- From: Oliver Terbu <oliver.terbu@spruceid.com>
- Date: Wed, 5 Jul 2023 17:31:12 +0200
- To: Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CAP7TzjBJYRLx5_TEW6LBUkFA+MmHbfVjiuqKomQ7mG-ner=Epg@mail.gmail.com>

We are still looking for more discussion on the proposed confidence method work item here:
https://github.com/w3c-ccg/community/issues/245

And we are still looking for two volunteers to drive the maturity of the specification (which might include bigger changes).

Thanks
-Oliver

On Tue, Jun 27, 2023 at 9:23 PM Adrian Gropper <agropper@healthurl.com> wrote:

> It's not just biometrics. "Locking" a wallet to an individual can achieve
> this. Also, certification of the wallet, to make sharing of private keys
> less likely, will have to be explicitly considered. I would hope that all
> three of these potential solutions are explicitly listed as in-scope for
> the work.
>
> Adrian
>
> On Tue, Jun 27, 2023 at 11:25 AM Alan Karp <alanhkarp@gmail.com> wrote:
>
>> One item in your list concerns me.
>>
>> - an entity, such as the presenter of a verifiable credential, is
>>   the same entity that the issuer made claims about
>>
>> Unless you're requiring biometrics, I don't think that's possible in an
>> online world in which private keys can be shared. Perhaps you should say
>> "is the same entity or that entity's designated agent."
>>
>> --------------
>> Alan Karp
>>
>> On Tue, Jun 27, 2023 at 4:17 AM Oliver Terbu <o.terbu@gmail.com> wrote:
>>
>>> Hi everyone,
>>>
>>> Sorry for receiving this potentially twice. I had some problems with my
>>> first email and I couldn't find my email in the archive, so I'm sending
>>> this again.
>>>
>>> I'm seeking feedback on a new CCG Work Item proposal regarding
>>> Confidence Method (previously known as Confirmation Method).
>>>
>>> Please leave your support or concerns here:
>>> - https://github.com/w3c-ccg/community/issues/245
>>>
>>> There was a lot of interest in the W3C VCDM WG on this new extension
>>> mechanism as you can see here:
>>>
>>> https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding
>>> .
>>>
>>> However, we would be looking for new owners of this work.
>>> If you are interested in becoming an owner, please indicate that in
>>> your comment as well.
>>>
>>> # New Work Item Proposal
>>>
>>> The proposal is about defining a new property for the W3C VCDM that acts
>>> as an extension point that allows an issuer to include one or more
>>> Confidence Methods in a verifiable credential to inform verifiers of
>>> mechanisms they could use to increase their confidence in the truth of a
>>> variety of things, including the following:
>>> - a particular identifier in the verifiable credential refers to the
>>>   same entity the issuer intended it to refer to
>>> - an entity, such as the presenter of a verifiable credential, is the
>>>   same entity that the issuer made claims about
>>> - an entity controls, or has been designated to use, one or more
>>>   mechanisms for demonstrating proof-of-possession or proof-of-use of
>>>   cryptographic key material
>>> - an entity identified in the verifiable credential can be checked
>>>   against a biometric
>>>
>>> See the following ...
>>> - https://github.com/spruceid/confidence-method-spec
>>> - https://spruceid.github.io/confidence-method-spec/
>>>
>>> NOTE: The idea was originally to define and add the new property to W3C
>>> VCDM 2.0 but the group decided that it would be good to incubate the
>>> property in W3C CCG first (in case there is interest). More context
>>> information about the latest discussions can be found here:
>>> - https://github.com/w3c/vc-data-model/pull/1054
>>> - https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding
>>>
>>> @awoie also presented the idea on a W3C CCG Call. Back then the proposal
>>> was still called "confirmation method":
>>> https://docs.google.com/presentation/d/1-uPVyl3S-vPvy4HqL6BcjN0xTu9AvqxFfwowqwzcXpo
>>> .
>>>
>>> ## Include Link to Abstract or Draft
>>>
>>> - https://github.com/spruceid/confidence-method-spec
>>> - https://spruceid.github.io/confidence-method-spec/
>>>
>>> ## List Owners
>>>
>>> I hope that we find people in the W3C CCG community to own this.
>>>
>>> ## Work Item Questions
>>>
>>> > Answer the following questions in order to document how you are
>>> meeting the requirements for a new work item at the W3C Credentials
>>> Community Group. Please note if this work item supports the Silicon Valley
>>> Innovation program or another government or private sector project.
>>>
>>> 1. Explain what you are trying to do using no jargon or acronyms.
>>>
>>> How can the verifier trust that the entity, the one the issuer issued
>>> the verifiable credentials to, presented the verifiable presentation and
>>> the entity did not simply get a copy of the included verifiable credentials.
>>>
>>> 3. How is it done today, and what are the limits of the current practice?
>>>
>>> There is no standardized way of how this can be done. Implementers are
>>> using Verifiable Presentations but there are a few issues with this
>>> approach:
>>> - "holder" is non-normative and optional,
>>> - unclear who is "holder" when omitted,
>>> - "credentialSubject.id" is optional,
>>> - issues with no DIDs or in general no identifiers are used,
>>> - not implementable in a uniform way
>>>
>>> Implementers are using something like the following to achieve this goal
>>> but note that this would only work for naive cases where the holder and the
>>> subject have identifiers that allow the verifier to obtain cryptographic
>>> material such as DIDs or public keys in general:
>>>
>>> ```
>>> IF (holder.id == credentialSubject.id
>>>     AND hasAuthnMethod(resolve(holder.id), vp.proof.verificationMethod)
>>>     AND isValid(vp.proof)) THEN
>>>   Print “Holder Binding validated”
>>> ```
>>>
>>> 5. What is new in your approach and why do you think it will be
>>> successful?
>>>
>>> This is the first attempt to standardize this approach in the form of a
>>> framework. It will be successful because it is an extension mechanism that
>>> can act as a big tent for all such methods that are used in the wild today,
>>> e.g., DID-Auth, Anoncreds, etc.
>>>
>>> 7. How are you involving participants from multiple skill sets and
>>> global locations in this work item? (Skill sets: technical, design,
>>> product, marketing, anthropological, and UX. Global locations: the
>>> Americas, APAC, Europe, Middle East.)
>>>
>>> This is the result of work started at the last Rebooting the Web of
>>> Trust in The Hague, which brought together a number of people from various
>>> countries: Austria, Germany, Netherlands, Spain, Norway, Greece, Canada,
>>> Italy, and more:
>>>
>>> https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/final-documents/identifier-binding.md
>>>
>>> We hope to gather more feedback from the diverse community in the CCG.
>>>
>>> 8. What actions are you taking to make this work item accessible to a
>>> non-technical audience?
>>>
>>> The specification should attempt to provide a gentle introduction to the
>>> topic via a non-technical introduction as well as non-technical use cases
>>> with imagery that is accessible to the general population. Since the
>>> specification is technical in nature, I'd be curious to learn more about
>>> other mechanisms that could be used to make the specification more
>>> accessible to a non-technical audience.
>>>
>>> Thanks!
>>>
>>> Oliver Terbu
>>>
>>

Received on Wednesday, 5 July 2023 15:31:32 UTC
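
The naive holder-binding check from the pseudocode in the quoted proposal, written out in Python as an added example (not code from the email or from the Confidence Method specification), with an explicit outcome for each limit the proposal lists. It assumes credentials embedded as JSON objects; `DID_DOCS`, the `did:example` identifiers, `sample_vp` and the `verify_proof` callable standing in for signature verification are constructed for illustration.

```python
# Added example: the naive check from the pseudocode, with explicit outcomes for
# the listed limits. DID_DOCS and the did:example ids are constructed sample data.
DID_DOCS = {"did:example:alice": {"authentication": ["did:example:alice#key-1"]}}

def _id(node):
    # VCDM allows either a bare URI string or an object with an "id" member.
    if isinstance(node, dict):
        return node.get("id")
    return node if isinstance(node, str) else None

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def has_authn_method(did_doc, method_id):
    # "authentication" entries may be references (strings) or embedded methods.
    return any(_id(e) == method_id for e in did_doc.get("authentication", []))

def check_holder_binding(vp, resolve, verify_proof):
    # verify_proof is a caller-supplied signature check (assumption, not a real API).
    holder_id = _id(vp.get("holder"))
    if holder_id is None:
        return "undetermined: holder omitted"
    did_doc = resolve(holder_id)
    if did_doc is None:
        return "undetermined: no key material for holder id"
    method = vp.get("proof", {}).get("verificationMethod")
    if method is None or not has_authn_method(did_doc, method):
        return "rejected: proof key not authorized by holder"
    if not verify_proof(vp):
        return "rejected: invalid proof"
    for vc in _as_list(vp.get("verifiableCredential")):
        subject_ids = [_id(s) for s in _as_list(vc.get("credentialSubject"))]
        if not subject_ids or None in subject_ids:
            return "undetermined: credentialSubject.id omitted"
        if holder_id not in subject_ids:  # multi-subject handling is an assumption
            return "rejected: holder is not the credential subject"
    return "holder binding validated"

def sample_vp(holder="did:example:alice", subject_id="did:example:alice"):
    subject = {"degree": "BSc"}  # constructed claim
    if subject_id is not None:
        subject["id"] = subject_id
    vp = {"verifiableCredential": [{"credentialSubject": subject}],
          "proof": {"verificationMethod": "did:example:alice#key-1"}}
    if holder is not None:
        vp["holder"] = holder
    return vp
```

A "validated" result shows only that the presenter controls a key authorized for the holder identifier; it cannot tell the subject apart from anyone that key was shared with, which is the concern raised in the replies above.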