W3C home > Mailing lists > Public > public-credentials@w3.org > June 2016

Re: Proof of possession

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Tue, 14 Jun 2016 15:34:06 +0100
To: public-credentials@w3.org
Message-ID: <50a5e669-ea87-4044-4e39-55b2f0b52461@kent.ac.uk>
And if I do not want to register a subject ID, can I simply use my
public key as my subject ID and submit the same string twice?



On 14/06/2016 14:50, Manu Sporny wrote:
> On 06/14/2016 03:13 AM, David Chadwick wrote:
>> Having read the latest architecture document
>> http://w3c.github.io/webpayments-ig/VCTF/architecture/v4/
>> I note that there is no explicit mention of proof of possession
>> (PoP).
> PoP is an implementation detail based on the "Subject Identifier" and
> the contents of the "Digital Signature of Issuer":
> http://w3c.github.io/webpayments-ig/VCTF/architecture/v4/#verifiable-claim
> We have tried very hard to not inject implementation details into the
> architecture diagram. Implementation details are what the Verifiable
> Claims Working Group are supposed to determine.
>> Is this because the group has not discussed this topic, or has
>> already decided to recommend or prohibit the use of
>> bearer tokens, public keys of subjects, or subject identifiers
> None of those have been "prohibited from use" in phase I of the
> Verifiable Claims Working Group charter work. Phase I is about
> establishing a data model and set of syntaxes for expressing verifiable
> claims.
> One deployment may choose bearer tokens (for the purposes of
> implementation ease or pseudo-anonymity), another may use public keys of
> subjects (if Subject and Holder are the same), another may use public
> keys of holders (if Subject and Holder are different).
>> I tend to get the impression that subject identifiers seem to be the 
>> implicit way of providing PoP. Is this correct?
> Yes, more or less. This is what an entry in the Identifier Registry
> looks like today:
> https://authorization.io/dids/did:76d0cdb7-9c75-4be5-8e5a-e2d7a35ce907
> "id" is the Subject Identifier
> "publicKey" is the Subject Identifier's public key
> One way the registry could be implemented in the long term is storing
> this information in a Kademlia+ hardened DHT with a
> Blockchain/Generalized Ledger storing the history for each Subject
> Identifier. Note that I said ONE way that it could be implemented, there
> are many - each with their benefits and drawbacks.
> Also note that this is an implementation detail and we don't need to
> solve this problem for the Phase I work. It's discussed in the
> architecture so that folks have a better idea of the type of system that
> we're trying to build.
> -- manu
Received on Tuesday, 14 June 2016 14:34:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:17:53 UTC