- From: Oliver Terbu <o.terbu@gmail.com>
- Date: Tue, 27 Jun 2023 17:36:19 +0200
- To: Alan Karp <alanhkarp@gmail.com>
- Cc: Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CAJdc_GkkvdUvPc3Q42j8ypTfof6C5rracQMuh7Fwd0w3iHPc0g@mail.gmail.com>
Thanks, Alan, for your comments. I agree that the language can be improved and probably should be improved. I expect more discussions like this to happen once the proposal is accepted as a CCG work item.

On Tue, 27 Jun 2023 at 17:22, Alan Karp <alanhkarp@gmail.com> wrote:

> One item in your list concerns me.
>
> - an entity, such as the presenter of a verifiable credential, is the same entity that the issuer made claims about
>
> Unless you're requiring biometrics, I don't think that's possible in an online world in which private keys can be shared. Perhaps you should say "is the same entity or that entity's designated agent."
>
> --------------
> Alan Karp
>
> On Tue, Jun 27, 2023 at 4:17 AM Oliver Terbu <o.terbu@gmail.com> wrote:
>
>> Hi everyone,
>>
>> Sorry for receiving this potentially twice. I had some problems with my first email and I couldn't find my email in the archive, so I'm sending this again.
>>
>> I'm seeking feedback on a new CCG Work Item proposal regarding Confidence Method (previously known as Confirmation Method).
>>
>> Please leave your support or concerns here:
>> - https://github.com/w3c-ccg/community/issues/245
>>
>> There was a lot of interest in the W3C VCDM WG on this new extension mechanism as you can see here:
>>
>> https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding
>>
>> However, we would be looking for new owners of this work. If you are interested in becoming an owner, please indicate that in your comment as well.
>>
>> # New Work Item Proposal
>>
>> The proposal is about defining a new property for the W3C VCDM that acts as an extension point that allows an issuer to include one or more Confidence Methods in a verifiable credential to inform verifiers of mechanisms they could use to increase their confidence in the truth of a variety of things, including the following:
>> - a particular identifier in the verifiable credential refers to the same entity the issuer intended it to refer to
>> - an entity, such as the presenter of a verifiable credential, is the same entity that the issuer made claims about
>> - an entity controls, or has been designated to use, one or more mechanisms for demonstrating proof-of-possession or proof-of-use of cryptographic key material
>> - an entity identified in the verifiable credential can be checked against a biometric
>>
>> See the following ...
>> - https://github.com/spruceid/confidence-method-spec
>> - https://spruceid.github.io/confidence-method-spec/
>>
>> NOTE: The idea was originally to define and add the new property to W3C VCDM 2.0 but the group decided that it would be good to incubate the property in W3C CCG first (in case there is interest). More context information about the latest discussions can be found here:
>> - https://github.com/w3c/vc-data-model/pull/1054
>> - https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding
>>
>> @awoie also presented the idea on a W3C CCG Call. Back then the proposal was still called "confirmation method":
>> https://docs.google.com/presentation/d/1-uPVyl3S-vPvy4HqL6BcjN0xTu9AvqxFfwowqwzcXpo
>>
>> ## Include Link to Abstract or Draft
>>
>> - https://github.com/spruceid/confidence-method-spec
>> - https://spruceid.github.io/confidence-method-spec/
>>
>> ## List Owners
>>
>> I hope that we find people in the W3C CCG community to own this.
>>
>> ## Work Item Questions
>>
>> > Answer the following questions in order to document how you are meeting the requirements for a new work item at the W3C Credentials Community Group. Please note if this work item supports the Silicon Valley Innovation program or another government or private sector project.
>>
>> 1. Explain what you are trying to do using no jargon or acronyms.
>>
>> How can the verifier trust that the entity, the one the issuer issued the verifiable credentials to, presented the verifiable presentation and the entity did not simply get a copy of the included verifiable credentials.
>>
>> 3. How is it done today, and what are the limits of the current practice?
>>
>> There is no standardized way of how this can be done. Implementers are using Verifiable Presentations but there are a few issues with this approach:
>> - "holder" is non-normative and optional,
>> - unclear who is "holder" when omitted,
>> - "credentialSubject.id" is optional,
>> - issues with no DIDs or in general no identifiers are used,
>> - not implementable in a uniform way
>>
>> Implementers are using something like the following to achieve this goal but note that this would only work for naive cases where the holder and the subject have identifiers that allow the verifier to obtain cryptographic material such as DIDs or public keys in general:
>>
>> ```
>> IF (holder.id == credentialSubject.id
>>     AND hasAuthnMethod(resolve(holder.id), vp.proof.verificationMethod)
>>     AND isValid(vp.proof)) THEN
>>   Print "Holder Binding validated"
>> ```
>>
>> 5. What is new in your approach and why do you think it will be successful?
>>
>> This is the first attempt to standardize this approach in the form of a framework. It will be successful because it is an extension mechanism that can act as a big tent for all such methods that are used in the wild today, e.g., DID-Auth, Anoncreds, etc.
>>
>> 7. How are you involving participants from multiple skill sets and global locations in this work item? (Skill sets: technical, design, product, marketing, anthropological, and UX. Global locations: the Americas, APAC, Europe, Middle East.)
>>
>> This is the result of work started at the last Rebooting the Web of Trust in The Hague, which brought together a number of people from various countries: Austria, Germany, Netherlands, Spain, Norway, Greece, Canada, Italy, and more:
>>
>> https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/final-documents/identifier-binding.md
>>
>> We hope to gather more feedback from the diverse community in the CCG.
>>
>> 8. What actions are you taking to make this work item accessible to a non-technical audience?
>>
>> The specification should attempt to provide a gentle introduction to the topic via a non-technical introduction as well as non-technical use cases with imagery that is accessible to the general population. Since the specification is technical in nature, I'd be curious to learn more about other mechanisms that could be used to make the specification more accessible to a non-technical audience.
>>
>> Thanks!
>>
>> Oliver Terbu

Received on Tuesday, 27 June 2023 15:36:37 UTC
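
The naive holder-binding check from the quoted pseudocode, as an added example that is not part of the e-mail thread or of the Confidence Method draft: it returns a reason for each failure so the limits listed in the proposal (omitted `holder`, omitted `credentialSubject.id`, identifiers that resolve to no key material) become visible. `REGISTRY`, `sample_vp` and `toy_is_valid` are hypothetical stand-ins for DID resolution, a real presentation and real proof verification; all DIDs and values are constructed.

```python
# Added example; every DID, document and proof value below is constructed.
REGISTRY = {"did:example:alice": {"authentication": ["did:example:alice#key-1"]}}

def has_authn_method(did_doc, method_id):
    """True if method_id is under the document's authentication relationship."""
    # An entry is either a string reference or an embedded method object.
    ids = [e if isinstance(e, str) else e.get("id")
           for e in did_doc.get("authentication", [])]
    return method_id is not None and method_id in ids

def check_holder_binding(vp, is_valid, registry=REGISTRY):
    """Return (ok, reason); is_valid(proof) is the caller's signature check."""
    holder = vp.get("holder")
    holder_id = holder.get("id") if isinstance(holder, dict) else holder
    if not holder_id:
        return False, "holder omitted"
    did_doc = registry.get(holder_id)  # stands in for resolve(holder.id)
    if did_doc is None:
        return False, "holder identifier not resolvable to key material"
    proof = vp.get("proof") or {}
    if not has_authn_method(did_doc, proof.get("verificationMethod")):
        return False, "verificationMethod is not an authentication method of holder"
    if not is_valid(proof):
        return False, "presentation proof invalid"
    credentials = vp.get("verifiableCredential", [])
    if not credentials:
        return False, "no credential presented"
    for vc in credentials:
        subject = vc.get("credentialSubject", {})
        subject_id = subject.get("id") if isinstance(subject, dict) else None
        if subject_id is None:
            return False, "credentialSubject.id omitted"
        if subject_id != holder_id:
            return False, "holder is not the credential subject"
    return True, "Holder Binding validated"

def sample_vp(holder, subject_id, method="did:example:alice#key-1"):
    """Build a constructed presentation; None leaves the optional field out."""
    subject = {"degree": "BSc"}
    if subject_id:
        subject["id"] = subject_id
    vp = {"verifiableCredential": [{"credentialSubject": subject}],
          "proof": {"verificationMethod": method, "proofValue": "constructed-valid"}}
    if holder:
        vp["holder"] = holder
    return vp

def toy_is_valid(proof):
    """Placeholder for real signature verification of vp.proof (isValid)."""
    return proof.get("proofValue") == "constructed-valid"
```

A passing result shows only that the presenter can use a key listed for the holder identifier, which is the limit Alan Karp's reply raises about shared private keys.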