Re: My Testimony before the CA Assembly Re: Authorizing use of Verifiable Credentials

From: Tony Rose <tony@proofmarket.io>
Date: Mon, 8 Jun 2020 23:17:00 -0700
To: Credentials Community Group <public-credentials@w3.org>, Christopher Allen <ChristopherA@lifewithalacrity.com>
Message-ID: <97668214-5703-4308-aa58-bd86fe69f618@Spark>
Hi -

Just to clarify, CA AB 2004 passed the CA House today - it is not final. Also, it is limited in scope to Covid-19 test results. The next step is the CA Senate in 3-4 weeks. In between now and then we are incorporating all of the feedback from various parties including the Privacy Committee, CA Medical Board, the community, and other interested parties. My focus as a member of the SSI community has been to seek guidance from experts in our community and provide a definition that encapsulates what a verifiable credential is: Private, Secure, Portable, Verifiable, and Non-Correlatable.

Tony


--
Tony Rose
CEO | Proof Market Inc
MedCreds.com
+1 650 504 5154

On Jun 8, 2020, 10:26 PM -0700, Christopher Allen <ChristopherA@lifewithalacrity.com>, wrote:
> A final version of this Verifiable Credentials bill passed today.
>
> First bill I know of authorizing the use of Verifiable Credentials.
>
> A short video:
> https://share.medcreds.com/WnubKWwO
>
> Bill:
> http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB2004
>
> — Christopher Allen
>
> > On Tue, May 5, 2020 at 1:58 PM Christopher Allen <ChristopherA@lifewithalacrity.com> wrote:
> > > I testified virtually today (Tuesday, May 5th, 2020) in CA Assembly Room 4202, with qualified support of:
> > >
> > > > ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION (Ed Chau, Chair) on AB 2004 (Calderon) – As Amended March 12, 2020
> > > > SUBJECT: Verifiable credentials: medical test results
> > > > SUMMARY: This bill would permit an issuer of COVID-19 test results or other test results to use verifiable credentials, as defined by the World Wide Web Consortium (W3C), for the purpose of providing test results to individuals. The bill would also require that verifiable credentials issued for this purpose follow the open source W3C Verifiable Credentials Data Model, including incorporation of decentralized identifiers, verifiable credentials, and JavaScript Object Notation for Linked Data (JSON-LD).
> > > >
> > > Video at https://share.privatemedcreds.com/lluDExQ8
> > >
> > > After the testimony, this bill passed this committee to move forward to the next stage for additional deliberation & amendments.
> > >
> > > There were some problems with audio quality, so here is the full text of what I wanted to present.
> > >
> > > — Christopher Allen
> > >      510-908-1066
> > >
> > > My name is Christopher Allen, and I am the founder of Blockchain Commons, a benefit corporation supporting security infrastructure, software development, and research. I also speak on behalf of the broader international standards W3C Credentials Community Group where I am a co-chair. My past achievements include being co-author of SSL/TLS, the broadest deployed security standard in the world, and the basis upon which most Internet traffic moves securely.
> > >
> > > As regards the subject matter of this bill, I am not a lawyer, regulatory expert, or lobbyist, but I am one of the leading experts on the new security architecture known as Verifiable Credentials and Decentralized Identifiers, the first being now an International Standard through the World Wide Web Consortium, the second in late stages of the international standardization process after 5 years of incubation.
> > >
> > > As far as any questions in regards to these underlying technologies themselves for the use by the State of California I do not have reservations — these new technologies offer a number of privacy by design features and address security issues that legacy credential and identity technologies do not. Organizations around the world including the US Department of Homeland Security, the Canadian government, Taiwan, New Zealand, and a number of EU nations are committed to moving toward solutions using these new architectures.
> > >
> > > My reservations regarding this bill are less about the efficacy of this technology, but the immaturity of robust health privacy and risk models, adversary analysis, and expected public health benefits in regards to the future use of these for specific public health purposes, which were not included in the original use cases originally defined in these standards. In particular, I feel that specific use of Verifiable Claims for Immunity Credentials requires additional risk analysis and possibly additional legislation.
> > >
> > > For instance, given the current lack of understanding of the effectiveness of COVID19 immunity test from the public health perspective, I have concerns in regard to the success of the suggested outcomes if an Immunity Credential was rushed to market too soon. In addition, I believe that the use of immunity Credentials may have discriminatory effects that may require additional work for the Assembly to address, such as including whether NOT having a disease can be used as consideration in layoffs, the ability to get fair compensation or unemployment or to apply for disability.
> > >
> > > However, I do believe that if the State Assembly is going to authorize some form of investigation, proof of concept, or implementation of new privacy-preserving health care technology, that Verifiable Claims and Decentralized Identifiers should be authorized as being acceptable, as they are the safest architecture available today. Implementors still need to be careful with the details — it is still possible to use these tools in ways that may compromise their intended goals for security & privacy.
> > >
> > > That being said, continued use of the current extremely fragmented legacy architectures for identity and personal health information in the health care community has higher risks. I urge you to support allowing the use of new Verifiable Claims international standards in your regulations.
> > >
> > > Thank you for the opportunity to speak before the Assembly on this topic. Let me know if you need more details on the topics above or if there are other ways my expertise can be of service.
> > >
Received on Tuesday, 9 June 2020 06:17:21 UTC