Re: Credential Chaining from Brent Shambaugh on 2022-07-04 (public-credentials@w3.org from July 2022)

From: Brent Shambaugh <brent.shambaugh@gmail.com>
Date: Mon, 4 Jul 2022 10:27:53 -0500
To: Snorre Lothar von Gohren Edwin <snorre@diwala.io>
Cc: Eduardo A. Chongkan Líos <e.chongkan@gmail.com>, Harrison <harrison@spokeo.com>, Credentials Community Group <public-credentials@w3.org>, David Chadwick <d.w.chadwick@truetrust.co.uk>
Message-ID: <CACvcBVqafGXEcoYLgHF2Hz8-0pJ=Jp7H6brc2qz1rboaRHq5CQ@mail.gmail.com>
In the time after I started this thread, I found Kyle Den Hartog's blog:

Here is delegation of authority:
https://kyledenhartog.com/example-authz-with-VCs/

Here is yet another post:
https://kyledenhartog.com/delegation-in-verifiable-credentials/

Here is a comparison with zcaps, which can be better for authorization:

https://kyledenhartog.com/comparing-VCs-with-zcaps/
https://w3c-ccg.github.io/zcap-spec/

-Brent Shambaugh


On Mon, Jul 4, 2022 at 2:20 AM Snorre Lothar von Gohren Edwin <
snorre@diwala.io> wrote:

