Entities and Parties

[RieksJ]

In a comment on PR #1172, @jandrieu commented on the VCDM-definition of entity (a thing with distinct and independent existence, such as a person, organization, or device that performs one or more roles in the ecosystem), and the term party that the PR proposes to introduce, which is about entities that have 'a mind of their own' (see the PR for the definition), that would include people and organizations, but not IT components/equipment.

Joe says: "This is a fascinating gap. I'd always thought the definition "entity" was meant to cover the same scope as "party"

I hope this issue serves to clarify the underlying concepts.

First, the definition of entity that Merriam-Webster puts it has is in line with the current definition of something having a distinct existence. However, the third meaning refers to organizations, which could explain Joe's take. But these are different concepts: not all "things that have an independent, separate, or self-contained existence" are "organizations (such as a business or governmental unit) that have an identity separate from those of its members", whereas the converse is obviously true.

I think that if we think both concepts are relevant for the further development of the VCDM, we should use different terms to refer to them, so we can be phrase what we mean without being ambiguous.

I also think the current definition of entity (a thing with distinct and independent existence) is relevant for us. It is the term one would use to state that something exists which can then be further attributed with characteristics to define what we're talking about, as in: an entity that has a 'mind of its own'. The term entity is for definitions/terminology what an atom is for molecules.

Joe says

Personally, I see the entity definition as an error, because I do not recognize devices (or things) as entities with respect to the roles of holders, issuers, and verifiers.

That's a consequence of not using the term 'entity' in the way it is defined, but rather his using the term in the way he seems to be used to. Joe is not alone in this. I've mentioned various times that people would make better contributions to the VCDM if they would make an effort to use terms only in the meaning as defined therein when contributing (when doing other stuff, they can use the terms in other meanings).

Joe continues by saying

The roles, of course, must be filled by an entity capable of exercising will. I'd probably favor language that relied on legal personhood and legal accountability. That is, a "party" is a legal entity capable of acting on its own volition.

While I agree that the issuing, holding and verification of VCs need to be placeable in legal contexts, for which legal personhood and legal accountability must be addressed, I think it is outside the scope of the VCDM, because the VCDM is a data model, no less, and certainly no more. However, it would be very relevant to address this stuff in some other document, perhaps a use-case document, or some introductory texts.

Another observation is that the concepts of 'legal entity', 'legal personhood' etc. are very much bound to a jurisdiction. If something is a legal entity in one jurisdiction, that doesn't imply it is also a legal entity in another jurisdiction. Being a legal entity is also not something that has an independent existence, like a human being does. It is a property that a person or organization can have, and pretty much every jurisdiction can do this, and would have rules (laws) that state when this is, or is not, the case. A single organization may be many (different) legal entities in equally many jurisdictions. And if a jurisdiction ceases to exist, so does that property, while the organization remains alive.

The property of being a legal entity, or having legal personhood, is quite distinct from being an entity that 'have a mind of their own' (i.e., a party - see the proposed definition if you haven't yet done so). While jurisdictions may limit legal personhood, or being a legal entity to entities that also qualify as parties, the converse is not always true. A dead person no longer has a mind of its own, but could still be accountable (liable) in some jurisdiction. Also, people that aren't registered in a jurisdiction do have a mind of their own, but may not be recognized as a legal entity.

So what do we need in the context of the VCDM? I would say that we need a concept that captures entities that are autonomous as they

• decide about which objectives they want to pursue,
• create and maintain data (e.g., identifiers, claims, credentials),
• decide on the semantics (i.e., the meaning) of all data that they author
• gather, store, process, and disseminate data (whether received, or created by themselves)
• manage their own logic, and decide what is, and what is not, true, valid, trustworthy, and what to reuse (e.g., in terms of shared vocabularies and contexts that other parties have produced,
• etc.

Entities with these characteristics (let's call them 'parties') are what we need in the VCDM context. Whether or not they are also legal entities, or have legal personhood, is irrelevant for the work in this context (not for work in other contexts, but that's their concern).

Joe also said:

I don't believe we have any legitimate roles that are fulfilled by devices, so can we update the entity definition to cover the points @RieksJ is bringing up?

I agree with Joe in that devices do not not qualify as a party, and thus could not fulfill the roles in the way that Joe envisaged when he made this comment.

I think it is a very, very important point to get right: entities that can do things (let me call them 'actors') are not necessarily entities that have a mind of their own (parties). This doesn't mean that actors could not issue a credential. In fact, the actual collection of claims, stuffing them into a (JSON or other) object, and signing it is what they could typically do. Parties can't do that: neither people nor organizations can digitally sign stuff - they need IT equipment to do that on their behalf. This is more elaborately explained in the 'parties, actors and action' model of eSSIF-Lab.

It may be beneficial to produce some texts, either within the VCDM or somewhere else, that introduce the concept of actor (an entity that can do things), explains how parties need actors to do things on their behalf, and what this means for issuing, holding and verifying credentials. One example would be that a verifier component (an actor) may need to identify not only the holder component (another actor) that it is talking to, but also to learn about that other actors qualifications (to establish its trustworthiness), and about the party on whose behalf that actor is talking.

[TallTed]

It occurred to me while reading this that pets (many if not most of whom definitely have minds of their own) satisfy the initial, simple definition of party, but do not satisfy all the detailed bullets, so the simple definition should probably get some tweak(s). (I will also note that sometimes such pets may be legal entities (e.g., when inheriting real property), and sometimes not, and this probably also needs to be touched on, somewhere.)

