- From: David Chadwick <D.W.Chadwick@kent.ac.uk>
- Date: Wed, 13 May 2020 14:07:01 +0100
- To: Adrian Gropper <agropper@healthurl.com>
- Cc: W3C Credentials Community Group <public-credentials@w3.org>
Hi Adrian

answers below

On 12/05/2020 23:28, Adrian Gropper wrote:
> Thanks, David for sharing the COVID-19 certificate demo. I have a few
> questions.
>
> 1 - Who is signing the VC? Is it the NHS lab or is it Dr. Smith? Whose
> signature on the VC is going to be checked by Nightingale?

As you know, the VC Data Model is a bottom-up trust model. So Nightingale
decides who to trust from the many possible issuers there may be. My
solution to this dilemma is issuer delegation of authority, which I
discuss more fully in the IEEE Comms Standards paper as the downwards or
upwards delegation models, both of which work in the real world today.
(Paper available here for private study https://kar.kent.ac.uk/80304/
for those without IEEE subscriptions.)

> 2 - Dr. Smith is being counted on to verify David's identity (Name and
> DOB) when it's attached to the test sample. Nightingale, the verifier,
> presumably checks that the VC is about the same David with the same
> DOB. Are you presuming that David showed some kind of identity card to
> both the doctor and the hospital?

In the UK everyone is registered with a GP, and has an NHS number
(centralised ID :-). So Dr Smith knows all his/her patients. Dr Smith
notifies the test centre who the test is about. This happens today with
blood tests etc. David then logs into the test centre, is matched with
his record, and the COVID-19 certificate is issued to him on his device.
Nightingale only checks the crypto in my current demo, but this can
prove possession of the COVID-19 certificate on the device. If the
device has been stolen or given to someone else, then including a photo
of David (or a URL to one) in the certificate will prevent device
swapping.

> 3 - Nightingale as verifier needs to install software to display the
> VC and verify the signature OR it needs to outsource that job to
> someplace it trusts - maybe the lab that did the test or the system
> that Dr. Smith used to order the test. Which of these are you
> proposing in the example?

We have verifier software middleware that Nightingale runs on its
premises, or as an AWS service if it wants to outsource it to the cloud.

> 4 - There are two privacy benefits to the VC model: (a) The issuer
> (lab or doctor) doesn't track the use of the credential at Nightingale
> and (b) David gets to choose if and when to present the credential.

Both of these are present in the demo.

> From a privacy perspective, (b) is paramount because we're not asking
> people to wear their COVID credentials on their sleeve - yet. But (a)
> is less clear. Is there a real problem with regulated entities like
> labs or doctors being aware of when a test result is presented?

Knowing when a test result is presented is not the same as knowing to
whom the result is presented. Clearly someone monitoring the network
would be able to correlate the test result request and the presentation
of it to someone else. But I am assuming the test centre is not able to
do this, and is not motivated to do it.

> Would anyone be less likely to get or use an immunity test if they
> believed that their voluntary presentation of the result would be
> subject to monitoring by the issuer?

I did not think that monitoring the frequency of requesting test VCs
from an issuer would be an issue, but clearly there is a privacy aspect
to this. What does it tell the test centre that David requested his test
VC 100 times and Adrian did not request it once? Adrian is
self-isolating and David is a travelling salesman?

> Would public health authorities and our communities actually benefit
> from knowing how the credentials are being used?

It is not how they are being used, but how frequently they are being
used. That info might be valuable to the health authorities. Clearly if
no-one was ever requesting their test certificates then they must be
deemed to be useless by the population.

> 5 - In the case of an immunity credential, expiration date is
> inadequate. Some verifiers will want a test every day, others once a
> week, others after months. Allowing David to choose which of many
> credentials to present to which verifiers does not seem like an
> optimal strategy for pandemic mitigation. How would serial VCs be
> linked so that only the last test was always the current credential?
>
> Finally, a question on the FIDO point. When I use my Yubikey in Chrome
> to sign into a service provider, does that provider have access to my
> IP address and other identifying information?

In order to use FIDO2 the user has to establish a TLS connection with
the issuer. So whatever information TLS provides about the caller is
available to the test centre. However, in our implementation we do not
record the IP address of the caller or any other identifying information
about the caller. But clearly the issuer has to know who the caller is
in order to locate the test results. This information is passed after
the FIDO2 connection is established. FIDO2 only stores the public key id
of the caller and a local user ID to link to it. So the user is
essentially anonymous.

Kind regards

> - Adrian
>
> On Tue, May 12, 2020 at 4:36 PM David Chadwick
> <D.W.Chadwick@kent.ac.uk> wrote:
>
> On 12/05/2020 18:19, Adrian Gropper wrote:
> > This work complements efforts to focus our community on adoption
> > issues around SSI in general.
> >
> > The IIW30 session
> > https://iiw.idcommons.net/SSI_Adoption_Sequence_in_a_Pandemic comes
> > at this by drawing a parallel with the W3C Prescription Use Case.
> > Please check out the doc at the top of the notes as well as the IIW
> > discussion.
> >
> > The prescription use case assumes there are two identities involved:
> > the doctor as prescriber and the patient as subject. The pharmacist is
> > the verifier. Mapping to COVID credentials, the lab is the issuer but
> > a doctor could also be the issuer.
> >
> > I was unable to open the link to your COVID credentials demo on this
> > slide https://youtu.be/yqSr0xKcG18?t=1123 What follows may be a bad
> > assumption on my part...
>
> The link is actually
>
> https://youtu.be/Q-1X1FRSTss
>
> This shows the benefit of base58 encoding!!
>
> The font used in the ppt does not differentiate between one and capital
> eye unfortunately
>
> > The key point for both David and my framing is that the patient as
> > subject does not need a DID. The issuer may need a DID but since their
> > credentials are typically public the holder / presentation issue for
> > privacy might be an unnecessary barrier to adoption.
> >
> > Another DID issue has to do with correlation. I agree with David that
> > FIDO2 should be baseline and DIDs pose a privacy risk that is often
> > unnecessary. However, in general, patient privacy benefits from a
> > self-sovereign authorization server that represents their persona
> > across multiple service providers. How do we avoid unwarranted
> > correlation when "registering" the FIDO2 key (browser fingerprinting?)
>
> Because FIDO2 ensures a different key pair is used for every service
> provider. It strongly enforces SOP.
>
> Kind regards
>
> David
>
> > or the authorization server (as a pairwise DID service endpoint)?
> >
> > Also, as we heard in the fabulous EuroPass presentation in the Ed
> > Credentials call on Monday, in practice the verification of the
> > subject's credential (be it about immunity or a prescription) might
> > often be outsourced to an intermediary by the verifier and this seems
> > to overlap with our DID Resolution work.
> >
> > - Adrian
> >
> > On Tue, May 12, 2020 at 6:01 AM David Chadwick
> > <D.W.Chadwick@kent.ac.uk> wrote:
> >
> > Hi Everyone,
> >
> > Kuppinger Cole is having a free online seminar today on the Future of
> > Identity Management. Registration is open to everyone. See
> >
> > https://www.kuppingercole.com/events/identity-fabrics-iam
> >
> > I have just given a talk entitled "I want COVID-19 Certificates but I
> > don't want a DID" which some of you might find relevant and
> > interesting.
> > I have recorded it and put it on YouTube here, just in case you
> > missed it
> >
> > https://youtu.be/yqSr0xKcG18
> >
> > I would be very interested in anyone's critical appraisal of my
> > talk, so that it can be improved next time
> >
> > Kind regards
> >
> > David
Received on Wednesday, 13 May 2020 13:07:19 UTC