
Re: [WebCrypto.Next] Linking web identities with real-world identities

From: Eduardo Robles Elvira <edulix@agoravoting.com>
Date: Sat, 14 Feb 2015 11:55:50 +0100
Message-ID: <CAHwZu3cO=42Kgiq8noOSVQcZOkrA19BvihXpoOfM0BhgTkiaRw@mail.gmail.com>
To: Dave Raggett <dsr@w3.org>
Cc: "Mike O'Neill" <michael.oneill@baycloud.com>, public-web-security@w3.org, public-privacy@w3.org

Hello Dave:

This sounds interesting to me. I work on an electronic voting system
and identity verification is, as you can imagine, a very important
issue. Some thoughts:
 - This kind of thing might be useful for payments, but of course can
be very handy in many other use cases.
 - how does this relate to HOBA? [2] (HOBA provides auth credentials
and implements a verification procedure)
 - In e-voting, having a somehow standardized yet powerful/flexible
procedure would be useful. Sometimes we need to verify age, others we
have to verify postal codes, and I can only wonder what would be the next
thing they might need to verify.
 - Mention of the idea of using coordinate cards (as some banks use)
as a challenge/verification procedure.

[2] https://github.com/razevedo/hoba-authentication

Eduardo Robles Elvira     @edulix             skype: edulix2
http://agoravoting.org       @agoravoting     +34 634 571 634

On Sat, Feb 14, 2015 at 11:31 AM, Dave Raggett <dsr@w3.org> wrote:
> On 13 Feb 2015, at 21:22, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>
> I agree that an identity verification protocol based on explicit consent
> should be a standard component of the web platform, but I think it should be
> designed so there would be no need for a fixed “real-world” identity.
>
> The third-party entities could validate an arbitrary set of attributes, some
> of which may identify a legal person i.e. passport or birth certificate, but
> others could be anonymous attributes such as membership of a club, a child’s
> age, an anonymous audience category, or any attribute that the parties need
> and agree to without the necessity to inform any of the parties, including
> the validating parties, of other identifying attributes.
>
> These refer to additional use cases, e.g. to prove that I am a child for
> access to a safe site for children.  I would encourage you to describe the
> use cases, since this is important for justifying work on a standard. There
> are no major technical barriers to pseudo-anonymous identity verification,
> so this is mostly about consensus building.
>
> I built a demo for this kind of approach some years back around a use case
> where you need to prove you are a current student at a given university to
> gain access to a site run by students for students. The demo uses a Firefox
> extension for idemix. More details are given at:
>
>      http://people.w3.org/~dsr/blog/?p=95
>
> It might be easier, however, to start with work on a standard for simple
> comparisons against attributes, where the website/app already knows your
> name and address etc., and wants to verify that the web identity you are
> logged in with corresponds to that real-world identity. This doesn’t involve
> a loss of privacy since the website and the identity agent being asked to
> perform the verification already know your real-world identity.
>
> —
>    Dave Raggett <dsr@w3.org>
Received on Saturday, 14 February 2015 10:56:49 UTC
