Re: When Technical Standards Meet Geopolitical Reality

> I'm trying to say that, in a Verifiable Credential situation, we have attestations by a party capable of making attestations. That the issuer attests to the statement is core to the semantic model. Devices cannot attest.

Ok, here’s probably a use case that helps me understand your position a bit better.

When a user uses a passkey to log in, is it the user making the attestation or the FIDO authenticator?

Is it also the user who's making the attestation when the authenticator is asserting that it's a legitimate authenticator issued by Yubico or Apple TPM, or is it the device manufacturer TPM?

Do the semantics of this change if the site is making the request for the authenticator assertion using an attestation value other than None in WebAuthn in order to get some side effect, such as guarantees about software running on a client's device, and doesn't actually care about the WebAuthn call for the purposes of login?

-Kyle
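As an added illustration of the side effect asked about above (not code from this thread or from any of its participants): the relying-party view of a WebAuthn registration, parsing the fixed prefix of authenticatorData to read the AAGUID and checking whether the authenticator model was actually disclosed. The sample bytes and the AAGUID value are constructed, and the COSE public key is left out of the sample because the parser does not read it.

```javascript
// Added example, not from the thread: what a relying party (RP) learns about
// the hardware from a WebAuthn registration, by parsing the fixed prefix of
// authenticatorData (rpIdHash | flags | signCount | attested credential data).
const ZERO_AAGUID = '00000000-0000-0000-0000-000000000000';

function toUuid(bytes) {
  const h = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

// Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian)
//         | if AT flag set: AAGUID(16) | credIdLen(2) | credId | COSE public key
function parseAuthenticatorData(buf) {
  if (buf.length < 37) throw new Error('authenticatorData too short');
  const flags = buf[32];
  const out = {
    userVerified: (flags & 0x04) !== 0,
    signCount: new DataView(buf.buffer, buf.byteOffset + 33, 4).getUint32(0),
    aaguid: null,
    credentialId: null,
  };
  if (flags & 0x40) {
    if (buf.length < 55) throw new Error('attested credential data truncated');
    out.aaguid = toUuid(buf.subarray(37, 53));
    const credIdLen = (buf[53] << 8) | buf[54];
    if (buf.length < 55 + credIdLen) throw new Error('credentialId truncated');
    out.credentialId = buf.subarray(55, 55 + credIdLen);
  }
  return out;
}

// The site learns which authenticator model it is talking to only when the
// attestation statement format is not "none" and the AAGUID is not zeroed.
// With attestation "none" requested, the client substitutes fmt "none" and a
// zero AAGUID, so a login-only deployment gets a key and nothing about the device.
function authenticatorModelDisclosed(fmt, authData) {
  return fmt !== 'none' && authData.aaguid !== null && authData.aaguid !== ZERO_AAGUID;
}

// Constructed sample: zero rpIdHash, flags UP|UV|AT (0x45), signCount 1, the
// given (hypothetical) AAGUID, a 4-byte credential id, no COSE key appended.
function sampleAuthData(aaguidBytes) {
  const bytes = new Uint8Array(59);
  bytes[32] = 0x45; bytes[36] = 0x01;
  bytes.set(aaguidBytes, 37);
  bytes[54] = 0x04;
  bytes.set([0xde, 0xad, 0xbe, 0xef], 55);
  return bytes;
}
```

A real registration still needs the CBOR attestation object decoded (fmt, attStmt, authData) and the attestation signature chain verified before the AAGUID is trusted; the functions above only show what the RP can and cannot see once that is done.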

On Tue, Aug 12, 2025 at 12:53 PM, Joe Andrieu <joe@legreq.com> wrote:

> I'm trying to say that, in a Verifiable Credential situation, we have attestations by a party capable of making attestations. That the issuer attests to the statement is core to the semantic model. Devices cannot attest.
>
> While it may be useful to have a device sign a thing, so you can have some notion of authenticity, it would be misleading to say that the device is claiming or attesting. That's anthropomorphizing a technical result as if a human did it.
>
> What's far more interesting to me is how we can establish legal accountability through digital records.
>
> So I'm not so much making an assumption about your use case as I am asserting that device-made claims are about as useful as a server log.
>
> In contrast, a claim tied to a legal person as issuer? Now that I can use!
>
> Joe Andrieu
> President
> joe@legreq.com
> +1(805)705-8651
> ---------------------------------------------------------------
>
> Legendary Requirements
> https://legreq.com
>
> On Mon, Aug 11, 2025, 3:16 PM Pryvit NZ <kyle@pryvit.tech> wrote:
>
>> Joe, I think you may be making an assumption I’m not. I’m not assuming the sites are relying on the legal assurances, but rather on the technical assurances as a means of fingerprinting the user.
>>
>> Explaining the impact of this in a consent screen to the user in the wallet or browser isn’t easy either because it’s a technical side effect, not intended for the original purpose of the metadata claim.
>>
>> -Kyle
>>
>> On Tue, Aug 12, 2025 at 9:21 AM, Joe Andrieu <joe@legreq.com> wrote:
>>
>>> Hardware is incapable of fulfilling the role of issuer.
>>>
>>> This remains an area where the VC spec incorrectly states that any "entity" can fulfill a role.
>>>
>>> The role fundamentally gives in the legal culpability for the issuance. A device cannot have legal culpability. A legal person (human or incorporated) can.
>>>
>>> Joe Andrieu
>>> President
>>> joe@legreq.com
>>> +1(805)705-8651
>>> ---------------------------------------------------------------
>>>
>>> Legendary Requirements
>>> https://legreq.com
>>>
>>> On Mon, Aug 11, 2025, 1:06 PM David Chadwick <d.w.chadwick@truetrust.co.uk> wrote:
>>>
>>>> On 11/08/2025 20:32, Daniel Hardman wrote:
>>>>
>>>>> I think the issuer of this verifiable data must be one or more individual human beings.
>>>>
>>>> I think the issuer could be a tamperproof piece of hardware with its own private key that could read a biometric of a human, along with liveness testing, and assert that the entity that just provided the biometric to it is a live human being.
>>>>
>>>> Kind regards
>>>>
>>>> David

Received on Tuesday, 12 August 2025 21:19:57 UTC