W3C home > Mailing lists > Public > public-credentials@w3.org > March 2022

RE: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: John, Anil <anil.john@hq.dhs.gov>
Date: Wed, 23 Mar 2022 16:42:55 +0000
To: Credentials Community Group <public-credentials@w3.org>
Message-ID: <SA1PR09MB881539098297BF87C4878795C5189@SA1PR09MB8815.namprd09.prod.outlook.com>
>This is extremely helpful, Anil. Can you provide some perspective on biometrics?
>Some VCs include a biometric and some don't. Is wallet design and provenance less critical when the VC includes a biometric?
>Wallets that are locked by a biometric (as opposed to a passphrase) can be coercively opened. What are possible mitigations?

Adrian – I was not actually thinking about it from that perspective but from a different one.

Biometrics is a technique for Identity Verification and not Identity Validation and I don’t conflate those terms.

  *   Identity Validation is the confirmation of the accuracy of the identity as established by an authoritative source. Identity validation does not ensure that an individual is asserting their own identity, only that the identity is accurate and timely.
  *   Identity Verification is the confirmation that the identity is claimed by the rightful individual.

In the current timeframe, biometrics is used to confirm whether the carbon-based-lifeform that shows up in person or on the other end of the wire is indeed the human that is described by a set of attributes that have been confirmed as being legit through the identity validation process. Biometrics is seen as the thing that can provide the highest assurance of that “binding” between the data and the human.

But is that the only way?

Let me re-use some of the language from Daniel’s reply to set the context “In issuance, an issuer (the source of the credential) is trying to decide whether to trust the holder (the recipient) to receive the cred. In proving, the verifier (the recipient) is trying to decide whether to trust the holder (the source of the credential) to do the thing the cred qualifies them for.”

What if, as part of the issuance interaction, the wallet has the ability to provide non-forgeable assurances to the issuer that “If you send me a set of attributes that describe a person or their entitlements to store, it will be managed/stored in such a way that only ONE specific human will ever be able to access and share that information in the future”.  Then the issuer can focus on two specific things:

  1.  During the on-boarding of a person’s record, ensure that there is secure process to ensure that that person that is described in the record is known to be a specific human.
  2.  During the provisioning process, ensure that the person who shows up requesting the credential is indeed the human who was originally on-boarded.

To be blunt, this is by necessity a high touch process that is useful only when the credential / entitlement in question is of high value. There is little to no value to this process if what you need is simply some manner of a bearer token.

But where this becomes interesting is on the other side of the journey.

What if, during the presentation process, the wallet can provide non-forgeable assurances to the Verifier that “A set of attributes were provided to me by Issuer X about a particular human and the only human that can share that information with you from my storage is the human who is standing in front of you or on the other end of the wire.”

As I am thinking this thru, it feels like the only way such attestations can be made with the level of rigor that I noted is if the hardware/platform participates in the end-to-end flow.

However the issue in the current environment is two-fold:

  1.  In order for this to work, the ability to do this need to be open to 3rd party developers – and currently it is not. There are gatekeepers in the middle.
  2.  Even if you had such access, uniqueness of the human cannot be guaranteed at this time (I can provision the biometrics of my entire family to gain access to the secure element on my mobile device)

But the potential light at the end of the tunnel, and the question that I am asking myself is that if that entire Issuer >> Wallet >> Verifier attestation chain can exist, is based on hardware/platform attestations that cannot be tampered with, can biometrics for all practical purposes be minimized or eliminated as an identity verification technique in the Wallet <> Verifier interaction?

I am sure that I am missing some critical piece that I have not thought through yet, which has this entire train of thought implode : -), but that is where my head is currently at.

Best Regards,

Received on Wednesday, 23 March 2022 16:46:39 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:29 UTC