Web Credentials Wallet questions #126

bblfish opened this issue Feb 9, 2021 · 2 comments

@bblfish

bblfish commented Feb 9, 2021

I watched this very informative talk by Drummond Reed from October 29, 2020: The Trust Over IP Stack: Achieving Global Interoperability with Self Sovereign Identity. He gives a certainly very ambitious overview of where they are going with wallets and DIDs.

Initial questions it raises for me are:

  1. How can our HyperApps interact with a Universal Wallet?
  2. Is there a way for the user to set policies on a wallet so that the wallet does not have to ask the user for an ID every time the client goes off to fetch a resource on the web?
  3. What is the protocol for requesting a Credential?
  4. What does a WebID self signed credential look like?
  5. Do we really need a key for every server? Or can we bypass that? (What are the privacy implications? Especially if one is trying to create a decentralised social network where one wants a way to connect to people by presenting a WebID. So there will be some cases where it will make sense (age credentials), others where it gives no benefit (WebID linking).)

At first glance (having looked at other specs) it otherwise looks very compatible with the HTTP Signatures and Credentials proposal I put forward. (It is easier to view here.) But clearly answers to the above questions will help me adapt the PR.

@bblfish

bblfish commented Feb 10, 2021

Drummond Reed in his talk mentions the Manning book Self Sovereign Identity, which should be finished in April. It is very useful as it gives an overview of the whole ecosystem, which is a view that is impossible to get just by reading specifications, especially as there are a large number of actors with differing views on how to use the technologies as well as still differing philosophies on how they should be used and what should be used.

Solid, for example, falls on the RESTful deployment side. But on that side we are on the P2P side of things (Pods 2 Pods), whereas the chapters in that book I have read mention mostly client-server uses. (And indeed P2P HTTP may open new doors on that side.)

There are many links to specs from all the communities involved. So for example p115 in the Credential exchange protocols links to Credential Handler API, which I understand - after a glance at the spec - to be a JS in-browser API. This would make it easily compatible with the HTTP Signatures proposal. So provisionally I will affirm: Answer to (1) is yes.

New questions:
2.1. Can one integrate Zero Knowledge Proofs in the HTTP-Sig proposal? (Very likely one can. Can one make it really simple and LD-RESTful?)
2.2. Can one think of Solid Pods as (simple) Identity Hubs? We have the LDP with mechanisms for posting, editing and deleting claims. The P2P HTTP could allow the client to become a server and simplify the access control problem for claims: access to VCs (or zero proofs thereof) is only allowed on the same connection as that opened by the client.

@bblfish

bblfish commented Feb 11, 2021

@dmitrizagidulin a couple of years ago asked a question about integrating DID and Solid. Reading the SSI book led me to a few ways to see how these could be integrated. See issue 217 of the specification GitHub.
