Re: Novel (to me) architecture for control of personal data from Adrian Gropper on 2022-09-10 (public-credentials@w3.org from September 2022)

From: Adrian Gropper <agropper@healthurl.com>
Date: Sat, 10 Sep 2022 13:49:06 -0400
To: devi prasad <dprasadm@gmail.com>
Cc: Steve Capell <steve.capell@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, Chris Gough <christopher.d.gough@gmail.com>, namlleps.drahcir@gmail.com
Message-ID: <CANYRo8hkwPsX-jhr+Anhj9DPUMtxsHLuGxh4nzi5BpnkMr_V7Q@mail.gmail.com>
It's helpful to consider the value propositions and business models that
can drive adoption of SSI because they can provide objective input into
layering standards. More directly, standardized VCs can participate in
different value / business opportunities depending on how we design and
layer applicable protocols.

As this real-world example implies, there are three principal value
propositions:

1 -  Aggregation by a trusted delegate AA for convenience in policy-based
authorization and the business opportunity offered by standards that enable
free choice of these delegates.

2 - Increasing trust (reduced surveillance) and reducing the cost (security
and regulatory) of the AA by keeping the contents of the transaction out of
the AA.

3 - Increased privacy by blinding the issuer and verifier from each other.

#1 and 2 are independent of #3. Absolute blinding adds overall complexity
and cost for authenticity and revocation. Relaxing the absolute requirement
of #3 through audit and accountability mechanisms such as logs and notaries
can still provide much of the privacy value.

So we have three patterns for applying VCs in the marketplace. They range
from absolute blinding (
https://github.com/w3c/vc-data-model/issues/821#issuecomment-1241110115)
with no Account Aggregator > through the BIS / India pattern of
encryption-isolated AA > to a delegated authorization AA that also isolates
the content of the transaction but does not use the AA as proxy.

Over this spectrum, VCs apply to solve the authenticity issue as applied to
Data Providers and also to reduce the risk of an authorization decision as
applied to Data Users making a request to the AA.

VCs will be most successful in the marketplace if we design protocols that
facilitate VC use (and reuse) across all three patterns of control.

Adrian

---------- Forwarded message ---------
From: devi prasad <dprasadm@gmail.com>
Date: Sat, Sep 10, 2022 at 4:05 AM
Subject: Re: Novel (to me) architecture for control of personal data
To: Steve Capell <steve.capell@gmail.com>
CC: Adrian Gropper <agropper@healthurl.com>, W3C Credentials Community
Group <public-credentials@w3.org>, Chris Gough <
christopher.d.gough@gmail.com>, <namlleps.drahcir@gmail.com>



Steve, the consent manager is an Account Aggregator (AA) in this ecosystem.
AAs are regulated by the central bank - the Reserve Bank of India (RBI).
The Financial Information Users (FIUs) generally pay per
consent/transaction - the amount is not fixed by RBI. It is left to
the market.

Refer to the official site for more details: https://api.rebit.org.in/

IMO, substantial trust is placed on AAs when a Financial Information User
(FIU) fetches financial data from a Financial Information Provider (FIP - a
bank, for example).
Ephemeral keys are used per data fetch between FIU and FIP. ECDH using
Curve25519 is mandatory.

There's a central registry of FIPs and FIUs maintained by the non-profit
organization, Sahamati - https://sahamati.org.in/.
This is indeed an interesting model that works at India scale.

The data request from FIU to an FIP via AA is documented here:
https://swagger-ui.rebit.org.in/?url=https://specifications.rebit.org.in/api_specifications/account_aggregator/FIP_1_1_3.yaml#/Data%20Flow/post_FI_request
This is the context where I think an FIU trusts AAs because the former
exposes the initial key material it wants to share with the FIP for
subsequent cryptographic operations (signing as well as data encryption).

This text (by a licensed AA) offers more details :
https://docs.setu.co/data/account-aggregator/encryption

Regards
Devi Prasad



On Sat, Sep 10, 2022 at 3:05 AM Steve Capell <steve.capell@gmail.com> wrote:

> 
> Thanks for sharing that Adrian
>
> It’s very interesting - all the more so because it’s apparently live and
> working in the worlds most populous democracy.  Some thoughts occur to me
>
> 1 - It doesn’t say how the key management works for that encrypted flow of
> private data works. Orchestrated by the consent manager but not visible by
> the consent manager.  I guess it must be asymmetric encryption based on
> public key discovery of data users
>
> 2 - it doesn’t say how the commercial model works. Who pays for the
> consent manager service? The data user maybe?  Or is the consent manager a
> government run public good utility?
>
> 3 - although it’s different, I’m not entirely sure how / whether it’s
> better than a VC / EDV model where the subject is also the consent Manager?
> It might have something to do with the question about commercial
> incentives.  Possibly the most interesting thing about the Indian model is
> not the tech pattern but the commercial model for a fee-charging consent
> manager who’s profit motives are to protect the data subject’s data rather
> than to profit from the aggregation / analysis / resale of it
>
> Not expecting you to answer these questions Adrian - just sharing them as
> they occur to me ;)
>
> Kind regards
>
> Steven Capell
> Mob: 0410 437854
>
> On 10 Sep 2022, at 12:55 am, Adrian Gropper <agropper@healthurl.com>
> wrote:
>
> 
>
> https://www.brookings.edu/blog/future-development/2022/09/08/give-people-control-of-their-data/
>
> Builds around delegation to an intermediary that does not see the data
> itself.
>
> Adrian
>
>
>
Received on Saturday, 10 September 2022 17:49:30 UTC