
Re: Open Wallet Foundation

From: Adrian Gropper <agropper@healthurl.com>
Date: Sat, 17 Sep 2022 17:59:44 -0400
Message-ID: <CANYRo8iMmJAJZoFWC5ku8ytnGt1o4LjWZvAxY3_Ji0wq7N4fLw@mail.gmail.com>
To: Liam McCarty <liam@unumid.co>
Cc: Orie Steele <orie@transmute.industries>, Philipp Schmidt <phi.schmidt@gmail.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>, Sharon Leu <sleu@jff.org>
Healthcare provides an obvious and large scale example of the difference
between professional and consumer wallets as applied to accessing health

The requirements seem to be:
- The professional credentials are almost universally public
- The professional needs to use a non-repudiable signature to request
access to a patient's record at a service provider
- The patient's relationship with a service provider should be pseudonymous
and correlation resistant by design
- The patient does not need any credentials beyond authentication with
the service provider
- Verifiable credentials with the patient as a subject are a solution
looking for a problem as the relatively simple example of COVID credentials
has shown. Vaccine registries as service providers seem to be essential and
do not preclude adding verifiable credentials for the off-line use-cases
- Client credentials for accessing the service providers are a huge
usability problem
- Delegation (for minors, elders, family caregivers, office staff and
on-call professionals) is an absolute must.

Our HIE of One project has been trying to demonstrate this use-case for
almost a decade using standards and open source software. We have learned
that working on wallets outside of the entirety of the requirements above
is inefficient.


On Sat, Sep 17, 2022 at 3:48 PM Liam McCarty <liam@unumid.co> wrote:

>> *Unfortunately you can't use WebAuthN to get generic signatures needed to
>> treat a device as a wallet.*
> @Orie Steele <orie@transmute.industries> this is such an important point,
> and I'm thrilled to see you bringing it to light here. It's a huge missed
> opportunity that WebAuthn supports hardware backed cryptographic signatures *only*
> for authentication. As far as I can tell, it's largely an unfortunate
> side effect of the working group's mandate being "authentication"
> specifically.
> I brought this up in WebAuthn (and WebCrypto) GitHub issues posts last
> spring:
> *PROPOSAL: Add support for general (hardware backed) cryptographic
> signatures and key exchange*
>    - WebAuthn GitHub issues post:
>      https://github.com/w3c/webauthn/issues/1608
>    - WebCrypto GitHub issues post:
>      https://github.com/w3c/webcrypto/issues/263
> This was after a long conversation in a separate WebAuthn GitHub issues
> post I made:
> *Can the private keys be used for other cryptographic operations?:*
> https://github.com/w3c/webauthn/issues/1595
> I understand the motivation to prevent tracking of users, and that's
> crucial. But in my view that's not a reason to not support generic
> cryptographic signatures. It simply requires a different implementation,
> e.g. one that includes a nonce so that an RP can't pass in the same data
> and get back exactly the same proof twice (which would enable tracking).
> I think the only way this will change is with much more advocacy from all
> of us. If anyone else agrees with Orie and with my proposals linked above,
> please reopen the GitHub issues posts, comment on them, and speak up!
> Imagine what would be possible with general, hardware backed cryptographic
> signatures... extremely secure and highly usable web based identity
> wallets. It would change the game.
> Liam Hale McCarty
> CEO, Founder of Unum ID <https://www.unumid.co/>
> Forbes 30 Under 30 | Stanford Physics
> www.LiamHaleMcCarty.com <https://www.liamhalemccarty.com/>
> *Meet with me* <https://calendly.com/liammccarty/30min>
> On Sat, Sep 17, 2022 at 2:05 PM Orie Steele <orie@transmute.industries>
> wrote:
>> One of my areas of interest is "professional" or "business" wallets.
>> Various operators require a cryptographically authenticatable
>> confidential storage system, a few example roles to consider:
>> - law enforcement officers, issuing tickets
>> - site inspectors, certifying operating conditions for a facility
>> - traders developing and executing financing contracts
>> - lawyers, social workers or other roles that manage multiple clients
>> with unique confidentiality requirements
>> A major risk to the industry is that in our haste to secure the B2C
>> scenarios, we focus far too much on "personal privacy", "personal
>> payments", "personal identity".
>> Roads and other critical infrastructure that benefits individual persons
>> is rarely built for "personal use" reasons initially.
>> There is a strong intersection point between edtech and professional
>> employment... Jobs for the Future is leading the way!
>> But do we think people should be using personal wallets for
>> "professional business" ?
>> When and where do personal credential use cases mix?
>> How many devices do I need to operate safely?
>> How many will be required to adhere to corporate / government security
>> policies?... See Ukraine / Russia conflict for real examples of why
>> professional operators should not be using personal devices.
>> Let's get some use cases that can start to connect the personal and
>> professional wallet ecosystems.
>> Regards,
>> OS
>> On Sat, Sep 17, 2022 at 12:32 PM Philipp Schmidt <phi.schmidt@gmail.com>
>> wrote:
>>> On Sat, Sep 17, 2022 at 9:58 AM Orie Steele <orie@transmute.industries>
>>> wrote:
>>>> Regarding OWF, I think it's about time we came together to talk about
>>>> wallet interoperability, use cases and threats to users.... It's young, we
>>>> can all be a part of shaping it.
>>> Jobs for the Future has been organizing a wallet plugfest to do just
>>> this, with support from the VC-EDU task force. It is modeled after Anil
>>> John's work bringing together various parties. I believe there are
>>> something like 35 groups participating in the next round. The Digital
>>> Credentials Consortium is one of those groups.
>>> I can't speak on behalf of the plugfest organizers, but from where I
>>> sit, I see a lot of value for the OWF to get involved as well (if they are
>>> not already talking to each other) and build on the efforts that are
>>> already underway.
>>> Philipp
>> --
>> Chief Technical Officer
>> www.transmute.industries
>> <https://www.transmute.industries>
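To make the point about WebAuthn concrete, the following is an added example (mine, not code from this thread or from any of the projects named in it) of why a WebAuthn assertion is not a general-purpose signature: the authenticator signs authData || SHA-256(clientDataJSON), and the relying party's bytes only ever appear base64url-encoded inside the browser-built clientDataJSON, with the RP-supplied challenge acting as the per-request nonce. RP_ID, ORIGIN and the sample challenges are constructed values.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.org"           # constructed relying-party id
ORIGIN = "https://example.org"  # constructed origin the browser would record

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data_json(challenge: bytes) -> bytes:
    # The browser, not the RP, serialises this; the RP's bytes appear only
    # base64url-encoded in the "challenge" field, never as the raw message.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": ORIGIN}, separators=(",", ":")).encode()

def authenticator_data(sign_count: int, user_present: bool = True) -> bytes:
    # authData = SHA-256(rpId) || flags || 32-bit big-endian signature counter
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    flags = 0x01 if user_present else 0x00
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)

def signed_message(challenge: bytes, sign_count: int) -> bytes:
    # The bytes the authenticator actually signs for an assertion:
    # authData || SHA-256(clientDataJSON)
    auth_data = authenticator_data(sign_count)
    return auth_data + hashlib.sha256(client_data_json(challenge)).digest()

def rp_verify_binding(expected_challenge: bytes, client_data: bytes,
                      auth_data: bytes) -> bool:
    # What an RP must check before trusting the signature at all:
    # ceremony type, origin, its own challenge, and the rpIdHash.
    cd = json.loads(client_data)
    return (cd.get("type") == "webauthn.get"
            and cd.get("origin") == ORIGIN
            and cd.get("challenge") == b64url(expected_challenge)
            and auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest())

def raw_bytes_ever_signed(arbitrary: bytes, sign_count: int) -> bool:
    # Even if an RP smuggles a document into the challenge, the signed
    # message never contains it verbatim, so WebAuthn cannot act as a
    # generic signing oracle for wallet-style proofs.
    return arbitrary in signed_message(arbitrary, sign_count)
```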
Received on Saturday, 17 September 2022 22:00:11 UTC