- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Thu, 18 Feb 2016 13:29:30 -0500
- To: Timothy Holborn <timothy.holborn@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>
On 02/18/2016 12:50 PM, Timothy Holborn wrote:
> So,
>
> I assume apple[1] can decrypt it.

I think that's a big assumption. Have they said that? I don't know how they do their encryption, but if they are using symmetric encryption where the key is derived from a password only the user knows, then, no, they can't decrypt it. Unless the password is easily guessable, it's not feasible to brute force attack the encryption.

> So, the issue is how to trust gov? Locally or internationally?
>
> Couldn't a bunch of approved credentials be used to present something
> at the phone that in-turn allows that device to say, recognise the
> president said - executive orders - open it.

You could do two forms of encryption: one for the user and one using a public key owned and protected by the government. Of course, then the government can read everyone's private data. I suppose you could require a credential from a court (signed by the court's public key) indicating a court order was granted to the government in order to use their key to read the data ... but it's all a little unclear as to whether or not these protections would actually be followed, or rather, if they weren't, that a violation of them could be easily detected.

--
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com
Received on Thursday, 18 February 2016 18:29:57 UTC