- From: Andrew Hughes <andrewhughes3000@gmail.com>
- Date: Thu, 9 Dec 2021 10:08:03 -0800
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAGJp9UaX1FxSnqdp1HtvZpNX4gKeXo32MDKt7q3w7N4f2s6rVQ@mail.gmail.com>
Thanks Manu.

The proposals made a couple of years ago regarding VCs etc. were too early for the ISO WG to absorb. Also, the ISO WG was at the time by necessity inwards-focused. Now that 18013-5 is published, it's actually a better time to talk about data structures and proof mechanisms - because we have one approach that is proven to work. Now we can make moves towards efficiency, newer approaches, technologies that have different properties/capabilities, and so on.

————————
Andrew Hughes CISM CISSP
m +1 250.888.9474
AndrewHughes3000@gmail.com

On Thu, Dec 9, 2021 at 9:38 AM Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 12/7/21 1:07 PM, Andrew Hughes wrote:
> > The part that appears to be not covered here is the protocol-related clauses and the data integrity and "mdoc authentication" using the Mobile Security Object (MSO).
>
> Yes, at least one large W3C Member insisted (and continues to insist) that protocol be placed out of scope in the VCWG. They are, interestingly enough, also involved in the ISO 18013-5 work, but I'm sure there is no connection between those two data points and it's just a coincidence. :P
>
> You are right to note that there is a problem there that needs a standardized solution.
>
> > While the MSO is technically not inside the data model in 18013-5, it is required in order for the verifier to confirm data integrity per-data-element... I realize that the VC approach in this work is not the same - but how should we accommodate issuers who want or need to use the 18013-5 MSO security approach?
>
> Yes, and ONE solution to this could be embedding the MSO as a "proof" in the Verifiable Credential and passing that on verbatim. The downside here, however, is that it's yet another Verifiable Credential data integrity algorithm that we'd need to spec -- though the spec could largely point to the ISO 18013-5 specification.
>
> It's not elegant, but I see no reason why it wouldn't work (yet).
>
> > Verifiers following the 18013-5 verification approach will be expecting to get an MSO for processing. This is the biggest item that I continue to struggle to conceptualize (even before this work was circulated) - whether the MSO approach is fundamental to the concept of Mobile Driving License, or if that's just one approach to data integrity etc. And whether any other equivalent proof mechanism is acceptable for conformity to 18013-5 (which is what Issuers are likely to demand of any vendor/app).
>
> Here's what it could look like for a selectively disclosed driver's license (sharing only document number, birth date, and expiration date):
>
> https://gist.github.com/msporny/6292b3b6f77e2040fbc0e534d0a30ff2
>
> IIRC, this was already proposed to the ISO 18013-5 group several years ago. I'll note that BBS+ is probably a far better, more generalized solution to the problem the MSO is attempting to solve. The problem w/ BBS+, of course, is the lack of finalized standards that could be leveraged today.
>
> Hope that helps, happy to answer further questions.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
Received on Thursday, 9 December 2021 18:08:28 UTC