[megadal]

> Most of the criticisms against Web 3.0 still apply to DID. It can be impossible to revoke, as the article stated. Which means if grandma’s wallet is hacked, she can be impersonated forever by the hacker, and not even the government can help her with this.

VCs have credentialStatus, the id property of which is supposed to be a URI resolving to an RDF defined object dictating the status.

This means the issuer can just update the entity living behind that URI to revoke bad credentials.

https://www.w3.org/TR/vc-data-model-2.0/#status

[jiggawatts]

If there's a central revocation list, then it's a centralised identity with a centralised authority.

That's the opposite if the "distributed" in DID, at least in the sense that the pro-Web-3.0 crypto fans are claiming.

[megadal]

Again, you're conflating DID with VC improperly.

VC is an extension built on top of DID. It's not decentralized Verifiable Credentials, it's just Verifiable Credentials.

The entire article is about VC, and refers to VC as DID (which is also what you're wrongly doing).

It's like criticizing the collective web standard based on REST. REST is not the web.

Also, the part that makes VC decentralized is the alternative (OIDC authorization code flow). VC doesn't require the issuer for verification. (So basically the user has control over attestation of information about their identity, not some third party)

That means even though the Gov issued you an ID they can't track every time you have your credentials verified.. it works exactly like a physical ID. It's issued by the government, but the government isn't there every time you need to show ID. Some might consider that an invasion of privacy if they were.