Re: Selective Disclosure for W3C Data Integrity from Manu Sporny on 2023-06-03 (public-credentials@w3.org from June 2023)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sat, 3 Jun 2023 12:47:53 -0400
To: Richard Spellman <richard.spellman@gosource.com.au>
Cc: Steve Capell <steve.capell@gmail.com>, Dave Longley <dlongley@digitalbazaar.com>, "John, Anil" <anil.john@hq.dhs.gov>, W3C Credentials CG <public-credentials@w3.org>, Sin LOH <LOH_Sin_Yong@imda.gov.sg>, "Ren KAY (IMDA)" <KAY_Ren_Yuh@imda.gov.sg>
Message-ID: <CAMBN2CTedixFUDTdeuur6VNMJipqAbhdQddh7CHQeeAKsk3aHA@mail.gmail.com>

On Wed, May 31, 2023 at 8:37 AM Richard Spellman
<richard.spellman@gosource.com.au> wrote:
> I think the challenge, going back to my point, is less about business practice, and more about usable abstractions.... the underlying protocol exchange would look like two agents engaging in presentation exchange where the requesting verifier initiates the request, and the holder agent constructs the presentation based on the query. A human observing the interaction could still think about it in the same terms, but that abstraction should not drive the underlying exchange...

Yes, exactly. To make your suggestion concrete, there is an example of
this in the Selective Disclosure for Data Integrity slide deck (slide
16):

https://docs.google.com/presentation/d/1d-04kIWhPuNscsAyUuRH3pduqrNerhigCWahKe6SNos/edit#slide=id.g2446ba3ea2c_0_41

That effectively asks the Holder: "I need an Employee Credential
stating your employers name."

The way that works via the Verifiable Presentation Request spec is
that only the claims that are needed are requested by the Verifier.
The Holder's software then interprets the request and will attempt to
find the minimum selective disclosure that could be performed to
fulfil the request.

For example, if the individual has an Employee VC that is signed (in
parallel) using both ecdsa-2019 and ecdsa-sd-2023, and both parties
know how to handle ecdsa-sd-2023 signatures, then the digital wallet
can provide such a limited disclosure to the Verifier (exposing only
the employer's name and only the parts of the ecdsa-sd-2023 signature
that matter).

The Holder would only be exposed to a simple question on what the
Verifier is requesting, and could then consent to the information to
be released to the Verifier.

So, +1 to your "usable abstractions" statement, Richard. This is very
much about usable abstractions and your thought process on the matter
is aligned with ours.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Saturday, 3 June 2023 16:48:35 UTC