- From: Adrian Gropper <agropper@healthurl.com>
- Date: Fri, 12 Nov 2021 14:18:19 -0500
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: Credentials Community Group <public-credentials@w3.org>, public-vc-edu@w3.org
- Message-ID: <CANYRo8g2m=vjaL9_yp6ch3J10nQpuoP5pMP-SOWDU=igcMX2Rg@mail.gmail.com>
Authentication depends on what kind of fraud you’re concerned about and whether the verifier is getting the badge in-person. In many cases, like the NZ Covid VC, the subject identifier needs to match one on a biometric driver’s license presented in-person.

Other VC options available in-person discussed here: https://github.com/w3c/vc-data-model/issues/831#issuecomment-960249901

Adrian

On Fri, Nov 12, 2021 at 2:00 PM Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 11/12/21 11:05 AM, Kerri Lemoie wrote:
> > There’s been an ongoing discussion in the Open Badges community about using email addresses as an identifier when a wallet is not being used.
>
> The issue comes down to "How do you authenticate someone that presents an Open Badge with an email address as a subject identifier?"
>
> There are email ceremonies that can handle this today (just email the person with an authentication code).
>
> I mean, the way the problem is proposed really only drives one way of solving the problem.
>
> "You have an email address and nothing else as a subject identifier." -- well, then you only have one solution available to you -- an email address.
>
> However, if you shift the problem into "How do I authenticate the person showing the Open Badge"... you could use telephone number, email address, Linked In page, Twitter handle, and a variety of other mechanisms that would enable you to authenticate control over that identifier. That is, for example, send the person a message with a 6-digit code and have them respond by typing in that code on a web page.
>
> Remember that you also don't have to provide a credentialSubject.id value in a VC. You can provide multiple alternate identifiers (telephone number, email address, web page), and it's up to the verifier to do the authentication dance there.
>
> It is far less secure and automatic than a DID-based login, though. Remember that you can always re-issue already issued VCs.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
Received on Friday, 12 November 2021 19:18:45 UTC
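
The verifier-side code ceremony described in the quoted reply, as an added example that is not part of the original thread or any Open Badges or VC library: a verifier reads alternate identifiers from a VC with no `credentialSubject.id`, issues a 6-digit code for one of them, and checks the response. The property names `email`, `telephone` and `url`, the 10-minute lifetime, the 3-attempt limit and all function names are assumptions; delivering the code to the identifier is left to the caller.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600  # assumed policy: code valid for 10 minutes
MAX_ATTEMPTS = 3        # assumed policy: 3 guesses at a 1-in-a-million code

# Constructed sample VC: no credentialSubject.id, only alternate identifiers.
SAMPLE_VC = {
    "type": ["VerifiableCredential"],
    "credentialSubject": {"email": "learner@example.org", "telephone": "+1-555-0100"},
}

@dataclass
class Challenge:
    identifier: str
    salt: bytes
    digest: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS

def _digest(salt, identifier, code):
    # Store only a keyed digest bound to the identifier, never the code itself.
    return hmac.new(salt, f"{identifier}:{code}".encode(), hashlib.sha256).digest()

def alternate_identifiers(vc):
    # Identifiers the verifier could run a control check against.
    subject = vc.get("credentialSubject", {})
    return {k: v for k, v in subject.items() if k in ("email", "telephone", "url")}

def start_challenge(identifier, now=None):
    # Returns the server-side record and the code to send to the identifier.
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded to 6 digits
    salt = secrets.token_bytes(16)
    return Challenge(identifier, salt, _digest(salt, identifier, code), now + CODE_TTL_SECONDS), code

def check_response(ch, submitted, now=None):
    # Rejects expired, exhausted and replayed challenges; compares in constant time.
    now = time.time() if now is None else now
    if now > ch.expires_at or ch.attempts_left <= 0:
        return False
    ch.attempts_left -= 1
    ok = hmac.compare_digest(ch.digest, _digest(ch.salt, ch.identifier, submitted))
    if ok:
        ch.attempts_left = 0  # single use: a correct code cannot be replayed
    return ok
```

A successful check shows only that the presenter can read messages sent to that identifier at the time of the check, which is the property the ceremony is meant to establish.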