RE: About credential transfer mechanisms from Ismael Illán García on 2024-05-14 (public-credentials@w3.org from May 2024)

From: Ismael Illán García <iillan@iti.es>
Date: Tue, 14 May 2024 09:54:39 +0000
To: Phil Archer <phil.archer@gs1.org>, "public-credentials@w3.org" <public-credentials@w3.org>
Message-ID: <PAXPR01MB864657F1EA79E734D9D8763CB9E32@PAXPR01MB8646.eurprd01.prod.exchangelabs>

Hello Phil,

First of all, thank you very much for your response. Your comments are very well-founded, but I would like to make some clarifications to get your opinion.

If DIDs are used to identify the owners of a product throughout its useful life, I don't see the privacy problem. When someone checks this chain, they could see that the product has been resold x times, but they couldn't get much more information from the DID of the previous owners because it may no longer exist. This is assuming that the previous owners have only used a DID for their relationship with the product.
A chain of credentials from one owner back to the previous one(s) back to the retailer is rather privacy-busting.previous one(s) back to the retailer is rather privacy-busting.

I believe that being able to prove that the product you are selling is not a counterfeit has enough value for the seller and it will be in the buyer's interest to be able to verify it. In addition, it will help the buyer to see if they are buying a relatively new product or if it has already had many owners. It would also be possible to demonstrate how old a product is since its first sale.
Plus, you're asking the man/woman in the street to take an action. What's their incentive?

Best regards,
Ismael.
________________________________
De: Phil Archer <phil.archer@gs1.org>
Enviado: lunes, 13 de mayo de 2024 10:26
Para: Ismael Illán García <iillan@iti.es>; public-credentials@w3.org <public-credentials@w3.org>
Asunto: RE: About credential transfer mechanisms

[No suele recibir correo electrónico de phil.archer@gs1.org. Descubra por qué esto es importante en https://aka.ms/LearnAboutSenderIdentification ]

Hi Ismael,

I understand the issue but there are several problems with the solutions you propose, primary among them: privacy and business model.

A chain of credentials from one owner back to the previous one(s) back to the retailer is rather privacy-busting. A GTIN isn't enough (that's a class-level identifier). For this you'd need a GTIN+ Serial number, i.e. an instance identifier. Plus, you're asking the man/woman in the street to take an action. What's their incentive?

The principal problem with the second option is that once a product leaves a retailer, the retailer's business is concluded, except to try and sell more stuff to the same person.

The area where this kind of thing already exists is things like vehicle ownership where there is a central authority issuing documents confirming legal responsibility for a car. For high value items (like $10K handbags) one can imagine the brand running such an ownership scheme but, again, their commercial relationship is really only with the original purchaser.

What you might be able to do, as you suggest, is in making more of the receipt for the transaction. If the digital receipt includes the serialized produce identifier then you'd have proof of ownership that way. I'm sure that could be done in a pseudonymous way.

Phil

---

Phil Archer
Web Solutions Director, GS1
https://www.gs1.org

https://philarcher.org
+44 (0)7887 767755
@philarcher1

On Wednesday, April 24, 2024 9:12 AM, Ismael Illán García wrote:
* Greetings CCG,
* I would like to get your opinion on the transfer/cession of credentials. Assuming, for example, that a credential issued by a store represents product ownership similar to a purchase receipt. The credential would contain information to identify the product (e.g., GTIN) and the owner's DID. In the event of a resale, what mechanisms could be established? In my group, we have raised the following options:

* 1. Utilizing the extensibility property of credentials: The current holder could issue a new transfer credential with their signature, which would reference the first credential. The new owner could then present the chain of credentials from them to the store that sold the product. The main problem with this approach is that previous owners could continue to present their ownership credentials as if they were still the owners.

* 2. The other option would require the participation of the store: Once the first sale of the product has been made (store -> customer). The current owner could request the store to issue the credential again, but for the new owner's DID. To ensure that the current owner does not keep their credential and continue to use it, the store could have a published list of credential statuses, allowing them to revoke it.

*
*
Thanks
*
Ismael.
*
*
*
*
*
*

CONFIDENTIALITY / DISCLAIMER: The contents of this e-mail are confidential and are not to be regarded as a contractual offer or acceptance from GS1 (registered in Belgium).
If you are not the addressee, or if this has been copied or sent to you in error, you must not use data herein for any purpose, you must delete it, and should inform the sender.
GS1 disclaims liability for accuracy or completeness, and opinions expressed are those of the author alone.
GS1 may monitor communications.
Third party rights acknowledged.
(c) 2020.

Received on Tuesday, 14 May 2024 09:54:48 UTC