Re: [PROPOSED WORK ITEM] Verifiable Credentials Confidence Methods

Chair note: this item will need two different parties to agree to own this
work for it to become a work item

Mike Prorock
CTO, Founder
https://mesur.io/



On Tue, Jun 27, 2023 at 9:37 AM Oliver Terbu <o.terbu@gmail.com> wrote:

> Thanks, Alan, for your comments. I agree that the language can be improved
> and probably should be improved. I expect more discussions like this to
> happen once the proposal is accepted as a CCG work item.
>
> On Tue, 27 Jun 2023 at 17:22, Alan Karp <alanhkarp@gmail.com> wrote:
>
>> One item in your list concerns me.
>>
>>        - an entity, such as the presenter of a verifiable credential, is
>> the same entity that the issuer made claims about
>>
>> Unless you're requiring biometrics, I don't think that's possible in an
>> online world in which private keys can be shared.  Perhaps you should say
>> "is the same entity or that entity's designated agent."
>>
>> --------------
>> Alan Karp
>>
>>
>> On Tue, Jun 27, 2023 at 4:17 AM Oliver Terbu <o.terbu@gmail.com> wrote:
>>
>>> Hi everyone,
>>>
>>> Sorry for receiving this potentially twice. I had some problems with my
>>> first email and I couldn't find my email in the archive, so I'm sending
>>> this again.
>>>
>>> I'm seeking feedback on a new CCG Work Item proposal regarding
>>> Confidence Method (previously known as Confirmation Method).
>>>
>>> Please leave your support or concerns here:
>>> - https://github.com/w3c-ccg/community/issues/245
>>>
>>> There was a lot of interest in the W3C VCDM WG on this new extension
>>> mechanism as you can see here:
>>>
>>> https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding
>>>
>>> However, we would be looking for new owners of this work. If you are
>>> interested in becoming an owner, please indicate that in your comment as
>>> well.
>>>
>>> # New Work Item Proposal
>>>
>>> The proposal is about defining a new property for the W3C VCDM that acts
>>> as an extension point that allows an issuer to include one or more
>>> Confidence Methods in a verifiable credential to inform verifiers of
>>> mechanisms they could use to increase their confidence in the truth of a
>>> variety of things, including the following:
>>> - a particular identifier in the verifiable credential refers to the
>>> same entity the issuer intended it to refer to
>>> - an entity, such as the presenter of a verifiable credential, is the
>>> same entity that the issuer made claims about
>>> - an entity controls, or has been designated to use, one or more
>>> mechanisms for demonstrating proof-of-possession or proof-of-use of
>>> cryptographic key material
>>> - an entity identified in the verifiable credential can be checked
>>> against a biometric
>>>
>>> See the following ...
>>> - https://github.com/spruceid/confidence-method-spec
>>> - https://spruceid.github.io/confidence-method-spec/
>>>
>>> NOTE: The idea was originally to define and add the new property to W3C
>>> VCDM 2.0 but the group decided that it would be good to incubate the
>>> property in W3C CCG first (in case there is interest). More context
>>> information about the latest discussions can be found here:
>>> - https://github.com/w3c/vc-data-model/pull/1054
>>> - https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding
>>>
>>> @awoie also presented the idea on a W3C CCG Call. Back then the proposal
>>> was still called "confirmation method":
>>> https://docs.google.com/presentation/d/1-uPVyl3S-vPvy4HqL6BcjN0xTu9AvqxFfwowqwzcXpo
>>>
>>> ## Include Link to Abstract or Draft
>>>
>>> - https://github.com/spruceid/confidence-method-spec
>>> - https://spruceid.github.io/confidence-method-spec/
>>>
>>> ## List Owners
>>>
>>> I hope that we find people in the W3C CCG community to own this.
>>>
>>> ## Work Item Questions
>>>
>>> > Answer the following questions in order to document how you are
>>> meeting the requirements for a new work item at the W3C Credentials
>>> Community Group. Please note if this work item supports the Silicon Valley
>>> Innovation program or another government or private sector project.
>>>
>>> 1. Explain what you are trying to do using no jargon or acronyms.
>>>
>>> How can the verifier trust that the entity, the one the issuer issued
>>> the verifiable credentials to, presented the verifiable presentation and
>>> that the entity did not simply get a copy of the included verifiable
>>> credentials?
>>>
>>> 3. How is it done today, and what are the limits of the current practice?
>>>
>>> There is no standardized way of how this can be done. Implementers are
>>> using Verifiable Presentations, but there are a few issues with this
>>> approach:
>>> - "holder" is non-normative and optional,
>>> - unclear who is "holder" when omitted,
>>> - "credentialSubject.id" is optional,
>>> - issues when no DIDs or, in general, no identifiers are used,
>>> - not implementable in a uniform way
>>>
>>> Implementers are using something like the following to achieve this goal,
>>> but note that this would only work for naive cases where the holder and the
>>> subject have identifiers that allow the verifier to obtain cryptographic
>>> material such as DIDs or public keys in general:
>>>
>>> ```
>>> IF (holder.id == credentialSubject.id
>>>   AND hasAuthnMethod(resolve(holder.id), vp.proof.verificationMethod)
>>>   AND isValid(vp.proof)) THEN
>>>     Print "Holder Binding validated"
>>> ```
>>>
>>> 5. What is new in your approach and why do you think it will be
>>> successful?
>>>
>>> This is the first attempt to standardize this approach in the form of a
>>> framework. It will be successful because it is an extension mechanism that
>>> can act as a big tent for all such methods that are used in the wild today,
>>> e.g., DID-Auth, Anoncreds, etc.
>>>
>>> 7. How are you involving participants from multiple skill sets and
>>> global locations in this work item? (Skill sets: technical, design,
>>> product, marketing, anthropological, and UX. Global locations: the
>>> Americas, APAC, Europe, Middle East.)
>>>
>>> This is the result of work started at the last Rebooting the Web of
>>> Trust in The Hague, which brought together a number of people from various
>>> countries: Austria, Germany, Netherlands, Spain, Norway, Greece, Canada,
>>> Italy, and more:
>>>
>>>
>>> https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/final-documents/identifier-binding.md
>>>
>>> We hope to gather more feedback from the diverse community in the CCG.
>>>
>>> 8. What actions are you taking to make this work item accessible to a
>>> non-technical audience?
>>>
>>> The specification should attempt to provide a gentle introduction to the
>>> topic via a non-technical introduction as well as non-technical use cases
>>> with imagery that is accessible to the general population. Since the
>>> specification is technical in nature, I'd be curious to learn more about
>>> other mechanisms that could be used to make the specification more
>>> accessible to a non-technical audience.
>>>
>>> Thanks!
>>>
>>> Oliver Terbu
>>>
>>

Received on Tuesday, 27 June 2023 15:59:44 UTC
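
The naive check quoted in the proposal above, written out as an added Python example (not code from the thread or from the Confidence Method specification), with the cases the proposal lists as limits ("holder" omitted, "credentialSubject.id" missing) reported explicitly. Assumptions: credentials are embedded JSON objects, the `did:example` identifiers and DID document are constructed, and `resolve` and `verify_proof` are hypothetical stand-ins for DID resolution and the proof suite's signature check.

```python
# Added example: naive holder-binding check. All identifiers and documents are constructed.
DID = "did:example:holder123"
KEY = DID + "#key-1"
DID_DOCS = {DID: {"id": DID, "authentication": [KEY]}}
resolve = DID_DOCS.get  # hypothetical stand-in for DID resolution

def auth_method_ids(did_doc):
    # authentication entries may be references (strings) or embedded objects
    return {m if isinstance(m, str) else m.get("id")
            for m in did_doc.get("authentication", [])}

def subject_ids(vc):
    # credentialSubject may be one object or a list, and "id" is optional
    subj = vc.get("credentialSubject", {})
    subjects = subj if isinstance(subj, list) else [subj]
    return {s["id"] for s in subjects if isinstance(s, dict) and s.get("id")}

def check_holder_binding(vp, resolve, verify_proof):
    """Return (ok, reason). verify_proof is the caller's signature check (assumed)."""
    holder = vp.get("holder")
    holder_id = holder.get("id") if isinstance(holder, dict) else holder
    if not holder_id:
        return False, "holder omitted"
    did_doc = resolve(holder_id)
    if did_doc is None:
        return False, "holder identifier not resolvable"
    proof = vp.get("proof") or {}
    vm = proof.get("verificationMethod")
    if not vm or vm not in auth_method_ids(did_doc):
        return False, "proof key is not an authentication method of holder"
    if not verify_proof(vp, proof):
        return False, "invalid presentation proof"
    vcs = vp.get("verifiableCredential") or []
    if not vcs:
        return False, "no credential presented"
    for vc in (vcs if isinstance(vcs, list) else [vcs]):
        if holder_id not in subject_ids(vc):
            return False, "credentialSubject.id missing or differs from holder"
    return True, "holder binding validated"

def sample_vp(holder=DID, subject=DID, vm=KEY):
    # constructed presentation; subject=None models a credential without a subject id
    cs = {"degree": "BSc"} if subject is None else {"id": subject, "degree": "BSc"}
    vp = {"verifiableCredential": [{"credentialSubject": cs}],
          "proof": {"verificationMethod": vm}}
    if holder:
        vp["holder"] = holder
    return vp
```

A passing result shows only that the presenter controls a key listed for the holder identifier, which is the limitation raised in the thread about shared private keys.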