A governance framework (also called a trust framework in some contexts) is a set of rules that establish trust about processes (and indirectly, about outcomes) in a given context. –Daniel Hardman
Governance frameworks… embodied in formal data structures, so it's possible to react to them with software, not just with human intelligence. –Daniel Hardman
A jurisdiction can publish a file that contains a machine-readable version of the governance applied to its ecosystem
Organize the ecosystem by codifying rules, conventions, and standards
Benefits of Governance Framework Files
Available to all parties
Everyone can understand how things should work
Issuers and verifiers can behave according to policy
Holder agents can assist the user
Supports offline interactions
Governance framework file can be cached locally
Avoid the phone home problem
Decouple (most) business logic from code
Provide flexibility to accommodate change and avoid having to frequently re-release or update agents
What Can You Do with It?
Establish roots of trust
Define roles and permissions
Specify workflows
Establish Roots of Trust
The key problem is:
How can you know if you can trust another agent?
Turtles All the Way Down?
With a credential issued by a trusted party
How can you trust that issuer?
How to Bootstrap Trust?
There are many jurisdictions where trust must be established
Not all of them are geo-political (e.g. companies and organizations)
How can a jurisdiction get started without some outside party?
List trusted participants and their DIDs
Define Roles and Permissions
Once you have a list of participants…
Define the roles that can be played
Assign each verified participant the role(s) they will fill
Specify Workflows
Describe actions the agents can take
Assign actions to roles
Create a flowchart or tree of linked steps
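As an added illustration (not code from the talk or from any governance-framework project), the sketch below shows how an agent could evaluate a locally cached governance file offline: it looks up a DID among the listed trusted participants, resolves that participant's roles, and checks whether a role permits an action and which workflow step may follow. The JSON schema, DIDs, role names and action names are all constructed assumptions.

```python
import json

# Constructed sample governance file. The schema (all field names) is
# hypothetical, chosen for this example, not taken from a published spec.
GOVERNANCE_JSON = """
{
  "name": "Example Island Health and Travel Ecosystem",
  "participants": [
    {"did": "did:example:lab1", "name": "Example Lab", "roles": ["lab"]},
    {"did": "did:example:gov1", "name": "Example Health Dept", "roles": ["health_authority"]}
  ],
  "roles": {
    "lab": ["issue_lab_result"],
    "health_authority": ["verify_lab_result", "issue_travel_pass"]
  },
  "workflow": {
    "issue_lab_result": ["verify_lab_result"],
    "verify_lab_result": ["issue_travel_pass"],
    "issue_travel_pass": []
  }
}
"""

def load_governance(text):
    """Parse the file and index participants by DID; reject undefined roles."""
    gov = json.loads(text)
    gov["by_did"] = {}
    for p in gov["participants"]:
        unknown = [r for r in p["roles"] if r not in gov["roles"]]
        if unknown:
            raise ValueError(f"{p['did']} has undefined roles: {unknown}")
        gov["by_did"][p["did"]] = p
    return gov

def is_authorized(gov, did, action):
    """True only if the DID is a listed root of trust and a role permits the action."""
    participant = gov["by_did"].get(did)
    if participant is None:
        return False  # DID not listed in the governance file: default deny
    return any(action in gov["roles"][r] for r in participant["roles"])

def next_steps(gov, did, completed_action):
    """Workflow steps that may follow completed_action; [] if the actor was not authorized."""
    if not is_authorized(gov, did, completed_action):
        return []
    return gov["workflow"].get(completed_action, [])

GOV = load_governance(GOVERNANCE_JSON)
```

Because the decision uses only the cached file, no call to an outside service is needed at verification time; changing who may do what means publishing a new file rather than releasing new agent code.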
How Are Governance Files Different from Trust Registries?
There seem to be a variety of definitions for trust registries which don't appear to mean exactly the same thing. Here are some I have heard of:
A live service that agents must call to determine trust status
A tool for creating and publishing machine-readable governance framework files
A system for discovering, listing, searching, and/or sharing governance framework files
Machine-Readable Governance In Real Life
Trials
Built two VC trials with SITA in Aruba
Helping the island recover from the shock and changes introduced by COVID
Goals
Prove that verifiable credentials would work for the health and tourism needs of Aruba
Prove that governance could be nimble when dealing with the dynamic COVID situation
Results
Applied Cardea lab result and vaccine schemas
First used on-island and then off-island health data
Established roots of trust for the island's tourism ecosystem
Implemented procedures and rules in a way that could be easily updated (and were on three different occasions)
Summary: Governance framework files were effective in establishing a trusted digital ecosystem for health and travel credentials and workflows in Aruba
What Needs to Be Done?
RFC for work to date
Improve creation of governance files
Work out signing and publishing
Begin working on methods for disclosing, sharing, discovering