- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 7 Jan 2020 14:07:06 -0500
- To: public-credentials@w3.org
On 1/7/20 1:22 PM, Oliver Terbu wrote:
> Note that JSON-only processors won't have that issue and you can
> replace "government" with any type of issuers that have an interest
> in the online behavior of the user.

JSON-only processors that don't have an extensibility mechanism will fail to enable diverse industries to create their own credential types and will fail in the market. What am I missing?

This isn't purely a JSON vs. JSON-LD issue -- it's a more specific version of the phone home problem and there are mechanisms (as Orie deftly outlined in the previous email) that can prevent phone home if a URL is going to be used to retrieve external information as a part of the verification process.

Note that the spec talks about this very attack:

https://www.w3.org/TR/vc-data-model/#validity-checks

There are also multiple solutions to this specific concern (among the ones that Orie has already mentioned), but the easiest ones at a higher level are:

* Wallets should mark VCs as potentially being used to track them if the JSON-LD Contexts are not well known.
* Verifiers should reject VCs containing contexts that are not well known and/or loaded from a cache.

... and in the very worst case:

* Industry launches a mix-net caching proxy for JSON-LD contexts if this really becomes an issue.

Does that answer your question, Oliver?

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches
Received on Tuesday, 7 January 2020 19:07:10 UTC
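An added example (not code from this thread or from Digital Bazaar) of the wallet-side and verifier-side checks Manu lists: a credential's @context entries are classified against a local cache of well-known contexts, and the document loader serves only from that cache, so an issuer-specific context URL is never fetched and cannot reveal when or where the credential is being verified. The VC v1 context URL is real; the cached contents, the allowlist, the sample credentials and the issuer.example URL are constructed stand-ins.

```python
from typing import Any

VC_V1 = "https://www.w3.org/2018/credentials/v1"

# Constructed local cache of well-known contexts (document bodies abbreviated;
# a real deployment would ship the full, pinned context documents).
WELL_KNOWN_CONTEXTS: dict[str, dict[str, Any]] = {
    VC_V1: {"@context": {"VerifiableCredential": "https://www.w3.org/2018/credentials#VerifiableCredential"}},
}

def remote_context_urls(doc: dict[str, Any]) -> list[str]:
    """Return the context URLs a JSON-LD processor would have to dereference.
    Inline (object) contexts carry their definitions with them and are never fetched."""
    ctx = doc.get("@context", [])
    entries = ctx if isinstance(ctx, list) else [ctx]
    urls = []
    for entry in entries:
        if isinstance(entry, str):
            urls.append(entry)
        elif not isinstance(entry, dict):
            raise ValueError(f"invalid @context entry: {entry!r}")
    return urls

def check_contexts(doc: dict[str, Any], role: str = "verifier",
                   cache: dict[str, Any] = WELL_KNOWN_CONTEXTS) -> tuple[str, list[str]]:
    """Classify a credential's contexts without touching the network.
    Wallets flag credentials with unknown contexts as potential trackers;
    verifiers reject them outright."""
    unknown = [u for u in remote_context_urls(doc) if u not in cache]
    if not unknown:
        return "accept", []
    return ("flag" if role == "wallet" else "reject"), unknown

def offline_loader(url: str, cache: dict[str, Any] = WELL_KNOWN_CONTEXTS) -> dict[str, Any]:
    """Document loader in the shape JSON-LD libraries expect; it only ever answers
    from the cache, so no verification step can phone home to an issuer."""
    if url not in cache:
        raise LookupError(f"refusing to fetch non-well-known context {url}")
    return {"contextUrl": None, "documentUrl": url, "document": cache[url]}

# Constructed sample credentials: one whose issuer added a context hosted on its own
# server (observable on every fetch), one that inlines its extra terms instead.
TRACKING_VC = {"@context": [VC_V1, "https://issuer.example/contexts/v1"],
               "type": ["VerifiableCredential"], "issuer": "https://issuer.example"}
INLINE_VC = {"@context": [VC_V1, {"loyaltyTier": "https://issuer.example/vocab#loyaltyTier"}],
             "type": ["VerifiableCredential"], "issuer": "https://issuer.example"}
```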