Re: [EXTERNAL] [jfraichot@learningmachine.com] Re: VC formats

  *    selective disclosure in SD-JWT/CWT/ecdsa-sd/mDoc is that only the issuer can choose what fields are selectively disclosable

So not to add more confusion in a confused premise, I don’t think that’s entirely true, at least in ecdsa-sd with which I’ve recently played. While some fields are deemed mandatory by the issuer, provided the wallet/selective disclosure UI offers the possibility of selecting fields, the holder has total control over which fields can be selectively disclosed.


From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Date: Wednesday, 20 March 2024 at 06:22
To: Kim Hamilton <kimdhamilton@gmail.com>
Cc: Kaliya Identity Woman <kaliya@identitywoman.net>, Orie Steele <orie@transmute.industries>, W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: [EXTERNAL] [jfraichot@learningmachine.com] Re: VC formats

On Tue, Mar 19, 2024 at 8:20 PM Kim Hamilton <kimdhamilton@gmail.com> wrote:
That comparison matrix is gold, thanks! Spice isn’t there but that did come after IIW.

There’s a lot in there and it seems a bit overwhelming. However I think most of us are necessarily abstracting away from this level, assuming a multi-model/format/etc world, to focus on business value, other aspects of the ecosystem, etc.

As that happens, I think communities like this can play an important role in facilitating understanding of impact of these differences on people.  Exciting stuff ahead!

Kim,

I also want to make it clear that Gordian Envelope is somewhat at a different layer than the other examples (SD-JWT, SD-CWT, ecdsa-sd, mDoc) in that it is more generalized to be useful for any authenticated data, in particular data at rest, and thus is not solely for credential data. Its focus is more on data minimization, and it can be used for health-care data, AI foundation models, business data, other forms of PII, etc. Gordian Envelope can be used for credentials as well, but right now there is no funding to make it aligned with VCDM. Should be possible, but you lose some of the privacy benefits that allow any holder (not just subject-holder, but any holder) more choices for what to selectively disclose, or selectively correlate (another useful property!).

One of my concerns with selective disclosure in SD-JWT/CWT/ecdsa-sd/mDoc is that only the issuer can choose what fields are selectively disclosable, which IMHO they will only do if it is in their interest, which may not necessarily be the interest of the subject, or other holders (for instance, an employer holding an employee subject's credentials may have other needs to elide that are different than the issuer and the subject). One particular consequence of this is that there may be very few fields in a credential that are selectively disclosable. Combined with various approaches for "holder binding", things become even more challenging. There are also some questions about when it is appropriate to do BBS to also anti-correlate signatures — there are cases where it might not make sense. No easy solutions!

-- Christopher Allen
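The two messages above disagree about who controls selective disclosure: the reply at the top says the holder chooses among the non-mandatory fields, the quoted message says the issuer decides which fields are disclosable at all. The following toy is an added example written for this archive page; it is not code from the thread, from SD-JWT, or from the ecdsa-sd cryptosuite. It collapses both formats into one constructed scheme: a salted SHA-256 commitment per claim, an HMAC over the commitments standing in for the issuer's signature (a real issuer signs with ECDSA or similar), and a signed per-claim policy of "mandatory" versus "optional". The function names `issue`, `present`, `verify` and `holder_controlled`, the policy vocabulary, the key and the sample claims are all assumptions made for the example. The point it shows is that both readings are right: the holder picks freely among the optional claims, but the issuer's signed policy bounds that choice, so a policy that marks nearly everything mandatory leaves the holder almost nothing to elide.

```python
"""Constructed toy of issuer-set vs holder-selected disclosure (not SD-JWT/ecdsa-sd code)."""
import copy
import hashlib
import hmac
import json
import secrets

MANDATORY, OPTIONAL = "mandatory", "optional"  # assumed policy vocabulary


def _commit(name, value, salt):
    # Salted hash over (salt, name, value): hides the value, binds it to the claim name.
    return hashlib.sha256(json.dumps([salt, name, value], sort_keys=True).encode()).hexdigest()


def _sign(key, body):
    # HMAC stands in for the issuer's signature; a real issuer would use ECDSA/EdDSA.
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()


def issue(issuer_key, claims, policy):
    """Issuer step. `policy` maps claim name -> MANDATORY | OPTIONAL and is fixed
    under the signature: the issuer, not the holder, decides which claims may ever
    be elided (ecdsa-sd's mandatoryPointers play this role)."""
    if set(policy) != set(claims):
        raise ValueError("policy must cover exactly the issued claims")
    commitments, disclosures = {}, {}
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        commitments[name] = _commit(name, value, salt)
        disclosures[name] = [salt, value]  # handed to the holder, never to the verifier wholesale
    body = {"commitments": commitments, "policy": policy}
    return {"body": body, "sig": _sign(issuer_key, body), "disclosures": disclosures}


def present(credential, reveal):
    """Holder step. `reveal` is the set of OPTIONAL claims the holder chooses to show;
    MANDATORY claims are included whether the holder wants them or not."""
    policy = credential["body"]["policy"]
    unknown = set(reveal) - set(policy)
    if unknown:
        raise ValueError(f"not in credential: {sorted(unknown)}")
    chosen = {n for n, p in policy.items() if p == MANDATORY} | set(reveal)
    return {
        "body": copy.deepcopy(credential["body"]),
        "sig": credential["sig"],
        "disclosures": {n: list(credential["disclosures"][n]) for n in chosen},
    }


def verify(issuer_key, presentation):
    """Verifier step. Returns the revealed claims, or None on any failure."""
    body = presentation["body"]
    if not hmac.compare_digest(_sign(issuer_key, body), presentation["sig"]):
        return None  # commitments or policy were tampered with after issuance
    revealed = {}
    for name, (salt, value) in presentation["disclosures"].items():
        if body["commitments"].get(name) != _commit(name, value, salt):
            return None  # disclosed value does not match the signed commitment
        revealed[name] = value
    if any(p == MANDATORY and n not in revealed for n, p in body["policy"].items()):
        return None  # holder elided a claim the issuer marked mandatory
    return revealed


def holder_controlled(policy):
    """Claims the holder actually has discretion over under a given issuer policy."""
    return sorted(n for n, p in policy.items() if p == OPTIONAL)


if __name__ == "__main__":
    key = b"constructed-issuer-key"  # constructed sample key
    claims = {"id": "urn:example:123", "name": "Alice", "dob": "1990-01-01",
              "degree": "MSc", "gpa": "3.9"}  # constructed sample claims
    # Issuer-led policy: almost everything mandatory, the holder can only hide gpa.
    tight = dict.fromkeys(claims, MANDATORY)
    tight["gpa"] = OPTIONAL
    # Policy pinning only a stable identifier: the holder chooses the rest.
    loose = dict.fromkeys(claims, OPTIONAL)
    loose["id"] = MANDATORY
    for label, policy in (("tight", tight), ("loose", loose)):
        cred = issue(key, claims, policy)
        pres = present(cred, reveal={"degree"})
        print(label, "holder controls:", holder_controlled(policy))
        print(label, "verifier sees:", verify(key, pres))
```

Under the "tight" policy the holder asks to reveal only `degree` and the verifier still sees name, date of birth and the identifier, because the issuer pinned them; under the "loose" policy the same request yields just `id` and `degree`. Real SD-JWT encodes disclosures as base64url triples listed in `_sd` arrays, and ecdsa-sd works over canonicalized N-Quads with JSON Pointers and per-statement signatures; neither is modelled here, only the control split between the issuer's signed policy and the holder's selection.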



Received on Wednesday, 20 March 2024 17:45:30 UTC