-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expanding the Scope Beyond 'Authority'? #22
Comments
Does the governance of C2PA, DIACC, or others (e.g. Professional Engineers Ontario) cover "what does membership mean"? I ask as you need to know the context that you're asking the (XYZ) question in. If you're looking for "can Darrell sign this engineering drawing in Ontario?" the answer fits the XYZ question format. If the question is, "Is Darrell a P.Eng. in Ontario, and what does that mean?", you may be asking the wrong question OR you need additional capabilities beyond a very basic trust registry query. FYI- I retired my P.Eng. license last year so the answer is "no" to both! |
This is definitely important for future work:
On that note I recently posed a question under discussions that is somewhat related to this question: The question that I think you're asking is "how can we standardize our interactions with Trust Registries to go beyond the most basic queries?" Fair? @mathieuglaude |
Yes to your last comment about going beyond basic queries. |
If the C2PA list has all hardware/software providers with their keys and certificates, what type of list is this? And what do I query? "Was this picture taken by a C2PA compliant device?" So I'm still asking for authoritative information from the system of truth, but the type of question and data I pass to it in my query are different than let's say for an authoritative issuer query (i.e. is did x authorized to issue credential y under governance z) . Which is different than the question above. Make sense? |
The question makes sense but the burden on the system asking the question is to understand the ecosystem that they are dealing with. Each ecosystem may have very different approaches to things. |
The business question of "is this image real (enough)?" has very different ways of getting to a yes/no/maybe depending on what ecosystems you're part of. |
At the heart of it, trust registries serve a broader purpose than merely delineating authority; they act as a foundational source of truth, albeit sometimes reflecting authority. This distinction becomes crucial when we dive into the practical applications of trust registries across various scenarios.
Consider the case where we're trying to verify if a particular entity, let's call it Entity X, is authorized to perform a specific action (Y) under a defined governance model (Z). This framework is straightforward when we're discussing credential issuance. However, it becomes less clear when we extend the use case to, for example, verifying membership in a coalition or an association. The current language and structure of trust registries, while effective for credential issuance, fall short in addressing membership validations or affiliations with entities like the C2PA or the DIACC.
This limitation has led me to view trust registries not just as arbiters of authority but as comprehensive sources of truth, underpinned by a governance model. Such a perspective allows for a more versatile application of trust registries, accommodating a wider array of use cases beyond credential issuance. For instance, a trust registry could confirm membership, verify credential issuance capabilities, or even validate credential verification rights. This broader utility underscores the need for trust registries to be adaptable and inclusive of various governance models.
However, the concept of assurance levels within trust registries introduces a layer of complexity. The assurance or trustworthiness of information in a trust registry is inherently tied to its governance model. Yet, this doesn't imply a one-size-fits-all approach to integrity or trust. Different scenarios may necessitate different models of governance, thereby influencing the perceived level of assurance.
For example, a mining operation might be deemed trustworthy based on a set of criteria that includes permit status, adherence to regulatory standards, or even credentials issued by provincial authorities. This approach to defining trustworthiness highlights the need for flexibility in how trust registries are structured and utilized.
We've explored the idea that trust registries should not be confined to a rigid model. Just as lists of certified public accountants (CPAs), lawyers, or even doctor rating systems serve as sources of truth within their respective domains, trust registries should be capable of accommodating a diverse range of governance models. Each list, each registry, provides a source of truth based on its unique governance, whether it's a professional certification or a consumer rating.
The overarching theme of our exploration is the need for trust registries to evolve beyond their current scope. The language and structure used today are heavily geared towards credential issuance, yet the potential applications of trust registries are far more expansive. Whether or not to incorporate levels of assurance into this framework remains a topic for further discussion. Nonetheless, the imperative is clear: trust registries must be designed to support a multitude of use cases, each with its own set of requirements and governance models.
Note: just like Issue #21, I can move this to 'Discussions' if its better suited for over there @darrellodonnell.
The text was updated successfully, but these errors were encountered: