Re: Use Case: Transaction Identification (travel use cases) from Bohdan Andriyiv on 2018-07-11 (public-credentials@w3.org from July 2018)

From: Bohdan Andriyiv <bohdan.andriyiv@validbook.org>
Date: Wed, 11 Jul 2018 17:59:23 +0300
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Credentials Community Group <public-credentials@w3.org>
Message-ID: <CALqw9pWehvqQpyXJQEnuotrVDAt-QdE+WdCDvkHQuK7SrDSX+g@mail.gmail.com>

> VC's contain a "Terms of Use" field...
> ...Issuer and Holder  ...  can attach Terms of Use to the data and
digitally sign it such that their intent in sharing the [PII] data is clear.

At risk of stating the obvious, but to be clear - a "Terms of Use" field
does not solve the risks of improper PII usage by unreliable parties.
A "Terms of Use" field lessen the ability to use VC that contains PII, but
PII itself remains unprotected.

To solve the issue of  "sensitive PII in the hands of unreliable holder",
we will have to use the mix of - unlostable DIDs, e2ee, and hubs of
encrypted PII guarded by trusted intermediaries. See the logic described in
my previous email -
https://lists.w3.org/Archives/Public/public-credentials/2018Jul/0024.html.

Do you think this solution is too complex, unlikely? or you think a "Terms
of Use" field alone, will be enough in practise?

On Wed, Jul 11, 2018 at 4:36 PM, Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On 07/11/2018 12:53 AM, Carlos Bruguera wrote:
> > One thing that's not clear to me yet, though, is how can DIDs/VCs
> > actually avoid the risks of improper personal information management
> > once credentials and personal data have been shared with a relying
> > party... Any opinions shared by the community on this regard?
>
> VC's contain a "Terms of Use" field:
>
> https://w3c.github.io/vc-data-model/#terms-of-use
>
> While the contents of that field are still under discussion, the idea is
> that both the Issuer[1] of the Verifiable Credential and the Holder[2],
> who creates Verifiable Presentations[3], can attach Terms of Use to the
> data and digitally sign it such that their intent in sharing the data is
> clear.
>
> This enables issuers to say things like: "This credential can only be
> used to prove citizenship."
>
> It also enables holders (us) to say things like: "I only authorize the
> use of this credential to establish an account with your service, you
> are not authorized to store, cache, or share the credential."
>
> ... but in a machine-readable way that makes processing and compliance
> with those statements automatic.
>
> -- manu
>
> [1] https://w3c.github.io/vc-data-model/#dfn-issuers
> [2] https://w3c.github.io/vc-data-model/#dfn-holders
> [3] https://w3c.github.io/vc-data-model/#presentations
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Veres One Decentralized Identifier Blockchain Launches
> https://tinyurl.com/veres-one-launches
>
>

Received on Wednesday, 11 July 2018 14:59:52 UTC