Re: A question on best practices for dependent claims

At least for medical, and maybe veterinary, practice the solution is not as
complicated as it would seem if we make best use of existing regulations
and practices. The problem arises when we try to overwhelm the existing
chains of trust with excess digital innovation.

For example:

   - Licensed physicians have public credentials that can be used to hold
   them accountable if their actions are logged in a non-repudiable way.
   - Because these credentials are public, it makes no difference how they
   are held or even if they are published by an oracle like a state board.
   - Many state and federal boards already offer APIs that can serve as
   oracles.
   - A simple DID credential that links an official oracle with the DID can
   be self-signed or co-signed by a notary who also reviews a driver's license.
   - DID wallets can also support a non-repudiable digital signature at
   least as good as the ink on paper ones.
   - Paper signatures in medicine are often accepted by verifiers based on
   "Trust On First Use" with out-of-band verification.
   - Timestamping signatures on public blockchains is easy and may almost
   be a commodity.
   - Licensed physicians and verifiers are typically subject to records
   retention regulations that combine with digital timestamps to close the
   loop on non-repudiation and enforcement.

In this example and many like it, the technology and standards related to
SSI are almost entirely in the control of the physician herself. Yes, she
has to install a relatively simple DID wallet. Yes, she has to go through
the one-time credential issuance process. The economic benefit to the
physician of a self-sovereign professional identity pays off handsomely in
terms of not sharing power or revenue with hospitals that provide them with
an administrative identity.

The oracles already exist and don't need to know about SSI or VCs.

The last thing left is hosting the digital transaction that brings patient
and doctor together and gets the document timestamped. This convener does
have to be SSI-aware and trusted as an intermediary by the patient, the
doctor, and the verifier. Nice thing is, these conveners can be almost
anywhere and don't themselves need to keep any patient data related to the
transaction, limiting both security and privacy risks.

Wouldn't this be the fastest way to gain mass adoption of SSI?

- Adrian



On Wed, Jul 29, 2020 at 6:37 PM steve capell <steve.capell@gmail.com> wrote:

> Hi all,
>
> I'm hoping some of you will have some sage advice for me on how best to
> handle a common pattern that we need to solve here in Australia.  The
> generalised case is that a certificate (i.e. credential) issued by X has
> little value to verifier Y unless backed up by an accreditation (i.e.
> credential) issued by recognised authority Z that says X is authorised to
> issue this type of claim.  Some real-world examples:
>
>    - Business identity ABN123 issues a claim that a consignment of wine
>    is genuine Penfolds.  But without another claim from IP Australia that
>    ABN123 is the holder of trademark "Penfolds" then it's of little value.
>    - Veterinary surgeon John Smith issues an animal health certificate
>    about Snoopy the dog.  But without a supporting claim from
>    https://www.anzcvs.org.au/ that John Smith is an accredited veterinary
>    surgeon, the certificate is useless.
>    - And there are hundreds of others....
>
> Some initial thinking
>
>    - If these are totally separate credentials then there is a problem
>    with identity linking.  The subject of one claim (John Smith is a vet) must
>    be identical to the issuer of the other claim (Snoopy is healthy).  Even if
>    the identifiers are the same, there are lots of John Smiths in the world so
>    how to be sure that the one issuing the cert about Snoopy is the one that
>    was accredited?  Does John Smith first create a self-sovereign identity and
>    get https://www.anzcvs.org.au/ to issue the claim to that identity?
>    - Another approach is that the accreditation authority runs a service
>    that counter-signs each certificate.  So John issues the health cert and
>    then authenticates to https://www.anzcvs.org.au/ and gets it
>    counter-signed.  The verifier can trace the authority through a single
>    health certificate.  This implies some real-time infrastructure capability
>    on the part of all accreditation authorities that might be a bit
>    impractical.
>    - Another is that the accreditation authorities maintain public lists
>    of accredited identities via some public ledger protocol. Verifiers can
>    check the issuer id in the health claim and then check the public list.
>    Maybe the lists need to be anonymised via some kind of zero knowledge
>    proof.
>    - and so on...
>
> Looking for best practice advice that is both cryptographically secure and
> practical to implement for a large number of accreditors and certifiers.
>
> Thanks in advance!
>
> --
> Steve Capell
> +61 410 437854
>
>

Received on Wednesday, 29 July 2020 23:32:33 UTC
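
The dependent-claim check discussed in this thread, as an added example that is not part of either message: a verifier accepts a health certificate only if an authority it recognises has accredited the certificate's issuer, matching on the issuer's DID, not on the name. The `did:example:` identifiers, the credential layout, the role string and the in-memory key registry are assumptions made for illustration, and the JSON signing format is a simplification of real credential proofs.

```javascript
const crypto = require("crypto");

// Sign a credential body. Canonical form is JSON with fixed key order (a
// simplification; this is not the W3C VC data model or proof format).
function issue(issuerDid, keyPair, subject, claim) {
  const body = { issuer: issuerDid, subject, claim };
  const sig = crypto.sign(null, Buffer.from(JSON.stringify(body)), keyPair.privateKey);
  return { ...body, proof: sig.toString("base64") };
}

function signatureOk(cred, publicKey) {
  const { proof, ...body } = cred;
  const sig = Buffer.from(proof, "base64");
  return crypto.verify(null, Buffer.from(JSON.stringify(body)), publicKey, sig);
}

// trusted: DID -> public key of authorities the verifier recognises (Z).
// resolve: DID -> public key for other issuers (stand-in for DID resolution).
function verifyChain(cert, accreditation, trusted, resolve, requiredRole) {
  const authorityKey = trusted.get(accreditation.issuer);
  if (!authorityKey) return "accreditor not recognised";
  if (!signatureOk(accreditation, authorityKey)) return "bad accreditation signature";
  if (accreditation.claim.role !== requiredRole) return "wrong accreditation type";
  // Identity linking: match on the DID, never on the human-readable name.
  if (accreditation.subject !== cert.issuer) return "issuer is not the accredited subject";
  const issuerKey = resolve(cert.issuer);
  if (!issuerKey || !signatureOk(cert, issuerKey)) return "bad certificate signature";
  return "ok";
}

// Constructed parties: one accrediting board, two vets both named John Smith.
const newKeys = () => crypto.generateKeyPairSync("ed25519");
const board = newKeys(), john = newKeys(), otherJohn = newKeys();
const trusted = new Map([["did:example:vet-board", board.publicKey]]);
const registry = new Map([
  ["did:example:john-1", john.publicKey],
  ["did:example:john-2", otherJohn.publicKey],
]);
const resolve = (did) => registry.get(did);

const accreditation = issue("did:example:vet-board", board, "did:example:john-1",
  { name: "John Smith", role: "veterinary-surgeon" });
const cert = issue("did:example:john-1", john, "dog:snoopy", { healthy: true });
const otherCert = issue("did:example:john-2", otherJohn, "dog:snoopy", { healthy: true });
const selfMade = issue("did:example:john-2", otherJohn, "did:example:john-2",
  { name: "John Smith", role: "veterinary-surgeon" });

console.log(verifyChain(cert, accreditation, trusted, resolve, "veterinary-surgeon"));
console.log(verifyChain(otherCert, accreditation, trusted, resolve, "veterinary-surgeon"));
console.log(verifyChain(otherCert, selfMade, trusted, resolve, "veterinary-surgeon"));
```

The second and third calls show the two failure modes raised in the thread: a same-named issuer with a different DID, and an accreditation signed by a party the verifier does not recognise.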