Re: cloud-based wallet from Orie Steele on 2022-03-26 (public-credentials@w3.org from March 2022)

From: Orie Steele <orie@transmute.industries>
Date: Sat, 26 Mar 2022 16:08:58 -0500
To: Nikos Fotiou <fotiou@aueb.gr>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <CAN8C-_KOc17z_u5qQrfh_KLm-xALtzUkjtrNeqaxGqN8CmJKHQ@mail.gmail.com>

If the VCs in the cloud are a commitment to a DID instead of a hardware
bound key... then their presentation from hardware bound keys achieves the
same effect, but if the device is lost, the holder just registers new
device bound keys, and no need to re-issue the VCs (but a DID Update
operation is required).

This is similar to account recovery in end to end  / enclave systems like
Signal (long term id is phone number, short term ids are keys).

It's also similar to this now archived SSH CA project from Netflix:
https://github.com/Netflix/bless (long term id is OIDC sub, short term id
is ssh pub)

It's also similar to GPG use cases where your long term ID is an email, and
your short term IDs are public keys (possibly hardware protected).

It's a very common pattern to generate keys for a security context, sign
them from a different context, and then verify the chain until the child
context becomes compromised (device damage or compromise)... only exposing
the child context to the "daily use" threat environment.

Another use case that lines up is revocation list credentials, those need
to be hosted somewhere, but they can be used to revoke a credential that
was bound to a device that becomes damaged or stolen... the holder does not
present those though... The verifier checks them when a revocable
credential is presented.

OS

On Sat, Mar 26, 2022 at 1:48 PM Nikos Fotiou <fotiou@aueb.gr> wrote:

> Hi all,
>
> We are experimenting with a cloud-based wallet, where VCs are stored in a
> cloud service (which may or may not be owned by the VC holder) but VPs are
> generated using a hardware token, owned by the VC holder.
>
>
>
> Although this is a very nice exercise, I am wondering if there is any real
> value in such a system. Especially, given that if the hardware token is
> lost, the VCs stored in the cloud are useless.
>
>
>
> Any thoughts? Are you aware of any similar system?
>
>
>
> Thanks,
>
> Nikos
>
>
>
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
>
> Researcher - Mobile Multimedia Laboratory
>
> Athens University of Economics and Business
>
> https://mm.aueb.gr
>
>
>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>

Received on Saturday, 26 March 2022 21:10:22 UTC