[TallTed]

Also... Current W3 documents are inclining toward discussing social agents which include people, organizations, and the like, distinct from software agents or technological agents or similar which include web browsers, other apps, devices (by which they usually mean the software that runs on the device), etc. These labels might be useful to us, too.

[RieksJ]

@TallTed You're right. This topic can easily become a very large one if we really take it on. But that would also be beside the point of having a terminology (if that's how you say that): we should stick to terms that we need within the scope of the work that we are doing, and use criteria as definitions that have the property that everyone in the group has the same understanding, and the distinction it makes is relevant within the scope of our work. That's what makes terminology practical, and to the point.

Under such assumptions, I would consider the discussion of

• whether pets (or rivers, for that matter) would classify as a party to be out of the scope of our work, and hence should be discussed elsewhere.
• what is, or is not, a legal entity, also out of scope (that's something for individual jurisdictions to decide). What might be in scope is to have an idea what rights/duties legal entities typically would be accountable for, e.g., as related to a digital signature, which might imply we need to define 'jurisdiction', as it is relevant for assigning rights and duties. And all that is because we do have 'proofs' and may want to have them play a part there.
• if 'agency' means something like one party or actor doing something on behalf of some party, coming to grips with that could well be within scope, because we might want VCs to be able to have claims saying that their subjects are an agent for a particular party (signed by that party).

Such discussions warrant their own github issues/discussions.

[OR13]

I don't think we need these terms.

We have roles that define the 3 party model, we don't care if a role is performed by an entity, or an actor, or an agent, or a cat...

We care that it's an issuer, a holder or a verifier.

[David-Chadwick]

The model is currently broken because the issuer gives the VC to some entity, but who this entity is is not recorded anywhere in the model (or the VC), then some other entity gives the VC to the verifier, identifies itself as the holder, but the verifier has no defined way of knowing if the holder was the original recipient, or an authorised delegate of the original recipient, or someone how stole the VC from the original recipient, or someone who found the VC posted on a public notice board etc.

[RieksJ]

I don't think we need these terms.

Possibly. But 'we' (whoever they are) do need the distinctions that they make. The latest version of proposed changes in eIDAS imply that verifiers must be able to determine whether or not a holder acts on its own behalf, or on behalf of another person or organization. Not being able to distinguish between an entity that does something, and the entity on whose behalf this something is done (and can be held accountable for that), means that such discussions become meaningless and fruitless.

[TallTed]

[@David-Chadwick] The model is currently broken because the issuer gives the VC to some entity, but who this entity is is not recorded anywhere in the model (or the VC)

The model is not currently broken, though it is imperfect, and probably will remain so for some years, yet.

The issuer gives the VC to some holder, who you have previously asked be recorded as the issuee, but you have not (yet) persuaded (enough of) the WG of the value of this specialization (a/k/a subclass) of holder for it to become part of the VCDM.

There is nothing stopping any issuer(s) from including issuee in the attributes they use to describe their VCs, nor any verifier(s) from requiring that attribute be present. Such issuers and verifiers would need to figure out what mechanism they would use (or accept) in testing the value of this attribute against the holder (specialized now to presenter) who presents a VC.

[jandrieu]

So, how do we distill this down to proposed normative changes?

It may be that if we redefine who can fulfill roles it will affect the specification in normative ways.

@RieksJ Do you expect that the changes you are asking for to have normative impact? If so, that might help us focus the conversation so we can try to find consensus for any changes before CR.

[iherman]

The issue was discussed in a meeting on 2023-07-19

• no resolutions were taken

View the transcript

2.3. Entities and Parties (issue vc-data-model#1173)

See github issue vc-data-model#1173.

Manu Sporny: post-CR.

Brent Zundel: 1173 - I'll label it as post-CR if there aren't any objections.

Orie Steele: https://www.w3.org/TR/prov-o/.

Sebastian Crane: I have been in extensive discussions in another WG about this, and my opinion is that PROV-O provides the clearest representation of this.

Joe Andrieu: I think this may require normative changes, and so should not be labelled as post-CR.

[RieksJ]

@jandrieu I don't expect the changes I propose in the PR #1172 to have normative impact, i.e. we're not going to do different things, although it might affect the perspective that people have on that.

The only impact I intend to realize is that readers (which are not just technical people) have a better understanding of what it is we're doing and trying to achieve will be improved.

Your comment on PR #1172 is a nice illustration of this.

[David-Chadwick]

@TallTed said "The model is not currently broken, though it is imperfect, "
I would say "incomplete" (as well as imperfect).
Whilst it is true that any issuer can add any property to a VC to say who it gave this VC to, this will be a non-standard mechanism. This is not an optimal way to propose for a standard. Rather standardise how the issuer MAY do this, and make it an optional property, so that those issuers who wish to do have a standardised way of doing it (rather than relying on a proprietary mechanism)

[RieksJ]

The discussion in #1235 had it dawn on me that there is a difference in perspective. The perspective I seem to be running into in discussions here are rooted in RDF and other technical means for representing meaning in data, whereas my person perspective is focused on people/things with 'a mind of their own', that acquire, process, store and express information, which is rather different.

Thanks to @TallTed's comment, that made me realize this.

As the vc-data-model is about data/rdf-like things, I'm happy to refocus there and close this issue.