- From: Orie Steele <orie@transmute.industries>
- Date: Sat, 26 Mar 2022 16:08:58 -0500
- To: Nikos Fotiou <fotiou@aueb.gr>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAN8C-_KOc17z_u5qQrfh_KLm-xALtzUkjtrNeqaxGqN8CmJKHQ@mail.gmail.com>
If the VCs in the cloud are a commitment to a DID instead of a hardware bound key... then their presentation from hardware bound keys achieves the same effect, but if the device is lost, the holder just registers new device bound keys, and no need to re-issue the VCs (but a DID Update operation is required).

This is similar to account recovery in end to end / enclave systems like Signal (long term id is phone number, short term ids are keys).

It's also similar to this now archived SSH CA project from Netflix: https://github.com/Netflix/bless (long term id is OIDC sub, short term id is ssh pub)

It's also similar to GPG use cases where your long term ID is an email, and your short term IDs are public keys (possibly hardware protected).

It's a very common pattern to generate keys for a security context, sign them from a different context, and then verify the chain until the child context becomes compromised (device damage or compromise)... only exposing the child context to the "daily use" threat environment.

Another use case that lines up is revocation list credentials, those need to be hosted somewhere, but they can be used to revoke a credential that was bound to a device that becomes damaged or stolen... the holder does not present those though... The verifier checks them when a revocable credential is presented.

OS

On Sat, Mar 26, 2022 at 1:48 PM Nikos Fotiou <fotiou@aueb.gr> wrote:
> Hi all,
>
> We are experimenting with a cloud-based wallet, where VCs are stored in a cloud service (which may or may not be owned by the VC holder) but VPs are generated using a hardware token, owned by the VC holder.
>
> Although this is a very nice exercise, I am wondering if there is any real value in such a system. Especially, given that if the hardware token is lost, the VCs stored in the cloud are useless.
>
> Any thoughts? Are you aware of any similar system?
>
> Thanks,
> Nikos
>
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr

--
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries <https://www.transmute.industries>
Received on Saturday, 26 March 2022 21:10:22 UTC