Re: Selective Disclosure of lists

This is a common pattern for us (eg list of lines in an invoice VC).  Almost every trade document has the sense of headers and repeating lines.

We use the simple Merkel tree approach to redaction so easy to handle. Verifier will just see a line with a salted hash and without the data 

Kind regards 

Steven Capell
Mob: 0410 437854

> On 9 Jun 2021, at 4:10 am, David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
> 
> 
> Hi Jeremy
> 
> On 08/06/2021 18:09, Jeremy Townson wrote:
>> David,
>> 
>> The conclusion I draw is that the verifier should avoid infering properties of the VC from document metadata, such as node counts, or counts of items in a list. On the other hand, the issuer should add properties explicitly to the document (e.g. numDirectors=2).
> This  is one solution, but I am looking for a generic one.
> 
> 
> 
>> Trying to calculate any property of the VC by implication seems to produce errors.
>> 
>> Is this really a problem of selective disclosure. If an issuer creates a VC containing a list of directors, without stating whether it is a complete list, the document signature won't encapsulate such information so such a claim cannot be verified. Is surely does not matter if the document is subsequently redacted or not?
>> 
>> This kind of problem seems to spring up elsewhere. Could the issuer infer that a list is up to date as of  this year if the VC's issuance date is recent for example? It feels like only applications can decide this. To that end, perhaps a 'numDirectors=6' approach would be the simpest and most reliable.
>> 
>> Did you have something more cunning in mind?
> Yes. If the verifier's policy says either "give me the complete list of property X" or "give me whatever you want to disclose from property X" then whatever result is returned and signed by the issuer will conform to the verifier's policy and the verifier wont have to infer anything. In the first case selective disclosure will be forbidden, in the second it wont be. This is the solution we are working towards, but we wondered if anyone had other ideas.
> 
> Kind regards
> 
> David
> 
> 
> 
>> 
>> Regards,
>> Jeremy
>> 
>> 
>> 
>> On Tue, 8 Jun 2021 at 13:47, David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
>>> One example is the list of directors and list of secretaries of a company. A list might be empty (allowed), or the holder might wish to remove specific names before disclosing the list to the verifier. The issue is how can the verifier tell the difference between a culled long list and a complete small list.
>>> 
>>> Kind regards
>>> 
>>> David
>>> 
>>> 
>>> 
>>> On 08/06/2021 13:01, Jeremy Townson wrote:
>>>> Could you give an example, David, I had thought the point of selective disclosure was that the verifier could make only a binary (not)valid decision about validity and was not able to infer other properties of the undisclosed data, such as properties of lists.
>>>> 
>>>> On Tue, 8 Jun 2021 at 12:10, David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
>>>>> I dont know if anyone has discussed the selective disclosure of lists but here are at least some of the issues:
>>>>> 
>>>>> The user's VC has a property with a list of values (e.g. names of role holders). The user only wants to disclose n of m of this list to the verifier.
>>>>> 
>>>>> How can the verifier determine the difference between
>>>>> 
>>>>> i) a list with only n entries
>>>>> 
>>>>> ii) a list that has more than n entries but the user has withheld some of them.
>>>>> 
>>>>> Then we have the case where 
>>>>> 
>>>>> iii) the list is genuinely empty because e.g. the role, has not been assigned to anyone yet, and 
>>>>> 
>>>>> iv) the user does not want to tell the verifier any of the list values.
>>>>> 
>>>>> As far as I am aware the current data model does not have any way of differentiating between any of the above in a selectively disclosed VC.
>>>>> 
>>>>> Kind regards
>>>>> 
>>>>> David

Received on Tuesday, 8 June 2021 21:56:10 UTC