Re: [PROPOSED WORK ITEM] Verifiable Credentials Confidence Methods

One item in your list concerns me.

       - an entity, such as the presenter of a verifiable credential, is
the same entity that the issuer made claims about

Unless you're requiring biometrics, I don't think that's possible in an
online world in which private keys can be shared.  Perhaps you should say
"is the same entity or that entity's designated agent."

--------------
Alan Karp


On Tue, Jun 27, 2023 at 4:17 AM Oliver Terbu <o.terbu@gmail.com> wrote:

> Hi everyone,
>
> Sorry for receiving this potentially twice. I had some problems with my
> first email and I couldn't find my email in the archive, so I'm sending
> this again.
>
> I'm seeking feedback on a new CCG Work Item proposal regarding Confidence
> Method (previously known as Confirmation Method).
>
> Please leave your support or concerns here:
> - https://github.com/w3c-ccg/community/issues/245
>
> There was a lot of interest in the W3C VCDM WG on this new extension
> mechanism as you can see here:
>
>
> https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding
>
> However, we would be looking for new owners of this work. If you are
> interested in becoming an owner, please indicate that in your comment as
> well.
>
> # New Work Item Proposal
>
> The proposal is about defining a new property for the W3C VCDM that acts
> as an extension point that allows an issuer to include one or more
> Confidence Methods in a verifiable credential to inform verifiers of
> mechanisms they could use to increase their confidence in the truth of a
> variety of things, including the following:
> - a particular identifier in the verifiable credential refers to the same
> entity the issuer intended it to refer to
> - an entity, such as the presenter of a verifiable credential, is the same
> entity that the issuer made claims about
> - an entity controls, or has been designated to use, one or more
> mechanisms for demonstrating proof-of-possession or proof-of-use of
> cryptographic key material
> - an entity identified in the verifiable credential can be checked against
> a biometric
>
> See the following ...
> - https://github.com/spruceid/confidence-method-spec
> - https://spruceid.github.io/confidence-method-spec/
>
> NOTE: The idea was originally to define and add the new property to W3C
> VCDM 2.0 but the group decided that it would be good to incubate the
> property in W3C CCG first (in case there is interest). More context
> information about the latest discussions can be found here:
> - https://github.com/w3c/vc-data-model/pull/1054
> - https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding
>
> @awoie also presented the idea on a W3C CCG Call. Back then the proposal
> was still called "confirmation method":
> https://docs.google.com/presentation/d/1-uPVyl3S-vPvy4HqL6BcjN0xTu9AvqxFfwowqwzcXpo
>
> ## Include Link to Abstract or Draft
>
> - https://github.com/spruceid/confidence-method-spec
> - https://spruceid.github.io/confidence-method-spec/
>
> ## List Owners
>
> I hope that we find people in the W3C CCG community to own this.
>
> ## Work Item Questions
>
> > Answer the following questions in order to document how you are meeting
> > the requirements for a new work item at the W3C Credentials Community
> > Group. Please note if this work item supports the Silicon Valley Innovation
> > program or another government or private sector project.
>
> 1. Explain what you are trying to do using no jargon or acronyms.
>
> How can the verifier trust that the entity, the one the issuer issued the
> verifiable credentials to, presented the verifiable presentation and that
> the entity did not simply get a copy of the included verifiable credentials?
>
> 3. How is it done today, and what are the limits of the current practice?
>
> There is no standardized way of how this can be done. Implementers are
> using Verifiable Presentations but there are a few issues with this
> approach:
> - "holder" is non-normative and optional,
> - unclear who is "holder" when omitted,
> - "credentialSubject.id" is optional,
> - issues when no DIDs or, in general, no identifiers are used,
> - not implementable in a uniform way
>
> Implementers are using something like the following to achieve this goal
> but note that this would only work for naive cases where the holder and the
> subject have identifiers that allow the verifier to obtain cryptographic
> material such as DIDs or public keys in general:
>
> ```
> IF (holder.id == credentialSubject.id
>   AND hasAuthnMethod(resolve(holder.id), vp.proof.verificationMethod)
>   AND isValid(vp.proof)) THEN
>     Print "Holder Binding validated"
> ```
>
> 5. What is new in your approach and why do you think it will be successful?
>
> This is the first attempt to standardize this approach in the form of a
> framework. It will be successful because it is an extension mechanism that
> can act as a big tent for all such methods that are used in the wild today,
> e.g., DID-Auth, Anoncreds, etc.
>
> 7. How are you involving participants from multiple skill sets and global
> locations in this work item? (Skill sets: technical, design, product,
> marketing, anthropological, and UX. Global locations: the Americas, APAC,
> Europe, Middle East.)
>
> This is the result of work started at the last Rebooting the Web of Trust
> in The Hague, which brought together a number of people from various
> countries: Austria, Germany, Netherlands, Spain, Norway, Greece, Canada,
> Italy, and more:
>
>
> https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/final-documents/identifier-binding.md
>
> We hope to gather more feedback from the diverse community in the CCG.
>
> 8. What actions are you taking to make this work item accessible to a
> non-technical audience?
>
> The specification should attempt to provide a gentle introduction to the
> topic via a non-technical introduction as well as non-technical use cases
> with imagery that is accessible to the general population. Since the
> specification is technical in nature, I'd be curious to learn more about
> other mechanisms that could be used to make the specification more
> accessible to a non-technical audience.
>
> Thanks!
>
> Oliver Terbu
>

Received on Tuesday, 27 June 2023 15:22:31 UTC
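
The naive holder-binding rule quoted in the proposal, written out as a runnable check that reports which condition failed. This is an added example, not code from either email or from the Confidence Method specification. Assumptions: the `DID_DOCS` registry stands in for `resolve()`, HMAC-SHA256 stands in for a real proof suite, the verifier `challenge` is added for replay protection, and all identifiers and keys are constructed.

```python
import hashlib
import hmac

# Constructed registry standing in for resolve(); all DIDs and keys are made up.
# HMAC-SHA256 is a stand-in for a real signature suite so this runs offline,
# which means "keys" holds shared secrets here rather than public keys.
DID_DOCS = {
    "did:example:alice": {
        "authentication": ["did:example:alice#key-1"],
        "keys": {"did:example:alice#key-1": b"k1", "did:example:alice#key-2": b"k2"},
    },
}

def sign(key, challenge, vc_ids):
    # The verifier's challenge is an assumption: it is what stops a replayed VP.
    msg = (challenge + "|" + ",".join(vc_ids)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_vp(holder, subject, vm, key, challenge):
    vc = {"id": "urn:example:vc-1", "credentialSubject": {"id": subject}}
    proof = {"verificationMethod": vm, "proofValue": sign(key, challenge, [vc["id"]])}
    vp = {"verifiableCredential": [vc], "proof": proof}
    if holder is not None:
        vp["holder"] = holder
    return vp

def check_holder_binding(vp, challenge):
    """Naive rule from the pseudocode; returns (ok, reason)."""
    holder = vp.get("holder")
    if holder is None:
        return False, "holder omitted"
    vcs = vp["verifiableCredential"]
    for vc in vcs:
        subject = vc.get("credentialSubject", {}).get("id")
        if subject is None:
            return False, "credentialSubject.id omitted"
        if subject != holder:
            return False, "holder is not the subject"
    doc = DID_DOCS.get(holder)
    if doc is None:
        return False, "holder id does not resolve"
    vm = vp["proof"]["verificationMethod"]
    if vm not in doc["authentication"]:
        return False, "key is not an authentication method"
    expected = sign(doc["keys"][vm], challenge, [vc["id"] for vc in vcs])
    if not hmac.compare_digest(expected, vp["proof"]["proofValue"]):
        return False, "invalid proof"
    return True, "Holder Binding validated"
```

The check succeeds for whoever holds the key behind `did:example:alice#key-1`, so a positive result shows control of that key rather than who is using it, which is the limit raised in the reply at the top of this thread.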