RE: Verifiable Barcodes

Thanks Manu.

I've replied to your helpful comments in the repo https://github.com/w3c-ccg/community/issues/248#issuecomment-2140250277


Phil

On Thursday, May 30, 2024 3:43 PM, Manu Sporny wrote:
On Thu, May 30, 2024 at 4:54 AM Phil Archer <phil.archer@gs1.org> wrote:
> the "Verifiable Barcodes" title is misleading and inaccurate.

Alright, let's change it. Clearly, if the "barcode people" (GS1) have concerns with the name, we should take those concerns seriously. :)

Thanks for raising the concern in the issue. I've responded there, but also want to draw the renaming discussion more directly into the CCG in the event that someone else has a useful suggestion for a rename.

> Within the world of barcodes and RFID tags (Automatic Identification and Data Capture, AIDC), verification means verifying that the data carrier meets the standard (the PDF417 standard, the QR Code standard, the RFID Gen 2 spec etc.). That means that the bars/modules are the right relative size, there's the correct white space around it and so on. That's not what you mean by "Verifiable Barcodes" (in AIDC terms, all barcodes are verifiable).
>
> Barcodes and RFID tags contain simple data. They are neither secure nor insecure. They're as secure as a Post-It Note.
>
> The security and the verification of the data comes in the software that reads and processes the data. A bad actor can create an application that reads a 2D barcode that contains a VC and then present the user with false information. That is, it deliberately ignores or misrepresents the data it has read. It just recognizes that it has scanned something and then it acts in whatever way it wants.
>
> Finally, there's nothing in the 2D barcode that confirms that the code is an electronic version of the other info printed on the physical item. That's the world of secure printing, holograms, special inks and all that. Without secure printing, you can have a genuine PDF417 code on a fake driver's license.
>
> In the sense of the proposed work item, it's not the barcode that is verifiable. It is simply that a VC is encoded within a 2D barcode and therefore its payload can be verified with the appropriate software. There are good reasons for doing this. But please don't call it a Verifiable Barcode. It's a VC in a barcode.

Hmm, I get what you're saying but wonder if there is one detail that's missing.

The VC that's embedded in the 2D barcodes (PDF417 or QR Code covering an MRZ) does cover information that is contained on the printed card.

For PDF417, the PDF417 fields are secured via the digital signature in the VC.

For MRZ, the QR Code covers the entirety of the printed MRZ information.

In both cases, the VC embedded in the barcode secures both information in the barcode as well as information that is printed on the physical document. I don't know if that's evident from the proposal?

> Therefore, I would strongly urge you to rename this to something much closer to "Encoding Verifiable Credentials in 2D Barcodes".

It goes a bit beyond the title you're suggesting, as described above.
Given the further detail I've provided above, would you provide another suggestion for the title of the document? To be clear, given your reaction (and your background), I expect others to have the reaction that you had AND we don't want that, so we do need to rename.

Some alternates:

* Secure Barcodes
* Securing Barcodes using Verifiable Credentials
* Verifiable Credential Barcodes
* Barcode Credentials

Do any of those resonate? Does anyone else on here have other suggestions?

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/

Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/



Received on Thursday, 30 May 2024 16:57:12 UTC