Re: Proof of possession

On 06/14/2016 11:10 AM, David Chadwick wrote:
>
>
> On 14/06/2016 15:59, Manu Sporny wrote:
>> On 06/14/2016 10:34 AM, David Chadwick wrote:
>>> And if I do not want to register a subject ID, can I simply use
>>> my public key as my subject ID and submit the same string twice?
>>
>> In theory, yes.
>>
>> In practice, no one has built out that kind of system because it
>> doesn't address many of the use cases we have. Some see it as an
>> evolutionary dead end - it's great for pseudo-anonymity, but
>> doesn't address the vast majority of multi-origin use cases we
>> have.
>
> I agree that with multiple credential issuers (I assume that is what
> you mean by multi-origin) some sort of correlating handle is needed
> in order to prove that all the credentials belong to me.
>
> So I see why a registered globally unique ID is useful to solve this
> problem.
>
> But if I had a public key specifically minted for one
> requester/relying party, and all my issuers would bind my claims to
> this, then I could prove possession of all credentials to this
> requester/relying party. And I would not actually need to register
> this public key anywhere as I can always prove possession.

Yes, until you lose your key or it becomes obsolete. What you're
suggesting would work just fine with the data model and syntax we're
proposing, it just has trade-offs in the approach.


-- 
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com

Received on Tuesday, 14 June 2016 17:14:54 UTC
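
The scheme discussed in this message (a public key minted for one relying party and used directly as the subject ID, with the lost-key trade-off noted in the reply), as an added example that is not part of the original message or of any code from the participants. It uses Node.js `crypto` with Ed25519; the function names, `rp.example`, the two issuers and the fixed nonces are constructed for illustration.

```javascript
// Added example; every name below is hypothetical, not an API from the thread.
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
// The subject ID is the SPKI-encoded public key itself: nothing is registered.
const keyId = (pub) => pub.export({ type: 'spki', format: 'der' }).toString('base64');
const pubFromId = (id) =>
  crypto.createPublicKey({ key: Buffer.from(id, 'base64'), format: 'der', type: 'spki' });
const sign = (key, msg) => crypto.sign(null, Buffer.from(msg), key.privateKey).toString('base64');
const check = (id, msg, sig) =>
  crypto.verify(null, Buffer.from(msg), pubFromId(id), Buffer.from(sig, 'base64'));

// Issuer binds a claim to the key the holder minted for one relying party.
function issue(issuerKey, subjectId, claim) {
  const body = JSON.stringify({ subject: subjectId, claim });
  return { body, issuer: keyId(issuerKey.publicKey), sig: sign(issuerKey, body) };
}

// Holder proves possession by signing the relying party's fresh nonce.
function present(holderKey, credentials, audience, nonce) {
  return {
    subject: keyId(holderKey.publicKey),
    credentials,
    proof: sign(holderKey, `${audience}|${nonce}`),
  };
}

// Relying party checks issuer signatures, the subject binding, then possession.
function verify(p, audience, nonce, trustedIssuers) {
  for (const c of p.credentials) {
    if (!trustedIssuers.includes(c.issuer)) return 'untrusted issuer';
    if (!check(c.issuer, c.body, c.sig)) return 'bad issuer signature';
    if (JSON.parse(c.body).subject !== p.subject) return 'bound to another key';
  }
  return check(p.subject, `${audience}|${nonce}`, p.proof) ? 'ok' : 'no proof of possession';
}

// Constructed scenario: two issuers, one relying party, then a lost holder key.
function demo() {
  const [uni, bank, holder, replacement] = [newKey(), newKey(), newKey(), newKey()];
  const trusted = [keyId(uni.publicKey), keyId(bank.publicKey)];
  const creds = [
    issue(uni, keyId(holder.publicKey), { degree: 'BSc' }),
    issue(bank, keyId(holder.publicKey), { accountHolder: true }),
  ];
  return {
    fresh: verify(present(holder, creds, 'rp.example', 'n1'), 'rp.example', 'n1', trusted),
    replayed: verify(present(holder, creds, 'rp.example', 'n1'), 'rp.example', 'n2', trusted),
    afterKeyLoss: verify(present(replacement, creds, 'rp.example', 'n3'), 'rp.example', 'n3', trusted),
  };
}
```

The `afterKeyLoss` result shows the trade-off: once the pairwise key is gone, every credential bound to it has to be reissued, because no registered identifier sits between the claims and the key.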