- From: Adrian Gropper <agropper@healthurl.com>
- Date: Tue, 12 May 2020 18:28:35 -0400
- To: David Chadwick <D.W.Chadwick@kent.ac.uk>
- Cc: W3C Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CANYRo8gUvpGUwLDzVGTjyNkKZ8K9JC_EN3ZM1aZPq_AJJwjfAg@mail.gmail.com>
Thanks, David, for sharing the COVID-19 certificate demo. I have a few questions.

1 - Who is signing the VC? Is it the NHS lab or is it Dr. Smith? Whose signature on the VC is going to be checked by Nightingale?

2 - Dr. Smith is being counted on to verify David's identity (Name and DOB) when it's attached to the test sample. Nightingale, the verifier, presumably checks that the VC is about the same David with the same DOB. Are you presuming that David showed some kind of identity card to both the doctor and the hospital?

3 - Nightingale as verifier needs to install software to display the VC and verify the signature OR it needs to outsource that job to someplace it trusts - maybe the lab that did the test or the system that Dr. Smith used to order the test. Which of these are you proposing in the example?

4 - There are two privacy benefits to the VC model: (a) The issuer (lab or doctor) doesn't track the use of the credential at Nightingale and (b) David gets to choose if and when to present the credential. From a privacy perspective, (b) is paramount because we're not asking people to wear their COVID credentials on their sleeve - yet. But (a) is less clear. Is there a real problem with regulated entities like labs or doctors being aware of when a test result is presented? Would anyone be less likely to get or use an immunity test if they believed that their voluntary presentation of the result would be subject to monitoring by the issuer? Would public health authorities and our communities actually benefit from knowing how the credentials are being used?

5 - In the case of an immunity credential, expiration date is inadequate. Some verifiers will want a test every day, others once a week, others after months. Allowing David to choose which of many credentials to present to which verifiers does not seem like an optimal strategy for pandemic mitigation. How would serial VCs be linked so that only the last test was always the current credential?


Finally, a question on the FIDO point. When I use my Yubikey in Chrome to sign into a service provider, does that provider have access to my IP address and other identifying information?

- Adrian

On Tue, May 12, 2020 at 4:36 PM David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:

>
> On 12/05/2020 18:19, Adrian Gropper wrote:
> > This work complements efforts to focus our community on adoption
> > issues around SSI in general.
> >
> > The IIW30 session
> > https://iiw.idcommons.net/*SSI_Adoption_Sequence_in_a_Pandemic*
> > <https://iiw.idcommons.net/SSI_Adoption_Sequence_in_a_Pandemic> comes
> > at this by drawing a parallel with the W3C Prescription Use Case.
> > Please check out the doc at the top of the notes as well as the IIW
> > discussion.
> >
> > The prescription use case assumes there are two identities involved:
> > the doctor as prescriber and the patient as subject. The pharmacist is
> > the verifier. Mapping to COVID credentials, the lab is the issuer but
> > a doctor could also be the issuer.
> >
> > I was unable to open the link to your COVID credentials demo on this
> > slide https://youtu.be/yqSr0xKcG18?t=1123 What follows may be a bad
> > assumption on my part...
>
> The link is actually
>
> https://youtu.be/Q-1X1FRSTss
>
> This shows the benefit of base58 encoding!!
>
> The font used in the ppt does not differentiate between one and capital
> eye unfortunately
> >
> > The key point for both David and my framing is that the patient as
> > subject does not need a DID. The issuer may need a DID but since their
> > credentials are typically public the holder / presentation issue for
> > privacy might be an unnecessary barrier to adoption.
> >
> > Another DID issue has to do with correlation. I agree with David that
> > FIDO2 should be baseline and DIDs pose a privacy risk that is often
> > unnecessary. However, in general, patient privacy benefits from a
> > self-sovereign authorization server that represents their persona
> > across multiple service providers. How do we avoid unwarranted
> > correlation when "registering" the FIDO2 key (browser fingerprinting?)
>
> Because FIDO2 ensures a different key pair is used for every service
> provider. It strongly enforces SOP.
>
> Kind regards
>
> David
>
> > or the authorization server (as a pairwise DID service endpoint)?
> >
> > Also, as we heard in the fabulous EuroPass presentation in the Ed
> > Credentials call on Monday, in practice the verification of the
> > subject's credential (be it about immunity or a prescription) might
> > often be outsourced to an intermediary by the verifier and this seems
> > to overlap with our DID Resolution work.
> >
> > - Adrian
> >
> >
> >
> > On Tue, May 12, 2020 at 6:01 AM David Chadwick
> > <D.W.Chadwick@kent.ac.uk <mailto:D.W.Chadwick@kent.ac.uk>> wrote:
> >
> > Hi Everyone,
> >
> > Kuppinger Cole is having a free online seminar today on the Future of
> > Identity Management. Registration is open to everyone. See
> >
> > https://www.kuppingercole.com/events/identity-fabrics-iam
> >
> > I have just given a talk entitled "I want COVID-19 Certificates but I
> > don't want a DID" which some of you might find relevant and
> > interesting.
> > I have recorded it and put it on YouTube here, just in case you
> > missed it
> >
> > https://youtu.be/yqSr0xKcG18
> >
> > I would be very interested in anyone's critical appraisal of my
> > talk, so
> > that it can be improved next time
> >
> >
> > Kind regards
> >
> > David

Received on Tuesday, 12 May 2020 22:29:02 UTC