A solution for a healthy credential ecosystem should have the following capabilities:
A credential should allow an entity to make any given claim about that entity.
Such claims, as they describe the real world rather than an abstraction, are not context free.
Because use cases for credentials will vary between populations and industries, those populations and industries should be able to drive the formatting and vocabularies used in their own claims.
Attempting to provide a format and specification for the nature of all possible claims in all possible use cases in all possible cultures and governmental systems is an exercise in futility that would ultimately only restrict the usability of the credentialing system.
While initial formats and vocabularies will be recommended, it is a capability of the system that it can encode any byte string as a credential, as this ensures the global ecosystem of Issuers and Consumers can find a means of communicating the information they need.
A Public Key Infrastructure allows agents in the system to authenticate the issuers of certificates using digital signatures.
The Identity Provider system will provide users with a means of maintaining a public key in association with their identity, revoking and re-establishing it in case of compromise.
This mechanism will allow Issuers and Consumers to verify that messages are from the intended party.
Users should be able to choose from a market of Identity Providers, change Identity Providers with minimal interference, and even manage their own identity should they choose to do so.
This requires that only the user needs to establish trust with the Identity Provider, such that Issuers and Consumers are unaffected by a user's choice of Identity Provider.
This will allow for a healthy market of Identity Providers and disincentivize Identity Providers from abusing users.
A publicly maintained decentralized infrastructure will provide a method of mapping identifiers to Identity Providers, such that users can change Identity Providers without action by the previous Identity Provider.
The system should provide a means for a user to present a Consumer with a certificate that, while authenticatable to that user, does not compromise that user's identity or any qualities of the user beyond those expressed in the certificate.
Said system should preserve a user's privacy such that only obtaining records from both the Issuer and the Consumer in the transaction would provide proof of the user's involvement.
This potential security flaw is deliberate: it lets the Credentials system be reasonably compatible with as many legal and governmental systems as possible while still maximizing personal potential for privacy, as such records should reasonably require legal process to obtain and correlate.
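As an added illustration (not part of this document or of any project it describes), the Go sketch below shows the verification path the preceding points describe: a Consumer resolves an Issuer's identifier through a stand-in for the decentralized mapping, checks the signature over an arbitrary byte-string claim, and sees earlier signatures stop verifying once the key is re-established after a compromise. The Registry map, the Credential layout, the null-byte binding of identifier to claim and the "issuer:example-university" identifier are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry stands in for the publicly maintained decentralized mapping from an
// identifier to the public key its current Identity Provider publishes
// (hypothetical; a real deployment would resolve this through the DHT).
type Registry map[string]ed25519.PublicKey

// Credential carries an arbitrary byte string as its claim (format left to the
// issuing community), the issuer's identifier, and a signature over both.
type Credential struct {
	Issuer    string
	Claim     []byte
	Signature []byte
}

// signedBytes binds the issuer identifier to the claim so a signature cannot be
// presented under a different identifier.
func signedBytes(issuer string, claim []byte) []byte {
	return append([]byte(issuer+"\x00"), claim...)
}

// Issue signs the claim with the issuer's current private key.
func Issue(issuer string, priv ed25519.PrivateKey, claim []byte) Credential {
	return Credential{issuer, claim, ed25519.Sign(priv, signedBytes(issuer, claim))}
}

// Verify resolves the issuer through the registry and checks the signature
// against whatever key is mapped to that identifier right now.
func Verify(reg Registry, c Credential) bool {
	pub, ok := reg[c.Issuer]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false // unknown issuer or malformed key entry
	}
	return ed25519.Verify(pub, signedBytes(c.Issuer, c.Claim), c.Signature)
}

// Rotate re-establishes the key after a compromise. The identifier is unchanged,
// so Consumers need no notice, and anything signed by the old key stops verifying.
func Rotate(reg Registry, issuer string, pub ed25519.PublicKey) { reg[issuer] = pub }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"issuer:example-university": pub} // constructed identifier
	c := Issue("issuer:example-university", priv, []byte(`{"degree":"BSc"}`))
	fmt.Println("valid:", Verify(reg, c))
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	Rotate(reg, "issuer:example-university", newPub)
	fmt.Println("after rotation:", Verify(reg, c))
}
```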
Overall, looks good - some minor nitpicks:
A credential MUST allow an entity to make a claim about any entity, including itself.
Don't quite understand what this means.
Too computer science-y, make this grokkable by your least technology savvy family member.
Need to understand why or your concerns.
It's not the IdP that ultimately provides this functionality; rather, it's the DHT.
spelling issue: intended
the goal is no interference.
sp: healthy
We should stay away from "user". It's too generic and could confuse people.
Language is too flowery, get to the point using plainer language.