Re: [PROPOSED WORK ITEM] Verifiable Credentials Confidence Methods

It's not just biometrics. "Locking" a wallet to an individual can achieve
this. Also, certification of the wallet, to make sharing of private keys
less likely, will have to be explicitly considered. I would hope that all
three of these potential solutions are explicitly listed as in-scope for
the work.

Adrian



On Tue, Jun 27, 2023 at 11:25 AM Alan Karp <alanhkarp@gmail.com> wrote:

> One item in your list concerns me.
>
>        - an entity, such as the presenter of a verifiable credential, is
> the same entity that the issuer made claims about
>
> Unless you're requiring biometrics, I don't think that's possible in an
> online world in which private keys can be shared.  Perhaps you should say
> "is the same entity or that entity's designated agent."
>
> --------------
> Alan Karp
>
>
> On Tue, Jun 27, 2023 at 4:17 AM Oliver Terbu <o.terbu@gmail.com> wrote:
>
>> Hi everyone,
>>
>> Sorry for receiving this potentially twice. I had some problems with my
>> first email and I couldn't find my email in the archive, so I'm sending
>> this again.
>>
>> I'm seeking feedback on a new CCG Work Item proposal regarding Confidence
>> Method (previously known as Confirmation Method).
>>
>> Please leave your support or concerns here:
>> - https://github.com/w3c-ccg/community/issues/245
>>
>> There was a lot of interest in the W3C VCDM WG on this new extension
>> mechanism as you can see here:
>>
>>
>> https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding
>> .
>>
>> However, we would be looking for new owners of this work. If you are
>> interested in becoming an owner, please indicate that in your comment as
>> well.
>>
>> # New Work Item Proposal
>>
>> The proposal is about defining a new property for the W3C VCDM that acts
>> as an extension point that allows an issuer to include one or more
>> Confidence Methods in a verifiable credential to inform verifiers of
>> mechanisms they could use to increase their confidence in the truth of a
>> variety of things, including the following:
>> - a particular identifier in the verifiable credential refers to the same
>> entity the issuer intended it to refer to
>> - an entity, such as the presenter of a verifiable credential, is the
>> same entity that the issuer made claims about
>> - an entity controls, or has been designated to use, one or more
>> mechanisms for demonstrating proof-of-possession or proof-of-use of
>> cryptographic key material
>> - an entity identified in the verifiable credential can be checked
>> against a biometric
>>
>> See the following ...
>> - https://github.com/spruceid/confidence-method-spec
>> - https://spruceid.github.io/confidence-method-spec/
>>
>> NOTE: The idea was originally to define and add the new property to W3C
>> VCDM 2.0 but the group decided that it would be good to incubate the
>> property in W3C CCG first (in case there is interest). More context
>> information about the latest discussions can be found here:
>> - https://github.com/w3c/vc-data-model/pull/1054
>> -
>> https://github.com/w3c/vc-data-model/issues?q=is%3Aopen+is%3Aissue+label%3Aholder-binding
>>
>> @awoie also presented the idea on a W3C CCG Call. Back then the proposal
>> was still called "confirmation method":
>> https://docs.google.com/presentation/d/1-uPVyl3S-vPvy4HqL6BcjN0xTu9AvqxFfwowqwzcXpo
>> .
>>
>> ## Include Link to Abstract or Draft
>>
>> - https://github.com/spruceid/confidence-method-spec
>> - https://spruceid.github.io/confidence-method-spec/
>>
>> ## List Owners
>>
>> I hope that we find people in the W3C CCG community to own this.
>>
>> ## Work Item Questions
>>
>> > Answer the following questions in order to document how you are meeting
>> the requirements for a new work item at the W3C Credentials Community
>> Group. Please note if this work item supports the Silicon Valley Innovation
>> program or another government or private sector project.
>>
>> 1. Explain what you are trying to do using no jargon or acronyms.
>>
>> How can the verifier trust that the entity, the one the issuer issued the
>> verifiable credentials to, presented the verifiable presentation and the
>> entity did not simply get a copy of the included verifiable credentials?
>>
>> 3. How is it done today, and what are the limits of the current practice?
>>
>> There is no standardized way of how this can be done. Implementers are
>> using Verifiable Presentations but there are a few issues with this
>> approach:
>> - "holder" is non-normative and optional,
>> - unclear who is "holder" when omitted,
>> - "credentialSubject.id" is optional,
>> - issues with no DIDs or in general no identifiers are used,
>> - not implementable in a uniform way
>>
>> Implementers are using something like the following to achieve this goal
>> but note that this would only work for naive cases where the holder and the
>> subject have identifiers that allow the verifier to obtain cryptographic
>> material such as DIDs or public keys in general:
>>
>> ```
>> IF (holder.id == credentialSubject.id
>>   AND hasAuthnMethod(resolve(holder.id), vp.proof.verificationMethod)
>>   AND isValid(vp.proof)) THEN
>>     Print "Holder Binding validated"
>> ```
>>
>> 5. What is new in your approach and why do you think it will be
>> successful?
>>
>> This is the first attempt to standardize this approach in the form of a
>> framework. It will be successful because it is an extension mechanism that
>> can act as a big tent for all such methods that are used in the wild today,
>> e.g., DID-Auth, Anoncreds, etc.
>>
>> 7. How are you involving participants from multiple skill sets and global
>> locations in this work item? (Skill sets: technical, design, product,
>> marketing, anthropological, and UX. Global locations: the Americas, APAC,
>> Europe, Middle East.)
>>
>> This is the result of work started at the last Rebooting the Web of
>> Trust in The Hague, which brought together a number of people from various
>> countries: Austria, Germany, Netherlands, Spain, Norway, Greece, Canada,
>> Italy, and more:
>>
>>
>> https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/final-documents/identifier-binding.md
>>
>> We hope to gather more feedback from the diverse community in the CCG.
>>
>> 8. What actions are you taking to make this work item accessible to a
>> non-technical audience?
>>
>> The specification should attempt to provide a gentle introduction to the
>> topic via a non-technical introduction as well as non-technical use cases
>> with imagery that is accessible to the general population. Since the
>> specification is technical in nature, I'd be curious to learn more about
>> other mechanisms that could be used to make the specification more
>> accessible to a non-technical audience.
>>
>> Thanks!
>>
>> Oliver Terbu
>>
>

Received on Tuesday, 27 June 2023 19:21:01 UTC
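
Added example (not part of the original thread or of the Confidence Method draft): the naive holder-binding check from the quoted pseudocode, run against an honest presentation, a copied credential and a forged proof. The `did:example` identifiers, the in-memory `resolve` lookup, the `present` helper and the proof format (an Ed25519 signature over `JSON.stringify` of the presentation) are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed keys and DID documents; the did:example identifiers are made up.
const alice = crypto.generateKeyPairSync("ed25519");
const mallory = crypto.generateKeyPairSync("ed25519");
const DID_DOCS = {
  "did:example:alice": { authentication: ["did:example:alice#k1"],
    keys: { "did:example:alice#k1": alice.publicKey } },
  "did:example:mallory": { authentication: ["did:example:mallory#k1"],
    keys: { "did:example:mallory#k1": mallory.publicKey } },
};
const resolve = (id) => DID_DOCS[id]; // stand-in for a real DID resolver

// Assumption: the proof covers JSON.stringify of the VP without its proof.
// Real proof suites canonicalize the document instead.
function signingInput(vp) {
  const { proof, ...rest } = vp;
  return Buffer.from(JSON.stringify(rest));
}

function present(holder, vcs, verificationMethod, privateKey) {
  const vp = { holder, verifiableCredential: vcs };
  const signature = crypto.sign(null, signingInput(vp), privateKey).toString("base64");
  return { ...vp, proof: { verificationMethod, signature } };
}

// The three conditions of the quoted pseudocode, plus the gaps the proposal lists.
function checkHolderBinding(vp) {
  if (!vp.holder) return "holder omitted";
  const vcs = vp.verifiableCredential ?? [];
  if (vcs.length === 0) return "no credential presented";
  for (const vc of vcs) {
    const subject = vc.credentialSubject?.id;
    if (!subject) return "credentialSubject.id omitted";
    if (subject !== vp.holder) return "holder is not the subject";
  }
  const doc = resolve(vp.holder);
  const vm = vp.proof?.verificationMethod;
  if (!doc || !doc.authentication.includes(vm)) return "not an authentication method of holder";
  if (typeof vp.proof.signature !== "string") return "invalid proof";
  const ok = crypto.verify(null, signingInput(vp), doc.keys[vm],
    Buffer.from(vp.proof.signature, "base64"));
  return ok ? "Holder Binding validated" : "invalid proof";
}

// Constructed credential issued about Alice, presented three ways.
const vc = { issuer: "did:example:issuer", credentialSubject: { id: "did:example:alice", degree: "BSc" } };
const honest = present("did:example:alice", [vc], "did:example:alice#k1", alice.privateKey);
const copied = present("did:example:mallory", [vc], "did:example:mallory#k1", mallory.privateKey);
const forged = present("did:example:alice", [vc], "did:example:alice#k1", mallory.privateKey);
```

A passing result shows control of a key listed in the holder's DID document; as Alan Karp's reply points out, it cannot show whether that key has been shared.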