Re: IETF: Secure Credential Transfer

• From: Manu Sporny <msporny@digitalbazaar.com>
• Date: Mon, 4 Apr 2022 20:57:14 -0400
• To: public-credentials@w3.org
• Message-ID: <b06ae079-48f3-ebe5-5f13-f3a0eee77d8b@digitalbazaar.com>

On 4/4/22 11:18 AM, Orie Steele wrote:
> https://www.ietf.org/archive/id/draft-secure-credential-transfer-03.html

Uses HTML5+RDFa[1] for visual representation... rest of it looks similar to
some Encrypted Data Vault[2] design choices... not to mention the tie-in to
Apple and Google push notification services (they own those push notification
service platforms, after all)... all kinda jumbled together as a point
solution for moving static credentials (with no suggestion to how the
cryptographic keys are moved)... some interesting design choices[3].

The charter seems to only focus on the transfer of bearer credentials:

https://github.com/dimmyvi/secure-credential-transfer/blob/main/charter.md

I'd expect that with that specification, you could argue that you support an
open ecosystem (as long as you ignore the push service centralization and the
fact that Apple/Google aren't going to allow credential export to just /any/
wallet)... but you get a handful of "trusted platforms" in each market and you
can avoid good chunks of anti-competition regulations.

Leader author is Dmitry Vinokurov -- His public Github profile[4] says:
"Dmitry is an engineer at Apple. There, he works on the server applications
for Apple Pay, focusing on areas including security, cryptography and
web-commerce."

I'll note that Mozilla's CTO also seems to have reviewed the documents and is
contributing to Charter text:

https://github.com/dimmyvi/secure-credential-transfer/commits?author=ekr

https://github.com/dimmyvi/secure-credential-transfer/commit/a74913aee1fe338f29bc76fdd645cafb7297c675

Seems like a point solution -- digital dead drop box for bearer credentials
that are encrypted to specific individuals. Very little overlap w/ VCs and the
protocols we're discussing here (but, would be good to keep our eye on this one).

-- manu

[1]https://www.w3.org/TR/html-rdfa/
[2]https://identity.foundation/edv-spec/#core-concepts
[3]https://github.com/dimmyvi/secure-credential-transfer
[4]https://github.com/dimmyvi

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Tuesday, 5 April 2022 00:57:31 UTC