- From: Jeffrey Burdges <jeffrey.burdges@inria.fr>
- Date: Fri, 28 Jul 2017 01:14:56 +0200
- To: public-vc-wg@w3.org
- Message-ID: <1501197296.3605.336.camel@inria.fr>
On Thu, 2017-07-27 at 14:48 -0400, Tristan Hoy wrote: > The current draft architecture for Verifiable Claims describes a > single point of privacy failure: the identifier registry. I'm not up to speed on the current proposals, or exchange, but it's likely much worse than this. Just the nonces, and even hash of the message, in most signature schemes already wreck any sort of privacy. To do this sort of thing ethically, the specification should mandate specific named secure privacy preserving scheme that verifies the whole certificate chain in zero-knowledge, and requires that issuers get entirely new certificates. After that, you must somehow magically ask the CA to be able to attest for the validity of a "claim" where nobody but the claim holder can even know who the issuer is. Good luck with selling that! As I've said previous, doing "claims" correctly remains an area for cryptographic research that is not likely to be ready for standardization anytime soon. I mentioned a couple recent examples of claims done well here : https://github.com/w3c/verifiable-claims/issues/1 Jeff
Received on Thursday, 27 July 2017 23:15:24 UTC