Be careful going down this path if you want the credential to be used on the Web at all. If the verifying site can request the assurance that a liveness test occurred and that the system isn’t tampered with then you’ll end up recreating Web Envrionment Integrity guarantees. Many people on the Web were against WEI and it didn’t proceed because of that opposition. Basically, if the credential provides any guarantees about the levels of assurance used to collect the biometrics, liveness test, or device integrity sites will stop caring about the claims in the credential itself (e.g. name) and only the LOA metadata claim. That means a site that needs this probably becomes inaccessible to any OS that doesn’t provide tamper resistant guarantees which is basically Linux based OSes. -Kyle On Tue, Aug 12, 2025 at 8:05 AM, David Chadwick <[d.w.chadwick@truetrust.co.uk](mailto:On Tue, Aug 12, 2025 at 8:05 AM, David Chadwick <<a href=)> wrote: > On 11/08/2025 20:32, Daniel Hardman wrote: > >> I think the issuer of this verifiable data must be one or more individual human beings. > > I think the issuer could be a tamperproof piece of hardware with its own private key that could read a biometric of a human, along with liveness testing, and assert that the entity that just provided the biometric to it, is a live human being. > > Kind regards > > David
Received on Monday, 11 August 2025 20:51:02 UTC