- From: David Chadwick <D.W.Chadwick@kent.ac.uk>
- Date: Sun, 25 Jun 2017 22:02:37 +0100
- To: public-credentials@w3.org
On 25/06/2017 19:52, Joe Andrieu wrote: > Good discussion. I've done my best to trim my response. > My apologies for its length. > > On Sun, Jun 25, 2017, at 05:37 AM, David Chadwick wrote: >> To be more precise, verification comprises authentication and >> identification. > > I appreciate where you're coming from, but I think authentication > is explicitly out of scope for VCs. Sorry but I have to disagree with you. Authentication is the process of verifying the identity of an entity, so this is definitely within scope. Issuers have to be identified and their VCs authenticated. (Actually when you read on I think you will find in many cases we agree on the substance but not on the labels we give them). > > I'll restate see if I'm understanding what you meant, prefixing with =>. > >> In order to verify a claim I think that the following >> procedure is needed: >> >> 1. The inspector needs to first identify the issuer and the subject. > > => The inspector needs to correlate the issuer and subject in the claim > with entity representations in its own model, either relating them to > entities already known or bootstrapping new entities to associate > with the identifiers. For the subject yes, but I think the inspector would be hard pressed to bootstap a new trusted issuer at the time of receiving the VC. There has to be a trust relationship between the issuer and the inspector, and creating this dynamically at the time of receipt of a VC makes the eco-system overly complex in my opinion (at least in the first version of our work). It would require some sort of TTP to verify the trustworthiness of some (currently unknown) issuer. I suggest that this is left for further study and version 2 of the VC ecosystem if we can get version 1 accepted by people first. > > This is innate to applying the claim to the internal model of > the inspector. An important step, but not one particularly facilitated > by the VC architecture. It certainly is facilitated, as the VC data model contains the IDs of both the issuer and the subject (as URIs). If they were absent from the data model then the verification process would not work. > In fact, selective and minimal disclosure > will make it more challenging as identifiers increasingly become > unique, pair-wise, and self-sovereign. I don't believe so. The subject can be identified solely by their URI identifier, which is nothing to do with selective disclosure as the ID is in the VC. The issuer cannot be selectively disclosed either. It has to be fully disclosed whatever cryptography you are using, otherwise the inspector cannot authenticate the VC. > > For example, verifiable claims don't depend on a centralized > registry for looking up public keys for well-known entities. This, IMO, > is fundamental to the principle that anyone can issue a claim about > anything. There is no PKI or DNS to anchor a root identity authority> > However, there is also nothing keeping an issuer from using PKI, > DNS, or DIDs from publishing well-known IDs and associated keys > for use in Verifiable Claims. I think the above points are not particularly relevant to identification, since the VC contains the IDs of both the subject and the issuer. > >> 2. The inspector then needs to authenticate that the VC was issued by >> the identified issuer and has not been revoked since issuance. > > => Given the cryptographic signature, the id of the issuer and a > potential external revocation method, the inspector determines > whether or not the statement is legitimate. This is the process of authentication. So you appear to agree with me that the VC needs to be authenticated. Perhaps it is solely the use of terminology where we differ, and not in the substance of the point. > > This is what I consider verification in the sense we mean it in > verifiable claims. That is, this is what "verifiable" means. Sorry but I disagree with you on this point. There is a big difference between an authentic claim and a valid claim. The inspector is interested in receiving valid claims, not just authentic ones. A claim can be authentic but invalid e.g. paper money issued by Sadam Hussein's regime is authentic but not valid anywhere for purchasing anything. My driver's licence is authentic but if you presented it, it would be invalid. Issuers are interested in verifying valid claims, and will discard all invalid claims, whether authentic or not. So the first step of verification is to ensure the claim is authentic, then the next step is to ensure it is valid. Both are part of the verification process. > >> 3. The inspector then needs to verify that the issuer is trusted to >> issue the contents of the claim. > > => The inspector then judges the merit of a claim based on the > contents of the claim and its own trust model of the issuer > for the statement in the claim. > > This is true of any data acquired by the inspector. > Fundamentally, the inspector has to decide who to trust for > what types of assertions. So we agree on the substance of this point. This in my terminology is the process of validating the claim and is part of the verification process. > >> 4. If the subject is 'any/bearer' the verification procedure now ends. > > => In the case of a bearer claim, no further action necessary. So again we agree, which is good. > >> 5. Otherwise the inspector needs to authenticate the presenter. If the >> presenter is the subject the verification procedure ends. > > => The inspector then needs to ascertain if the presenter is who they > think it is. Again, this is a definition of authentication (if you replace 'think' with 'say'). > If the subject and presenter are the same entity, stop. > > This is only true in cases where the presenter is semantically relevant > to the statement. If the statement is that the "The president > denies the allegations of misconduct." and the issuer is > authenticated as the White House Press Secretary, then it > doesn't matter who presents the claim. Sorry, but my statement is always true. You are saying that when the subject and presenter are different you may also stop, but this does not negate the fact that when they are the same you definitely do stop. In fact I would argue that your example is one that requires moving