[PROPOSED WORK ITEM] Verifiable Credentials Confidence Methods

Hi everyone,

Sorry for receiving this potentially twice. I had some problems with my
first email and I couldn't find my email in the archive, so I'm sending
this again.

I'm seeking feedback on a new CCG Work Item proposal regarding Confidence
Method (previously known as Confirmation Method).

Please leave your support or concerns here:
- https://github.com/w3c-ccg/community/issues/245

There was a lot of interest in the W3C VCDM WG on this new extension
mechanism as you can see here:

https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding

However, we would be looking for new owners of this work. If you are
interested in becoming an owner, please indicate that in your comment as
well.

# New Work Item Proposal

The proposal is about defining a new property for the W3C VCDM that acts as
an extension point that allows an issuer to include one or more Confidence
Methods in a verifiable credential to inform verifiers of mechanisms they
could use to increase their confidence in the truth of a variety of things,
including the following:
- a particular identifier in the verifiable credential refers to the same
entity the issuer intended it to refer to
- an entity, such as the presenter of a verifiable credential, is the same
entity that the issuer made claims about
- an entity controls, or has been designated to use, one or more mechanisms
for demonstrating proof-of-possession or proof-of-use of cryptographic key
material
- an entity identified in the verifiable credential can be checked against
a biometric

See the following ...
- https://github.com/spruceid/confidence-method-spec
- https://spruceid.github.io/confidence-method-spec/

NOTE: The idea was originally to define and add the new property to W3C
VCDM 2.0 but the group decided that it would be good to incubate the
property in W3C CCG first (in case there is interest). More context
information about the latest discussions can be found here:
- https://github.com/w3c/vc-data-model/pull/1054
- https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding

@awoie also presented the idea on a W3C CCG Call. Back then the proposal
was still called "confirmation method":
https://docs.google.com/presentation/d/1-uPVyl3S-vPvy4HqL6BcjN0xTu9AvqxFfwowqwzcXpo

## Include Link to Abstract or Draft

- https://github.com/spruceid/confidence-method-spec
- https://spruceid.github.io/confidence-method-spec/

## List Owners

I hope that we find people in the W3C CCG community to own this.

## Work Item Questions

> Answer the following questions in order to document how you are meeting
the requirements for a new work item at the W3C Credentials Community
Group. Please note if this work item supports the Silicon Valley Innovation
program or another government or private sector project.

1. Explain what you are trying to do using no jargon or acronyms.

How can the verifier trust that the entity, the one the issuer issued the
verifiable credentials to, presented the verifiable presentation and the
entity did not simply get a copy of the included verifiable credentials?

3. How is it done today, and what are the limits of the current practice?

There is no standardized way of how this can be done. Implementers are
using Verifiable Presentations but there are a few issues with this
approach:
- "holder" is non-normative and optional,
- unclear who is "holder" when omitted,
- "credentialSubject.id" is optional,
- issues when no DIDs or, in general, no identifiers are used,
- not implementable in a uniform way

Implementers are using something like the following to achieve this goal
but note that this would only work for naive cases where the holder and the
subject have identifiers that allow the verifier to obtain cryptographic
material such as DIDs or public keys in general:

```
IF (holder.id == credentialSubject.id
  AND hasAuthnMethod(resolve(holder.id), vp.proof.verificationMethod)
  AND isValid(vp.proof)) THEN
    Print "Holder Binding validated"
```

5. What is new in your approach and why do you think it will be successful?

This is the first attempt to standardize this approach in the form of a
framework. It will be successful because it is an extension mechanism that
can act as a big tent for all such methods that are used in the wild today,
e.g., DID-Auth, Anoncreds, etc.

7. How are you involving participants from multiple skill sets and global
locations in this work item? (Skill sets: technical, design, product,
marketing, anthropological, and UX. Global locations: the Americas, APAC,
Europe, Middle East.)

This is the result of work started at the last Rebooting the Web of Trust
in The Hague, which brought together a number of people from various
countries: Austria, Germany, Netherlands, Spain, Norway, Greece, Canada,
Italy, and more:

https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/final-documents/identifier-binding.md

We hope to gather more feedback from the diverse community in the CCG.

8. What actions are you taking to make this work item accessible to a
non-technical audience?

The specification should attempt to provide a gentle introduction to the
topic via a non-technical introduction as well as non-technical use cases
with imagery that is accessible to the general population. Since the
specification is technical in nature, I'd be curious to learn more about
other mechanisms that could be used to make the specification more
accessible to a non-technical audience.

Thanks!

Oliver Terbu

Received on Tuesday, 27 June 2023 11:15:01 UTC
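
The naive holder-binding check from the pseudocode in the message above, as an added runnable sketch (not part of the original email or of the Confidence Method spec). It returns a reason for each case the email lists as a limitation. `REGISTRY`, `sign_vp` and `check_holder_binding` are hypothetical names, the `did:example` identifiers are constructed, and an HMAC tag stands in for a real asymmetric signature so the code runs with the standard library only.

```python
import hashlib, hmac, json

# Constructed stand-in for resolve(holder.id): identifier -> authentication
# methods -> key material. Assumption: HMAC keys replace public keys here;
# a real verifier would check an asymmetric signature instead.
REGISTRY = {
    "did:example:alice": {"did:example:alice#key-1": b"alice-demo-key"},
    "did:example:mallory": {"did:example:mallory#key-1": b"mallory-demo-key"},
}

def _payload(vp):
    # Deterministic bytes of the presentation without its proof.
    body = {k: v for k, v in vp.items() if k != "proof"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_vp(vp, method_id, key):
    """Attach a proof to a presentation (helper for building sample input)."""
    tag = hmac.new(key, _payload(vp), hashlib.sha256).hexdigest()
    return {**vp, "proof": {"verificationMethod": method_id, "proofValue": tag}}

def check_holder_binding(vp):
    """Return (ok, reason) for the holder.id == credentialSubject.id check."""
    holder = vp.get("holder")
    if holder is None:
        return False, "holder omitted"
    holder_id = holder if isinstance(holder, str) else holder.get("id")
    credentials = vp.get("verifiableCredential") or []
    if not credentials:
        return False, "no credential presented"
    for vc in credentials:
        subject_id = vc.get("credentialSubject", {}).get("id")
        if subject_id is None:
            return False, "credentialSubject.id omitted"
        if subject_id != holder_id:
            return False, "holder is not the subject"
    methods = REGISTRY.get(holder_id)  # resolve(holder.id)
    if methods is None:
        return False, "holder identifier does not resolve to key material"
    proof = vp.get("proof") or {}
    key = methods.get(proof.get("verificationMethod"))  # hasAuthnMethod(...)
    if key is None:
        return False, "proof key is not an authentication method of holder"
    expected = hmac.new(key, _payload(vp), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof.get("proofValue", "")):  # isValid
        return False, "invalid proof"
    return True, "holder binding validated"
```

A presentation whose holder is a bare UUID, or whose credential has no subject identifier, is rejected by this check even when the presenter is legitimate, which is the gap the proposed extension point is meant to cover.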