W3C home > Mailing lists > Public > public-credentials@w3.org > March 2022

Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Adrian Gropper <agropper@healthurl.com>
Date: Wed, 23 Mar 2022 17:02:18 -0400
Message-ID: <CANYRo8i5Z_F32cmfXC-_sEgHcUr3_dKfmTC6NgJqrCDq7tu7Eg@mail.gmail.com>
To: "John, Anil" <anil.john@hq.dhs.gov>
Cc: Credentials Community Group <public-credentials@w3.org>
On Wed, Mar 23, 2022 at 1:14 PM John, Anil <anil.john@hq.dhs.gov> wrote:

> > How do we avoid coercion?
> What is the current approach to avoiding coercion when it comes to the use
> of physical credentials?

Physical credentials are self-contained and, when they include biometrics
or the ability to link to a biometric registry,  physical credentials do
not depend on a chain-of-custody design. Nobody specifies how my driver's
license should be handled. I can have multiple passports and choose which
one to show at the border without the potential coercion of a certified
wallet or wallets.

> > Another issue involves the temptation to use strong credentials for
> trivial transactions.
> What is the current approach to avoid the use of strong physical
> credentials for trivial transactions?

There are good reasons why CDC vaccine cards are weak credentials.
Apologies, but I've lost track of the reference, but getting more people
vaccinated is more important than preventing the fraud. For example, at a
busy concert entry a few months ago, I was asked to show my biometric
strong physical credential along with my weak CDC vaccine card. I asked the
bouncer why he picked me. He said they check about one in ten and did not
describe any profiling.

> The point of my questions to your questions is very simple – I acknowledge
> that the problem exists, but also that the problem is not specific to
> digital credentials.

The problem unique to digital credentials comes the ease with which strong
credentials can be abused in trivial situations where the verifier cannot
be trusted by the subject to not misuse the credential. The bouncer at the
bar does not have a chance to save my license info the way a car license
plate reader can. The license plate reader can also combine all sorts of
other information such as location and my face without my knowledge or
consent, store these forever, and sell access. The individual components
are physical credentials and relatively weak. Their combination and
digitization is incredibly coercive and difficult to regulate. My lack of
control is a form of coercion.

But it gets worse. Our work to create standard data models for the digital
credentials makes the problem orders of magnitude worse.  I call this
Ambient Surveillance. https://github.com/w3c/did-use-cases/issues/113

> As such, any solutions to both questions will not necessarily have a
> technical answer.

With all due respect, necessarily, we will only get mitigation of the
coercive aspects of our work if we document the problems and the technical
mitigations that we apply. Right now, it is my observation that this issue
is considered out of scope for CCG and probably by W3C as a whole.


Received on Wednesday, 23 March 2022 21:02:41 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:29 UTC