Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT]) from Adrian Gropper on 2022-03-23 (public-credentials@w3.org from March 2022)

From: Adrian Gropper <agropper@healthurl.com>
Date: Wed, 23 Mar 2022 13:01:26 -0400
To: "John, Anil" <anil.john@hq.dhs.gov>
Cc: Credentials Community Group <public-credentials@w3.org>
Message-ID: <CANYRo8iphZq2USHWHPzr_8RnWPJfhXNWCO0CAON9U33nasKqYw@mail.gmail.com>
The critical piece, as implied in my second question, is that a
chain-of-custody wallet design would be unacceptably coercive. I'm
envisioning an ankle bracelet or chip.

How do we avoid coercion?

Another issue involves the temptation to use strong credentials for trivial
transactions. ZKPs would solve this but I don't think VPs do.

Adrian

On Wed, Mar 23, 2022 at 12:48 PM John, Anil <anil.john@hq.dhs.gov> wrote:

> >This is extremely helpful, Anil. Can you provide some perspective on
> biometrics?
>
> >Some VCs include a biometric and some don't. Is wallet design and
> provenance less critical when the VC includes a biometric?
>
> >Wallets that are locked by a biometric (as opposed to a passphrase) can
> be coercively opened. What are possible mitigations?
>
>
>
> Adrian – I was not actually thinking about it from that perspective but
> from a different one.
>
>
>
> Biometrics is a technique for Identity Verification and not Identity
> Validation and I don’t conflate those terms.
>
>    - Identity Validation is the confirmation of the accuracy of the
>    identity as established by an authoritative source. Identity validation
>    does not ensure that an individual is asserting their own identity, only
>    that the identity is accurate and timely.
>    - Identity Verification is the confirmation that the identity is
>    claimed by the rightful individual.
>
>
>
> In the current timeframe, biometrics is used to confirm whether the
> carbon-based-lifeform that shows up in person or on the other end of the
> wire is indeed the human that is described by a set of attributes that have
> been confirmed as being legit through the identity validation process.
> Biometrics is seen as the thing that can provide the highest assurance of
> that “binding” between the data and the human.
>
>
>
> But is that the only way?
>
>
>
> Let me re-use some of the language from Daniel’s reply to set the context
> “In issuance, an issuer (the source of the credential) is trying to decide
> whether to trust the holder (the recipient) to receive the cred. In
> proving, the verifier (the recipient) is trying to decide whether to trust
> the holder (the source of the credential) to do the thing the cred
> qualifies them for.”
>
>
>
> What if, as part of the issuance interaction, the wallet has the ability
> to provide non-forgeable assurances to the issuer that “If you send me a
> set of attributes that describe a person or their entitlements to store, it
> will be managed/stored in such a way that only ONE specific human will ever
> be able to access and share that information in the future”.  Then the
> issuer can focus on two specific things:
>
>
>
>    1. During the on-boarding of a person’s record, ensure that there is
>    secure process to ensure that that person that is described in the record
>    is known to be a specific human.
>    2. During the provisioning process, ensure that the person who shows
>    up requesting the credential is indeed the human who was originally
>    on-boarded.
>
>
>
> To be blunt, this is by necessity a high touch process that is useful only
> when the credential / entitlement in question is of high value. There is
> little to no value to this process if what you need is simply some manner
> of a bearer token.
>
>
>
> But where this becomes interesting is on the other side of the journey.
>
>
>
> What if, during the presentation process, the wallet can provide
> non-forgeable assurances to the Verifier that “A set of attributes were
> provided to me by Issuer X about a particular human and the only human that
> can share that information with you from my storage is the human who is
> standing in front of you or on the other end of the wire.”
>
>
>
> As I am thinking this thru, it feels like the only way such attestations
> can be made with the level of rigor that I noted is if the
> hardware/platform participates in the end-to-end flow.
>
>
>
> However the issue in the current environment is two-fold:
>
>    1. In order for this to work, the ability to do this need to be open
>    to 3rd party developers – and currently it is not. There are
>    gatekeepers in the middle.
>    2. Even if you had such access, uniqueness of the human cannot be
>    guaranteed at this time (I can provision the biometrics of my entire family
>    to gain access to the secure element on my mobile device)
>
>
>
> But the potential light at the end of the tunnel, and the question that I
> am asking myself is that if that entire Issuer >> Wallet >> Verifier
> attestation chain can exist, is based on hardware/platform attestations
> that cannot be tampered with, can biometrics for all practical purposes be
> minimized or eliminated as an identity verification technique in the Wallet
> <> Verifier interaction?
>
>
>
> I am sure that I am missing some critical piece that I have not thought
> through yet, which has this entire train of thought implode : -), but that
> is where my head is currently at.
>
>
>
> Best Regards,
>
>
>
> Anil
>
Received on Wednesday, 23 March 2022 17:01:50 UTC