Re: committing fraud with credentials from Tim Bouma on 2019-05-09 (public-credentials@w3.org from May 2019)

From: Tim Bouma <trbouma@gmail.com>
Date: Thu, 9 May 2019 08:19:46 -0400
To: Daniel Hardman <daniel.hardman@evernym.com>
Cc: Credentials Community Group <public-credentials@w3.org>
Message-ID: <CAPzZSkg4dLOryWxZMcBqTXxnOZa5c+X_TYmnTOA_BfMRpxKf+g@mail.gmail.com>

Daniel,

This is an excellent start! I'd be very keen to map these threats (fraud)
to our trusted process definitions, to yield a more generalized threat
model. You can see the trusted process definitions at the link below. Your
scenarios mostly map to the credential processes by may map to other
trusted process, as well. We have been focusing on what are the threats to
the identity trusted processes, and your efforts would make an excellent
complement toward a more generalized model, which could be the basis for a
#RWOT paper as well.

Best regards,

Tim


https://docs.google.com/spreadsheets/d/1oUkiAbBcZCzyO8q6pvOTM7IQ5sf7l49xt-HpUqYNup8/edit?usp=sharing



On Wed, 8 May 2019 at 15:40, Daniel Hardman <daniel.hardman@evernym.com>
wrote:

> At IIW last week, Rouven Heck called a session to explore the topic of
> committing fraud with link secrets. This was a very interesting session,
> and I think it generated some new knowledge and a set of follow-on topics.
> I then called a follow up session on the broader topic of committing fraud
> with credentials in general--both ZKP- and non-ZKP-based. We had a number
> of smart minds in the room, including good representation from the CCG's
> own Daniel Burnett.
>
> I intend to pursue this topic in greater detail. In the second IIW
> session, we began to create a matrix that lists particular attack scenarios
> as rows, and that shows remediations for particular credential types as
> columns. It is still quite sparse, but already has important info in it.
> Anybody can comment on the spreadsheet
> <https://docs.google.com/spreadsheets/d/1HALoNgZ7GTogw324squ7LRL4unfLSmPH_8B1ibxCQgE/edit#gid=0>;
> if you want edit access, ping me.
>
> I intend to pursue this topic more carefully, and hope to produce some
> kind of a whitepaper about it. If people would like to collaborate, let me
> know. We could do this under the auspices of the CCG, as an official work
> item, but I am not specifically proposing that here. I will probably
> publish something under my own name regardless.
>
> --Daniel
>


-- 
Follow me on Twitter: http://twitter.com/trbouma

Received on Thursday, 9 May 2019 12:20:22 UTC