
Re: Use-Cases - pseudo-anonymity examples

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Thu, 03 Mar 2016 01:32:44 +0000
Message-ID: <CAM1Sok3=9eYTgxp4xKWDwHMyyuZ9_yPgbhS5K69uNWK5yc3P4g@mail.gmail.com>
To: Dave Longley <dlongley@digitalbazaar.com>, Steven Rowat <steven_rowat@sunshine.net>, public-credentials@w3.org

High-risk vs. low-risk seems to be the wrong analogy.

What is the means for declaring security between 99.999999% secure and
0.0000001%?

Two gears, high and low, would likely isolate too many use cases and result
in setting the bar too low, as opposed to rationalising why some of the
higher end, life-threatening stuff is difficult if not impossible to
promise.

On Thu, 3 Mar 2016 at 6:20 AM, Dave Longley <dlongley@digitalbazaar.com>
wrote:

> On 03/02/2016 12:26 PM, Steven Rowat wrote:
> > On 3/1/16 9:41 PM, Anders Rundgren wrote:
> >> Pardon the naive question (I haven't followed the credentials work in
> >> detail), but how is link between the credential and the documents it is
> >> supposed to be associated with?
> >
> > I don't know. I was assuming in the new examples I provided (anonymous
> > Journalist, Scientist whistle-blower, pseudonymous Novelist) that:
> >    a)  it would turn out to be more or less the same code mechanism as
> > the existing "June and the bottle" example would need;
> >    b)  some mechanisms for doing this have been discussed in the past; and
> >    c)  the current goal is to get the Charter accepted (work protocol
> > time-lines and use-case goals), not specific data structures.
> >
> > So IMO the answer to your question lies in the work that would be done
> > after the Credentials technical group is underway.
> >
> > But I may misunderstand the process. Can anyone else comment?
>
> You understand the process correctly, but there is an element of this
> that is important in what user stories we tell in the use cases we're
> submitting for review.
>
> As you have pointed out, scenarios that involve the use of
> pseudo-anonymous credentials may differ quite differently in terms of
> risk. It isn't necessarily true that the same mechanism used to provide
> pseudo-anonymity in low-risk scenarios would be the same as the one used
> in high-risk scenarios.
>
> People reviewing the charter and use cases may look at high-risk
> scenarios and reason that the problem is too difficult to solve and
> decide to vote against the work proceeding. I myself think that there
> are high-risk pseudo-anonymity use cases that are not solved nearly as
> easily or via the same mechanisms as low-risk scenarios.
>
> I think it's a good idea to keep high-risk scenarios around as targets
> for future work, but I don't think we should say we need to solve them
> in our first attempt to get work started. I would prefer to keep such
> use cases in our community group's "vision document" or "larger set of
> use cases for the future". I think they could be a distraction and harm
> our chances to get work started.
>
>
> --
> Dave Longley
> CTO
> Digital Bazaar, Inc.
> http://digitalbazaar.com
>
>
Received on Thursday, 3 March 2016 01:33:23 UTC
