How much is it reasonable to generalize from the TruAge implementation?

As we saw on Tuesday, TruAge is a milestone in privacy-preserving digital
identity. The design decisions they made are domain-specific for
convenience stores, but the architecture seems more general in many ways.

In particular, we saw:

   1. Witnessed linkage between a deduplicated gov credential and a digital
   identity.
   2. Local biometrics for holder binding.
   3. Separate tokens for each transaction to avoid correlation.
   4. Secure logs to enable enforcement in a specific context.

Taken together, these four elements seem general and maybe essential for
almost any privacy-preserving application of digital identity (standards)
in a witnessed transaction like a convenience store or dispensary purchase.
Sadly, TruAge does not cover the online use of digital identity, but some of
the four essentials will likely apply there as well.

My interest in the TruAge architecture goes back over three years to
suggestions that we treat notarized transactions and the Zener principle
for managing logs as a core use case
(https://github.com/w3c/did-use-cases/issues/102#issuecomment-703943437).

In order of the four elements:

1. The witnessed link between a deduplicated gov credential such as a
RealID driver's license and a digital identity could be strengthened by
using federal postal workers instead of store clerks. Lying to a federal
employee is very risky.

2. The use of local biometrics for holder binding implies the use of a
certified mobile app. What are the best practices for such apps and is the
Open Wallet Foundation a good place to do that work?

3. How centralized does the issue of one-time tokens need to be and what
are the essential standards that will define the context for their issue?

4. What is the general principle for managing contextual logs to ensure
Sybil-resistance as good as the link to a deduplicated gov identity (1.)
without risk of privacy or cross-context surveillance?

Answering these four questions seems essential to adoption of VCs and DIDs.
Dealing with the use of the credential online might then become obvious or
at least more tractable.

- Adrian

Received on Thursday, 9 November 2023 17:13:40 UTC