Re: Future of Identity from Adrian Gropper on 2020-05-12 (public-credentials@w3.org from May 2020)

From: Adrian Gropper <agropper@healthurl.com>
Date: Tue, 12 May 2020 13:19:32 -0400
To: David Chadwick <D.W.Chadwick@kent.ac.uk>
Cc: W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <CANYRo8j5KCpEhzuFLocxfOG0GsQg7FOede0P5d48KxhagcEbpg@mail.gmail.com>

This work complements efforts to focus our community on adoption issues
around SSI in general.

The IIW30 session https://iiw.idcommons.net/
*SSI_Adoption_Sequence_in_a_Pandemic*
<https://iiw.idcommons.net/SSI_Adoption_Sequence_in_a_Pandemic> comes at
this by drawing a parallel with the W3C Prescription Use Case. Please check
out the doc at the top of the notes as well as the IIW discussion.

The prescription use case assumes there are two identities involved: the
doctor as prescriber and the patient as subject. The pharmacist is the
verifier. Mapping to COVID credentials, the lab is the issuer but a doctor
could also be the issuer.

I was unable to open the link to your COVID credentials demo on this slide
https://youtu.be/yqSr0xKcG18?t=1123 What follows may be a bad assumption on
my part...

The key point for both David and my framing is that the patient as subject
does not need a DID. The issuer may need a DID but since their credentials
are typically public the holder / presentation issue for privacy might be
an unnecessary barrier to adoption.

Another DID issue has to do with correlation. I agree with David that FIDO2
should be baseline and DIDs pose a privacy risk that is often unnecessary.
However, in general, patient privacy benefits from a self-sovereign
authorization server that represents their persona across multiple service
providers. How do we avoid unwarranted correlation when "registering" the
FIDO2 key (browser fingerprinting?) or the authorization server (as a
pairwise DID service endpoint)?

Also, as we heard in the fabulous EuroPass presentation in the Ed
Credentials call on Monday, in practice the verification of the subject's
credential (be it about immunity or a prescription) might often be
outsourced to an intermediary by the verifier and this seems to overlap
with our DID Resolution work.

- Adrian

On Tue, May 12, 2020 at 6:01 AM David Chadwick <D.W.Chadwick@kent.ac.uk>
wrote:

> Hi Everyone,
>
> Kuppinger Cole is having a free online seminar today on the Future of
> Identity Management. Registration is open to everyone. See
>
> https://www.kuppingercole.com/events/identity-fabrics-iam
>
> I have just given a talk entitled "I want COVID-19 Certificates but I
> don't want a DID" which some of you might find relevant and interesting.
> I have recorded it and put it on YouTube here, just in case you missed it
>
> https://youtu.be/yqSr0xKcG18
>
> I would be very interested in anyone's critical appraisal of my talk, so
> that it can be improved next time
>
>
> Kind regards
>
> David
>
>
>
>

Received on Tuesday, 12 May 2020 17:20:02 UTC