W3C home > Mailing lists > Public > public-credentials@w3.org > June 2016

Re: Proof of possession

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Tue, 14 Jun 2016 16:10:42 +0100
To: public-credentials@w3.org
Message-ID: <e82531b1-d9cf-3d8d-db03-43208efe179b@kent.ac.uk>

On 14/06/2016 15:59, Manu Sporny wrote:
> On 06/14/2016 10:34 AM, David Chadwick wrote:
>> And if I do not want to register a subject ID, can I simply use my 
>> public key as my subject ID and submit the same string twice?
> In theory, yes.
> In practice, no one has built out that kind of system because it doesn't
> address many of the use cases we have. Some see it as an evolutionary
> dead end - it's great for pseudo-anonymity, but doesn't address the vast
> majority of multi-origin use cases we have.

I agree that with multiple credential issuers (I assume that is what you
mean by multi-origin) some sort of correlating handle is needed in order
to prove that all the credentials belong to me.

So I see why a registered globally unique ID is useful to solve this

But if I had a public key specifically minted for one requester/relying
party, and all my issuers would bind my claims to this, then I could
prove possession of all credentials to this requester/relying party. And
I would not actually need to register this public key anywhere as I can
always prove possession.


> What would need to be done to achieve what you are saying is:
> 1. A terse public key identifier/fingerprint format
> 2. A digital signature suite that uses the public key fingerprint
>    as the creator of the signature.
> 3. A protocol that uses #1 and #2 above.
> #1 and #2 are not difficult. #3 is a lot of work, but is do-able.
> -- manu
Received on Tuesday, 14 June 2016 15:11:01 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:17:53 UTC