Re: Open Wallet Foundation from Liam McCarty on 2022-09-17 (public-credentials@w3.org from September 2022)

From: Liam McCarty <liam@unumid.co>
Date: Sat, 17 Sep 2022 15:44:57 -0400
To: Orie Steele <orie@transmute.industries>
Cc: Philipp Schmidt <phi.schmidt@gmail.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, Sharon Leu <sleu@jff.org>
Message-ID: <CAHMWg4_ps8LXVeu=7R6LUWXE3g9epH26X=8Pt_sYv+4TEwsBiA@mail.gmail.com>

>
> *Unfortunately you can't use WebAuthN to get generic signatures needed to
> treat a device as a wallet.*


@Orie Steele <orie@transmute.industries> this is such an important point,
and I'm thrilled to see you bringing it to light here. It's a huge missed
opportunity that WebAuthn supports hardware backed cryptographic
signatures *only
*for authentication. As far as I can tell, it's largely an unfortunate side
effect of the working group's mandate being "authentication" specifically.

I brought this up in WebAuthn (and WebCrypto) GitHub issues posts last
spring:

*PROPOSAL: Add support for general (hardware backed) cryptographic
signatures and key exchange*


   - WebAuthn Github issues post:
      https://github.com/w3c/webauthn/issues/1608
      - WebCrypto GitHub issues post:
      https://github.com/w3c/webcrypto/issues/263

This was after a long conversation in a separate WebAuthn GitHub issues
post I made:

*Can the private keys be used for other cryptographic operations?:*
https://github.com/w3c/webauthn/issues/1595

I understand the motivation to prevent tracking of users, and that's
crucial. But in my view that's not a reason to not support generic
cryptographic signatures. It simply requires a different implementation,
e.g. one that includes a nonce so that an RP can't pass in the same data
and get back exactly the same proof twice (which would enable tracking).

I think the only way this will change is with much more advocacy from all
of us. If anyone else agrees with Orie and with my proposals linked above,
please reopen the GitHub issues posts, comment on them, and speak up!

Imagine what would be possible with general, hardware backed cryptographic
signatures... extremely secure and highly usable web based identity
wallets. It would change the game.

Liam Hale McCarty
CEO, Founder of Unum ID <https://www.unumid.co/>
Forbes 30 Under 30 | Stanford Physics
www.LiamHaleMcCarty.com <https://www.liamhalemccarty.com/>
*Meet with me* <https://calendly.com/liammccarty/30min>
[image: Unum ID verified email badge]
<https://wallet.unumid.co/authenticate?referralCode=S49YWeNTHpTQ>
Unum ID Sender


On Sat, Sep 17, 2022 at 2:05 PM Orie Steele <orie@transmute.industries>
wrote:

> One of my areas of interest is "professional" or "business" wallets.
>
> Various operators require a cryptographically authenticatable confidential
> storage system, a few example roles to consider:
>
> - law enforcement officers, issuing tickets
> - site inspectors, certifying operating conditions for a facility
> - traders developing and executing financing contracts
> - lawyers, social workers or other roles that manage multiple clients with
> unique confidentiality requirements
>
> A major risk to the industry is that in our haste to secure the B2C
> scenarios, we focus far too much on "personal privacy", "personal
> payments", "personal identity".
>
> Roads and other critical infrastructure that benefits individual persons
> is rarely built for "personal use" reasons initially.
>
> There is a strong intersection point between edtech and professional
> employment... Jobs for the Future is leading the way!
>
> But do we think people should be using personal wallets for
> "professional business" ?
>
> When and where do personal credential use cases mix?
>
> How many devices do I need to operate safely?
>
> How many will be required to adhere to corporate / government security
> policies?... See Ukraine / Russia conflict for real examples of why
> professional operators should not be using personal devices.
>
> Let's get some use cases that can start to connect the personal and
> professional wallet ecosystems.
>
> Regards,
>
> OS
>
>
> On Sat, Sep 17, 2022 at 12:32 PM Philipp Schmidt <phi.schmidt@gmail.com>
> wrote:
>
>> On Sat, Sep 17, 2022 at 9:58 AM Orie Steele <orie@transmute.industries>
>> wrote:
>>
>>>
>>> Regarding OWF, I think it's about time we came together to talk about
>>> wallet interoperability, use cases and threats to users... It's young, we
>>> can all be a part of shaping it.
>>>
>>
>> Jobs for the Future has been organizing a wallet plugfest to do just
>> this, with support from the VC-EDU task force. It is modeled after Anil
>> John's work bringing together various parties. I believe there are
>> something like 35 groups participating in the next round. The Digital
>> Credentials Consortium is one of those groups.
>>
>> I can't speak on behalf of the plugfest organizers, but from where I sit,
>> I see a lot of value for the OWF to get involved as well (if they are not
>> already talking to each other) and build on the efforts that are already
>> underway.
>>
>> Philipp
>>
>>
>>
>
> --
> *ORIE STEELE*
> Chief Technical Officer
> www.transmute.industries
>
> <https://www.transmute.industries>
>

Received on Saturday, 17 September 2022 19:46:01 UTC