onto step 6. In your example, the presenter is authorised to present the claim, because everyone in the world has been authorised to present it, by the very nature of the claim. > Perhaps you could > say statements of this kind are "bearer claims" but that seems > odd to me. It is an independent claim. Maybe that's a better > term for claims independent of the presenter. I would say your example is one of a 'public claim' that anyone can present. Public claims are quite different to the VCs we normally consider, since there is no privacy protection required in a public claim. > > Your argument suggests that claims about the presenter imply > consent. When claims contain PII, then the subject does need to give consent for the information to be given to the inspector. This is part of the EU data protection legislation (recently strengthened in the GDPR). The fact that the presenter (subject) has freely given his/her VC to the inspector shows they have consented to the release. So the VC model actually supports the GDPR quite nicely. > That's valid, but the inverse is not. Just because the > claim is not about the presenter doesn't imply a separate > consent from the subject is necessary. If it does, we have a lot > more work to do. If the claim is a public claim (as in your example) then no consent is needed as the subject's privacy has not been invaded by copying public information. But if the claim contains some PII of the subject, then the subject does need to give consent for the presenter to present it to the inspector. If the presenter cannot show consent, then in Europe at least, the presenter can be prosecuted for violating the privacy of the subject. > > This begs the question "Are VCs designed to be dependent > on the presenter?" Nowhere in our literature do we make that > assertion, but I think it is an expectation underlying many of > comments in the terminology discussion. > > My interpretation is that there is no innate semantic assertion > about the presenter when presenting a claim about a different > subject.This is the crux of the disconnect. There is no consensus > language about the meaning of presenting a claim. There is > agreement that the presenter need not be the subject, > but not about what they *do* need to be. If you read my earlier exchange with Steven Rowat, you might find that he has addressed this topic quite nicely. > >> 6. If the presenter is not the subject then the inspector needs to >> verify that the presenter is authorised to present the claim. This can >> be done in a variety of ways e.g. a pre-established trust relationship >> between the inspector and presenter; a VC delegating authority from the >> subject to the presenter; a recognised procedure for certain classes of >> subject and presenter; etc. > > => If the presenter and subject are distinct entities, the inspector must > ascertain if the presenter is authorized to present the claim. > > In some cases, this is entirely appropriate. However, this process > of authorization is, IMO, a part of the inspectors role in evaluating > the merits of a given claim. So far, we don't have hooks for > limiting who the presenter can be nor defining how authorization > of a presenter would be handled. In my view, this is part of claim verification, so is part of the VC work. In order to fully specify the lifecycle of a VC we need to say how an inspector verifies a claim. > > To wit, nowhere in the data model do we mention an identifier > for the presenter. > > However, we probably do need to make sure a TOS field is > available for credentials, claims, and profiles. > https://github.com/w3c/vc-data-model/issues/48 > > This could be the hook that enables authentication and > authorization of a presenter, but to date we have no language > addressing this requirement. > >> You seem to think that the VC verification model should stop at step 3. >> I would argue that these steps are necessary but not sufficient for >> verifying VCs. The VC verification process should comprise all steps >> necessary for the inspector to determine whether to keep the VC or >> discard it as untrustworthy. > > That's right. "Verifiable" in the sense of Verifiable Claims is > specifically limited to the mathematical proof of the cryptographic > signature combined with the procedural proof of non-revocation. > > That's it. > > Authentication, authorization, evaluation for merit, are all outside > the scope of Verifiable Claims data model. Yes, these are vital > for understanding how Verifiable Claims are going to be used > in practice and our use cases should explore these requirements, > however, they are not embedded in the promise of "verifiable". > > I think it is important that a VC can be "verified" without dependence > on the quality of the authentication, authorization, and merit > determinations of the inspector. The quality of those processes are > outside our remit. > > What we can control is how one verifies that a given statement was > legitimately made by a given issuer. > > That's hugely powerful. I think we should avoid implying benefits > beyond that. > > So, while I agree that the extra steps you describe are likely tasks > for many use cases, they are not innate to VC and as such, should > not drive terminology. > > Which is to say, defining the claimant/holder/presenter as > "presenter of profiles" or "presenter of claims" is the most rigorous > option, without attempting to require any rights or privileges > with respect to said presentation. What's important is that > they do the presenting, not that such presentation is appropriate, > authorized, or allowed. > > If it is inherent in VCs that all presenters are authenticated and > authorized, we have a ton of work to do on the data model before > its ready for FPWD. > > If I'm off base on my understanding of what VCs are designed to > do, I'm open to being corrected. We have clearly identified one disconnect between us, and that is the scope of the verification of VCs. So this is definitely something that needs to be resolved before we proceed much further, as I suggest it will impact on the terminology we use, and perhaps the data model as well. regards David > > -j > > -- > Joe Andrieu, PMP > joe@joeandrieu.com <mailto:joe@joeandrieu.com> > +1(805)705-8651 > http://blog.joeandrieu.com >
Received on Sunday, 25 June 2017 21:03:17 UTC