Re: Proof of possession

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Tue, 14 Jun 2016 13:14:29 -0400
To: David Chadwick <d.w.chadwick@kent.ac.uk>, public-credentials@w3.org
Message-ID: <57603B75.401@digitalbazaar.com>

On 06/14/2016 11:10 AM, David Chadwick wrote:
> On 14/06/2016 15:59, Manu Sporny wrote:
>> On 06/14/2016 10:34 AM, David Chadwick wrote:
>>> And if I do not want to register a subject ID, can I simply use
>>> my public key as my subject ID and submit the same string twice?
>> In theory, yes.
>>
>> In practice, no one has built out that kind of system because it
>> doesn't address many of the use cases we have. Some see it as an
>> evolutionary dead end - it's great for pseudo-anonymity, but
>> doesn't address the vast majority of multi-origin use cases we
>> have.
>
> I agree that with multiple credential issuers (I assume that is what
> you mean by multi-origin) some sort of correlating handle is needed
> in order to prove that all the credentials belong to me.
>
> So I see why a registered globally unique ID is useful to solve this
> problem.
>
> But if I had a public key specifically minted for one
> requester/relying party, and all my issuers would bind my claims to
> this, then I could prove possession of all credentials to this
> requester/relying party. And I would not actually need to register
> this public key anywhere as I can always prove possession.

Yes, until you lose your key or it becomes obsolete. What you're
suggesting would work just fine with the data model and syntax we're
proposing; it just has trade-offs in the approach.

Dave Longley
Digital Bazaar, Inc.
Received on Tuesday, 14 June 2016 17:14:54 UTC
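
The arrangement discussed in this message, as an added Go sketch that is not part of the original e-mail or of the group's data model: two issuers bind claims to one public key minted for a single relying party, which then checks a signed nonce as proof of possession, and the last case shows the lost-key trade-off. The `Credential` layout, `Issue`, `Verify`, `Scenario`, the claim strings and the nonces are all assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Credential (hypothetical format): Subject is the holder's raw public key for one relying party.
type Credential struct {
	Subject, Issuer ed25519.PublicKey
	Claim, Sig      []byte
}
func (c Credential) payload() []byte { return append(append([]byte{}, c.Subject...), c.Claim...) }

// Issue binds a claim to the subject key with the issuer's signature.
func Issue(priv ed25519.PrivateKey, subject ed25519.PublicKey, claim string) Credential {
	c := Credential{Subject: subject, Issuer: priv.Public().(ed25519.PublicKey), Claim: []byte(claim)}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// Verify: trusted issuers, one shared subject key, and that key signed this party's fresh nonce.
func Verify(creds []Credential, trusted map[string]bool, nonce, proof []byte) bool {
	if len(creds) == 0 || len(creds[0].Subject) != ed25519.PublicKeySize {
		return false
	}
	for _, c := range creds {
		if !trusted[string(c.Issuer)] || !bytes.Equal(c.Subject, creds[0].Subject) ||
			!ed25519.Verify(c.Issuer, c.payload(), c.Sig) {
			return false
		}
	}
	return ed25519.Verify(creds[0].Subject, nonce, proof)
}

// Scenario runs the exchange with constructed issuers, claims and nonces.
func Scenario() (valid, replayed, afterKeyLoss bool) {
	uniPub, uni, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	govPub, gov, _ := ed25519.GenerateKey(nil)
	trusted := map[string]bool{string(uniPub): true, string(govPub): true}
	pub, priv, _ := ed25519.GenerateKey(nil) // pairwise key, registered nowhere
	creds := []Credential{Issue(uni, pub, "degree=BSc"), Issue(gov, pub, "over18=true")}
	n1, n2 := []byte("constructed-nonce-1"), []byte("constructed-nonce-2")
	proof := ed25519.Sign(priv, n1)
	_, fresh, _ := ed25519.GenerateKey(nil) // original key lost, holder mints a new one
	return Verify(creds, trusted, n1, proof), Verify(creds, trusted, n2, proof),
		Verify(creds, trusted, n2, ed25519.Sign(fresh, n2))
}
func main() { fmt.Println(Scenario()) }
```

Nothing outside the credentials links the replacement key to the lost one, so every issuer would have to re-issue against the new key before the holder could prove possession again.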