W3C home > Mailing lists > Public > public-credentials@w3.org > September 2017

Re: Verifiable Text-based Claims

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Fri, 15 Sep 2017 10:19:22 -0400
To: David Chadwick <D.W.Chadwick@kent.ac.uk>, Adam Sobieski <adamsobieski@hotmail.com>, "public-credentials@w3.org" <public-credentials@w3.org>
Message-ID: <3950dedd-8c98-d6cf-75dd-502248f8da01@digitalbazaar.com>
On 09/15/2017 05:51 AM, David Chadwick wrote:
> Hi Adam
> 
> the revocation statement should not contain details of the VC that has
> been revoked as this is privacy invasive. There are no ACLs on
> revocation lists (usually). All it should contain is the ID of the VC
> that has been revoked, signed by the issuer (in a similar way to an
> X.509 CRL). In this was an inspector who has the VC, has the unique ID
> and can therefore check if the VC was revoked or not

Another privacy-protecting mechanism can be to return a VC from the
revocation service that says your VC is not revoked, thereby allowing
you to fetch this yourself and include it with your VC when you submit
it to the relying party. This prevents the relying party from having to
hit the revocation service at all (leaking that information to it).
Instead they simply require an up-to-date "not revoked" VC from you
along with whatever you're sending.

> 
> regards
> 
> David
> 
> On 15/09/2017 02:52, Adam Sobieski wrote:
>> David,
>>
>> Updated the sketchpad per your recommendation:
>> https://w3c-ccg.github.io/verifiable-news/sketchpad.html#revocation-of-statements .
>>
>>
>> Best regards,
>> Adam
>>
>> *From:* David Chadwick <mailto:D.W.Chadwick@kent.ac.uk>
>> *Sent:* ‎Thursday‎, ‎September‎ ‎14‎, ‎2017 ‎6‎:‎33‎ ‎PM
>> *To:* public-credentials@w3.org <mailto:public-credentials@w3.org>
>>
>> Hi Adam
>>
>> On 14/09/2017 02:50, Adam Sobieski wrote:
>>> David,
>>>
>>> Thank you. At
>>>
>> https://w3c-ccg.github.io/verifiable-news/sketchpad.html#http-based-revocation ,
>>> I describe a system where Not found (404, 410) means revoked and Ok
>>> (200) means not revoked. I see what you’re saying about Not found
>>> meaning not revoked and Ok with a credential ID meaning revoked as well
>>> as the feature of retrieving lists of revoked credentials. I think that
>>> we should have both HTTP-based approaches. I updated the document with
>>> these ideas.
>>>
>>
>> In order to make the revocation more secure we placed a digitally signed
>> CRL at the revoke URL. In this way a hacker is not able to hack the web
>> site and get it to return OK with a message, because he does not have
>> access to the issuer's private key
>>
>> regards
>>
>> David
>>>
>>> Best regards,
>>> Adam
>>>
>>> *From:* David Chadwick <mailto:D.W.Chadwick@kent.ac.uk>
>>> *Sent:* ‎Wednesday‎, ‎September‎ ‎13‎, ‎2017 ‎3‎:‎21‎ ‎PM
>>> *To:* public-credentials@w3.org <mailto:public-credentials@w3.org>
>>>
>>> Hi Adam
>>>
>>> I notice that you are also including a revocation mechanism in your
>>> claims. I produced an IETF draft 10 years ago which proposed something
>>> very similar for X.509 certificates
>>> ( See https://www.ietf.org/archive/id/draft-chadwick-webdav-00.txt).
>>> Conceptually they are the same: the credential contains the URL where
>>> the revocation information can be found. If Not found is returned the
>>> credential has not been revoked, otherwise Ok is returned along with a
>>> CRL of length 1 containing the ID of the revoked credential. My ID
>>> contains other features as well, such as the ability to retrieve all the
>>> revoked credentials of a particular issuer. You might wish to consider
>>> this as well
>>>
>>> regards
>>>
>>> David
>>>
>>> On 12/09/2017 22:13, Adam Sobieski wrote:
>>>> I’m exploring and sketching some ideas with regard to verifiable
>>>> text-based claims.
>>>>
>>>> https://w3c-ccg.github.io/verifiable-news/sketchpad.html
>>>>
>>>> Questions, comments and suggestions welcomed.
>>>>
>>>>
>>>> Best regards,
>>>> Adam Sobieski
>>>>
>>>
>>
> 


-- 
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com
Received on Friday, 15 September 2017 14:19:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:13 UTC