington & Bart Suichies
  • Putting the ID holder at the center of an identity system comes with great opportunity, but also introduces new risks and barriers to adoption. Many of these are non-technical and such, should be explored in multi-disciplanary way. We propose a human centered design approach to tackle some of these issues and help shift the focus to not just the technical feasibility, but also inclusive usability. This is a prerequisite to creating an identity system which combines technical and human trust elements.
  • #UX #trust #adoption #design

• EU Digital Signature vs. VC Model

  • by L. Boldrin
  • To some extent a pdf signed document (or xml, json...) can be used to make trustworthy information about me available to a verifier. People ask: Why do we need VCs? What is the additional value they bring? This note provides an initial hyoothesis which I would like you to challenge: VCs without ledger provide, as added value, subject confirmation and anonymity/pseudonimity support. VCs with ledger provide, as a further value, just VC revocation."
  • #digitalsignature

• How Do We Bootstrap the Web of Trust for VC

  • by Matt Stone and Dan Burnett
  • "In the world of Verifiable Credentials, it is essential that Verifiers can trust Issuers. To this end, there must be a common understanding of the 'functional identity' of the Issuer. How do humans establish the appropriate level understanding to trust the artifact with conviction? i.e. how does one link 'this key' to 'that real world entity (person, company, etc)'"
  • #DID #reputation

• Multi-Factor Attribute Trust

  • By Will Abramson
  • "Developing flexible mechanisms for judging the trust of an attribute presentation is going to be essential to driving the network affects needed for widespread adoption of Verifiable Credential based identity networks."

• Verifiable Claims for Postal Address

  • by Moses MA
  • "This is a proposal to facilitate the collaborative drafting of a technical paper that describes the principles and key design considerations for a use case for verifiable physical address claims. Individuals within the global postal network now seek to understand the “decentralization revolution” and help to develop game-changing, blockchain-powered new business models for the world."

• Using Immutable Data Objects by Ken Ebert

  • by Ken Ebert
  • "Verifiable Credentials are strengthened by providing immutable data objects that provide a full definition of the data being signed. This is particularly true for objects with ZKP style signatures, where a more granular description of the data is required in order to support disclosure and predicate proofs on a per-property basis."
  • #VC #Schema #ZKP

• Multiformat Superfriends (The Multibase, Multihash, and Hashlink Specifications)

  • by Manu Sporny and Ganesh Annan

• Current Status of the DID Specification

  • by Amy Guy and Dmitri Zagidulin
  • A summary of open issues and discussion topics for moving the DID Specification forward.
  • #DID #W3C #CCG

• Identity Manager Specification

  • by Adin Schmahmann, André Cruz, and Pedro Teixeira
  • A draft specification of the Identity Manager components, interfaces and protocols
  • #spec #DID #VC #DID-Auth #apps #wallet

• Peer-to-peer DID Specification

  • by Brent Zundel

• PSDAD Specification

  • by Sandro Hawke

• Verifiable Displays: secure presentation of Verifiable Credentials in HTML

  • by Bohdan Andriyiv
  • A rough outline of the specification for tamper-proofed, future-proofed, “anywhere renderable”, "truly portable" Verifiable Displays of Verifiable Credentials in HTML format.
  • #VerifiableDisplays, #VerifiableCredentials, #Hashlink, #HTML