- From: Joe Andrieu <joe@legreq.com>
- Date: Tue, 08 Mar 2022 18:23:22 -0800
- To: "Credentials Community Group" <public-credentials@w3.org>
- Message-Id: <bb522967-355f-4885-9ee9-861744fb0ca0@www.fastmail.com>
On Tue, Mar 8, 2022, at 2:51 AM, David Chadwick wrote:
> On 08/03/2022 00:50, Manu Sporny wrote:
>
> Just to remind you that PII only relates to living people and not to organisations or the dead
>
> Kind regards
> David

Yes, but every organization I've known has some information they consider confidential and proprietary, and in governmental or military contexts, classified and top secret.

Turns out the same protections that GDPR requires for individuals can also easily extend to protecting all forms of correlatable information.

This is particularly true for supply chain applications. In general, firms don't want competitors to see the movement of goods through the firm's channels, regardless of blockchain fairy dust. The same blinding & commitment approaches that enable proof-of-existence for PII without disclosing that PII can also be used for company data.

In general, using ephemeral DIDs for each transaction allows the transactional flow to be non-correlatable to outside parties. If you need correlatable identifiers for particular points in the transaction, put that in a VC (with a unique nonce), put a hash of the VC on chain, and send the VC separately. That proves that particular VC was associated with the supply chain event (recorded at a particular time) without exposing the parties involved.

For even better results, encrypt the VC for its intended recipient and store it in Confidential Storage. Then even the storage substrate can't read your VC, which also isn't on-chain.

-j

--
Joe Andrieu, PMP
joe@legreq.com
LEGENDARY REQUIREMENTS
+1(805)705-8651
Do what matters.
http://legreq.com <http://www.legendaryrequirements.com/>
Received on Wednesday, 9 March 2022 02:24:08 UTC
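
The hash-anchoring step described in the message above, sketched as an added example that is not part of the original message or of any project's code: a VC carrying a unique nonce is hashed, only the digest is recorded, and the recipient later checks the VC it received separately against that digest. The `Ledger` class, the `SupplyChainEvent` type, the sorted-key JSON canonicalization and all sample values are assumptions made for illustration; the `observer_matches` check shows why the nonce matters when the VC contents are guessable.

```python
import hashlib, json, secrets

def canonical(vc: dict) -> bytes:
    # Assumption: sorted-key compact JSON stands in for a real VC canonicalization.
    return json.dumps(vc, sort_keys=True, separators=(",", ":")).encode()

def commit(vc: dict) -> str:
    """Digest that goes on chain; the VC itself never does."""
    return hashlib.sha256(canonical(vc)).hexdigest()

def make_event_vc(subject: dict, with_nonce: bool = True) -> dict:
    vc = {"type": ["VerifiableCredential", "SupplyChainEvent"],  # hypothetical type
          "credentialSubject": subject}
    if with_nonce:
        vc["nonce"] = secrets.token_hex(16)  # unique 128-bit value per VC
    return vc

class Ledger:
    """Stand-in for the chain (hypothetical): holds only digest -> timestamp."""
    def __init__(self):
        self.entries = {}
    def anchor(self, digest: str, timestamp: str) -> None:
        self.entries.setdefault(digest, timestamp)  # first record wins
    def recorded_at(self, digest: str):
        return self.entries.get(digest)

def verify(vc: dict, ledger: Ledger):
    """Recipient check: anchor time if this exact VC was committed, else None."""
    return ledger.recorded_at(commit(vc))

def observer_matches(ledger: Ledger, guesses: list) -> list:
    """Outside party hashing guessed contents; only un-nonced VCs can match."""
    return [g for g in guesses
            if ledger.recorded_at(commit(make_event_vc(g, with_nonce=False)))]

if __name__ == "__main__":
    # Constructed sample data, not taken from the message.
    subject = {"shipper": "did:example:acme", "lot": "LOT-0042", "event": "shipped"}
    blinded, plain = make_event_vc(subject), make_event_vc(subject, with_nonce=False)
    chain, weak_chain = Ledger(), Ledger()
    chain.anchor(commit(blinded), "2022-01-01T00:00:00Z")
    weak_chain.anchor(commit(plain), "2022-01-01T00:00:00Z")
    print("recipient verifies:", verify(blinded, chain))
    print("observer vs nonced:", observer_matches(chain, [subject]))
    print("observer vs un-nonced:", observer_matches(weak_chain, [subject]))
```

Encrypting the VC for its recipient, as the message's last paragraph suggests, is left out here and would wrap the VC after the digest is computed.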