Re: Verifiable Credential Refresh 2021

It's huge that we're able to have this thread around the refresh use-case
and the PRC example but it would be even better if the thread had human
rights in the label.

Manu's detailed description shows why the (DID Auth) relationship between
Issuer and Subject is key. Whether we use Verifiable Presentation jargon or
Rich Authorization Requests jargon seems secondary. Either way, a request
is being processed into an authorization for issue of a credential. The
privacy / delegation / separation of concerns issue is whether the request
is being presented to the Subject, the Issuer, or an agent of the Subject.
This is a human rights issue to the extent that the Subject of the VC MUST
have the right to decide where requests are to be processed into
authorizations.

This principle of being able to decide where requests are processed is no
less important than Anil's requirement that the Verifier not contact the
Issuer directly. Both are privacy preserving in terms of traffic
analysis and confidentiality and both represent a burden on the Subject of
the VC that the Subject may want to reduce through delegation.

OAuth is not equivalent to GNAP in terms of human rights. The layering of
protocols on top of VCs and DIDs is important in terms of human rights.
Some very important credentials will include biometrics, as in the mobile
driver's license, and some important wallets will be locked biometrically
to the user as in the Apple Wallet. These are not side-issues and need to
be considered primary as we work on the protocols around DIDs and VCs.

Adrian

On Tue, Jan 4, 2022 at 10:09 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On 1/3/22 4:03 PM, Adrian Gropper wrote:
> > I hope DHS policy acknowledges the importance of separation of possession
> > from consent and does not take away a subject's right to decide whether
> > control of a VC can be exercised independently of possession. Even if DHS
> > disagrees, it's still imperative that their reasoning and the
> conversation
> > about this be carried out in a thorough and public fashion in order to
> > build public confidence in digital credentials at scale.
>
> Adrian, I'm going to provide some input that is to be interpreted as
> "general
> thoughts" and not as necessarily applying to the PRC use case.
>
> Anil has already explained that, in it's modern form, paper-based
> delegation
> exists today, has existed for many decades, and will continue to exist even
> when digital credentials become an option.
>
> To add to that, you can do programmatic delegation with all of the APIs
> that
> are being developed in CCG using ZCAPs (or GNAP, or OAuth). A Holder can
> delegate access to key material (WebKMS), they can delegate access to
> Issuer
> infrastructure that they control (VC-API), they can delegate access to
> Verifier infrastructure that they control (VC-API), and they can delegate
> access to Holder infrastructure that they control (VC-API). The question of
> how one does programmatic delegation is orthogonal and layered, as it
> should be.
>
> However, to get to a global standard for programmatic delegation, we need
> to
> put the next layer in place, which is the Data Integrity work in the W3C
> Verifiable Credentials 2.0 Working Group. :
>
>
> https://pr-preview.s3.amazonaws.com/w3c/vc-wg-charter/pull/37.html#deliverables
>
> All that to say, we're working towards new global standards for
> programmatic
> delegation (ZCAPs, GNAP), and supporting programmatic delegation through
> OAuth2 today. If you want to do paper-based delegation, that will continue
> to
> be possible for the foreseeable future for Issuers that provide paper-based
> credentials.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
>
>