[introduction] Goverments do not "issue identity"

[wip-abramson]

I think we should find a better framing for this sentence

Human identities are a very special case, particularly those issued by governments.

Governments issue a set of claims that an individual may present to contribute to an identity in the eye of the verifier.

I feel we should move away from the idea that government issuance is a pre-requisite to identity in any context.

[simoneonofri]

hi @wip-abramson , thank you for the comment.

In that phrase, it can be useful to specify that I intended the identities as a set of attributes (ISO definition) or credential as a set of claims (W3C definition).

In the end, governments recognize the identity (as an abstract concept) by releasing a credential (e.g., birth certificate) and some identifiers (e.g., tax-id) which are used in their domain/context.

[xiyao]

Many real-world application scenarios in China require the use of government-issued identities, resulting in a large number of identity leaks and identity impersonation. although W3C-standardized identities are useful in the online world, most identities in real-world systems require a real name. has there been any consideration of how to link real-name identities and DID identifiers in various countries?

[simoneonofri]

@xiyao thank you.

Identity leakage and impersonation are threats in each identity system, and we're tracking all the threats in the Threat Model. It can be useful to consider them in this context.

For DID, each government first chooses whether to use it and whether to use an existing method or create a specific one according to its needs.

As W3C, we require that anyone developing a DID method perform a security analysis according to RFC 3552 and document all security aspects.

However, that kind of threat concerns not only DID but, in general, the whole architecture (the five layers in the report), and it is an issue that should be analyzed on the specific implementation.