> So the DID is an important piece here, but that has been exchanged so the
> issuer knows what to issue too. But this brings us into the which DID did I
> hold the certain credential on, and not going into that.
> User "connects" with the issuer with a DID. They can communicate and
> can wrap data around a did.
> Issuer wants to verify something before issuing. Sorry for using
> identifying and misleading the discussion.
> Issuer wants to verify that you are the rightful holder of a certain piece
> of information, a special credential(ticket to a festival), a value inside
> a certain credential(name, current place of residence is Denver) and so on.
> Holder tries to prove any of these set criterias with their credentials
> and issuer can verify that their criteria is met.
> OIDC solves this by using their centralized identifying mechanism because
> you log in.
> But credentials should be able to just have a ping pong and the issuer
> software have simple ways of setting up criterias for issuance.
>
> Why do we need a registry in the middle here?
>
> ᐧ
> ᐧ
>
> On Mon, Jul 4, 2022 at 8:40 AM Eduardo A. Chongkan Líos <
> e.chongkan@gmail.com> wrote:
>
>> I think it is not necessary to confirm the Identity of the person the
>> credential is being issued to, because it will be chained to a DID.
>>
>> Issues are the ones responsible for verifying the Identity, but that is
>> detached to the model.
>>
>> e.g. Upon Registry for a Test, a user needs to verify his identity PRIO
>> making the test. By the time the credential is issued by the Issuer, the
>> DID is already known and other confirmations have taken place. Like
>> Onboarding with AML
>>
>> verifiable data registryA role a system might perform by mediating the
>> creation and verification
>> <https://www.w3.org/TR/vc-imp-guide/#dfn-verify> of identifiers, keys,
>> and other relevant data, such as verifiable credential
>> <https://www.w3.org/TR/vc-imp-guide/#dfn-verifiable-credentials> schemas,
>> revocation registries, issuer public keys, and so on, which might be
>> required to use verifiable credentials
>> <https://www.w3.org/TR/vc-imp-guide/#dfn-verifiable-credentials>. Some
>> configurations might require correlatable identifiers for subjects
>> <https://www.w3.org/TR/vc-imp-guide/#dfn-subjects>. Some registries,
>> such as ones for UUIDs and public keys, might just act as namespaces for
>> identifiers.
>>
>> --
>> Eduardo Chongkan
>>
>>
>>
>> On Mon, Jul 4, 2022 at 12:32 AM Snorre Lothar von Gohren Edwin <
>> snorre@diwala.io> wrote:
>>
>>> Is this being thought of as too complicated?
>>> I assume that when someone wants to issue a credential to someone, there
>>> has to be an identifying step of some sorts.
>>> What we plan to try out is that the person who issues, has knowledge
>>> about something about the holder they are to issue to, if it is some
>>> important things.
>>> They can then set a criteria that the holder has to prove before the
>>> issuance happens. This might be out of any spec or anything.
>>> But the thought is that you read an issuance request, and to be able to
>>> accept it you have to prove that you hold a certain VC, "drivers license",
>>> and that matches their known value?
>>> Does anything have to be chained here? Or just a ping pong of
>>> credentials?
>>> ᐧ
>>>
>>> On Sun, Jul 3, 2022 at 11:39 PM Harrison <harrison@spokeo.com> wrote:
>>>
>>>> Just curious:  I can imagine that some Issuers would want to check the
>>>> authenticity of the Holder (i.e. making sure that the Holder is who they
>>>> say they are) before issuing a credential.  Otherwise, anyone can claim
>>>> that they are Tom Cruise and get his credentials.  What do we do in this
>>>> case?
>>>>
>>>> In this scenario, I can imagine that the Holder has a special,
>>>> "soulbound" (i.e. non-transferable), and secure-enclave-like credential
>>>> that includes authentication factor information like SMS OTP and/or hashed
>>>> biometric tokens, and then the Issuer can check against this special
>>>> authenticator credential before deciding whether to issue a credential to
>>>> the Holder or not (i.e. credential chaining).  This problem has probably
>>>> come up before, and does the high-level concept above make sense?  Or is
>>>> there a better alternative?
>>>>
>>>> Sincerely,
>>>> Harrison
>>>>
>>>>
>>>>
>>>> On Sat, Jul 2, 2022 at 12:31 PM Brent Shambaugh <
>>>> brent.shambaugh@gmail.com> wrote:
>>>>
>>>>> Thank you all. I believe this is what I had in mind. It is sort of
>>>>> like maintaining state with verifiable credentials. You cannot do this
>>>>> unless you've done this. Prerequisites. I'll chew on this like manna from
>>>>> heaven.
>>>>>
>>>>>
>>>>> -Brent Shambaugh
>>>>>
>>>>> GitHub: https://github.com/bshambaugh
>>>>> Website: http://bshambaugh.org/
>>>>> LinkedIN: https://www.linkedin.com/in/brent-shambaugh-9b91259
>>>>> Skype: brent.shambaugh
>>>>> Twitter: https://twitter.com/Brent_Shambaugh
>>>>> WebID: http://bshambaugh.org/foaf.rdf#me
>>>>>
>>>>>
>>>>> On Thu, Jun 30, 2022 at 3:43 AM David Chadwick <
>>>>> d.w.chadwick@truetrust.co.uk> wrote:
>>>>>
>>>>>> Yes. We have implemented this following the UK Power of Attorney
>>>>>> model, where one person (the attorney) can obtain the VC of another person
>>>>>> (the donor) who has become incapacitated. The attorney must possess a PoA
>>>>>> VC first and present it to the issuer of the donor's account.
>>>>>>
>>>>>> Kind regards
>>>>>>
>>>>>> David
>>>>>> On 29/06/2022 17:33, Brent Shambaugh wrote:
>>>>>>
>>>>>> Is there such a thing as credentials that can only be issued if the
>>>>>> holder already has a particular credential?
>>>>>>
>>>>>> --
>>>>>> -Brent Shambaugh
>>>>>>
>>>>>> GitHub: https://github.com/bshambaugh
>>>>>> Website: http://bshambaugh.org/
>>>>>> LinkedIN: https://www.linkedin.com/in/brent-shambaugh-9b91259
>>>>>> Skype: brent.shambaugh
>>>>>> Twitter: https://twitter.com/Brent_Shambaugh
>>>>>> WebID: http://bshambaugh.org/foaf.rdf#me
>>>>>>
>>>>>>
>>>
>>> --
>>>
>>> *Snorre Lothar von Gohren Edwin*
>>> Co-Founder & CTO, Diwala
>>> +47 411 611 94
>>> www.diwala.io
>>> <http://www.diwala.io/>
>>> *Stay on top of Diwala news on social media! **Facebook
>>> <https://www.facebook.com/diwalaorg>** / **LinkedIn
>>> <https://www.linkedin.com/company/diwala>** / **Instagram
>>> <https://www.instagram.com/diwala_/>** / **Twitter
>>> <https://twitter.com/Diwala>*
>>>
>>
>
> --
>
> *Snorre Lothar von Gohren Edwin*
> Co-Founder & CTO, Diwala
> +47 411 611 94
> www.diwala.io
> <http://www.diwala.io/>
> *Stay on top of Diwala news on social media! **Facebook
> <https://www.facebook.com/diwalaorg>** / **LinkedIn
> <https://www.linkedin.com/company/diwala>** / **Instagram
> <https://www.instagram.com/diwala_/>** / **Twitter
> <https://twitter.com/Diwala>*
>
Received on Monday, 4 July 2022 15:28:19 UTC