- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Wed, 10 Jul 2024 09:21:16 -0400
- To: Pascal Knoth <pascal@malach.it>
- Cc: public-credentials@w3.org

On Sat, Jul 6, 2024 at 6:15 AM Pascal Knoth <pascal@malach.it> wrote:

> I am Pascal Knoth, an independent worker,

Hi Pascal, thank you for the work you are doing on revocation mechanisms for VCs. :)

We definitely need better privacy-preserving mechanisms for doing revocation. I read through your spec multiple times and have a few observations and questions.

The use of HOTP is interesting, but I can't quite understand what it is doing. My expectation going into the specification was that this was a privacy-preserving status checking mechanism that would enable the holder to assert their status in a way that is decentralized and didn't require interactions with the issuer. After reading the spec, I feel that my assumptions are wrong, but don't know which ones.

I gather that the issuer has a secret and they use that to issue some sort of HOTP-based token, presumably to the holder? The holder then takes that token and gives it to a verifier? The verifier then uses that token and asks the issuer if it's still valid?

If that's the flow, doesn't the verifier uniquely identify the holder when the check is performed by the issuer? Doesn't this result in even more "bytes transmitted over the wire" than a single status bit in a bitstring?

As you can see, I'm struggling to understand the goals and advantages of the specification. Can you help me understand where I'm going wrong above? We are very interested in more decentralized, privacy-preserving status mechanisms for the VC ecosystem!

Thanks again for the time and care you put into the specification.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Wednesday, 10 July 2024 13:21:55 UTC