[MINUTES] CCG Weekly 2025-08-19

CCG Weekly Meeting Summary - 2025/08/19

*Topics Covered:*

   - *Administrative Matters:* Reminders on code of ethics, contributor
   license agreements, upcoming events (Identity Week, APAC call series,
   Verifiable Credentials Working Group meetings), and updates on work items.
   - *Threat Modeling Community Group (TM-CG) Presentation and Game:*
   Simone Onofri, Amir Sharif, and Zahra Ebadi presented their work on threat
   modeling for the Digital Credentials API. The presentation included
   definitions, taxonomies, and a walkthrough of a threat modeling game using
   the LINDDUN framework.
   - *Digital Credentials API Security:* The group discussed various
   threats related to the Digital Credentials API, including:
      - Issuer impersonation and trusted list compromise.
      - Wallet device loss and credential revocation.
      - Presentation replay attacks and expired/revoked credential usage.
      - Detectable service usage and mitigation strategies (TLS, etc.).
      - Identifiers in data requests and the need for session-specific
      identifiers and data minimization.
      - Improper data lifecycle management, including the risks of
      non-auditability at scale and the unintended consequences of
      data retention requirements.
      - Insufficient access to personal data by data subjects.

*Key Points:*

   - The TM-CG used a game-based approach (LINDDUN framework) to
   interactively identify and discuss threats.
   - Participants highlighted numerous security and privacy risks
   throughout the Digital Credentials API lifecycle (issuance, presentation,
   verification).
   - The importance of mitigating threats through robust revocation
   mechanisms, session-specific identifiers, and secure data lifecycle
   management practices was emphasized.
   - The group recognized the challenges of auditability at scale and the
   potential for regulatory requirements to inadvertently increase data
   retention and privacy risks.
   - The need for continuous iteration and flexibility in threat modeling
   and remediation was stressed, acknowledging that attackers may find ways to
   bypass even well-designed models.
   - A follow-up session was planned to continue the threat modeling game.

Text: https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-weekly-2025-08-19.md

Video: https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-weekly-2025-08-19.mp4
*CCG Weekly - 2025/08/19 11:57 EDT - Transcript*

*Attendees*

Alex Higuera, Amir Sharif, Benjamin Young, Chandima Cumaranatunge, Dmitri
Zagidulin, Erica Connell, Geun-Hyung Kim, Greg Bernstein, Gregory Natran,
Harrison Tang, Hiroyuki Sano, James Chartrand, Jeff O - HumanOS, Jennie
Meier, Joe Andrieu, John K. Lindstedt, Jonathan's Notetaker, Kaliya
Identity Woman, Kayode Ezike, Leo, Mahmoud Alkhraishi, Manu Sporny, Otto
Mora, Parth Bhatt, Phillip Long, Przemek P, Rob Padula, Simone Onofri, Ted
Thibodeau Jr, Vanessa Xu, Venu R, Will Abramson, Zahra Ebadi
*Transcript*

Simone Onofri: Hello.

Harrison Tang: Hello. Hey,…

Harrison Tang: thanks for taking the time to join us.

Simone Onofri: Thanks. Also, there were already Amir and Zahra. So we're
going to do this thing all together.

Harrison Tang: Amir, hey Zahra, thanks for jumping on.

Harrison Tang: Thanks a lot.

Zahra Ebadi: Hi. Okay.

Simone Onofri: So because of course there will be threat modeling community
group…

Simone Onofri: but also a lot of work in the security interest group because at
the end the groups are interlinked. So there's still a lot of job to do for
identities and…

Simone Onofri: credentials. better than me.

Harrison Tang: No, this is great.

Harrison Tang: Yeah, the more people the merrier,…

Harrison Tang: So, it's good.

Simone Onofri: Yes, there was also this song by Genesis like too many men's
too many problems.

Harrison Tang: I'm pretty sure you got a great leadership. So, I'm pretty
sure the things are going okay.

Simone Onofri: Yes. Yes.

Simone Onofri: So as we say that our mission is try to make the world
secure or less vulnerable.

Harrison Tang: It's going to get harder and…

Harrison Tang: harder as this world will include not just humans… but
agents down the road, right?

Harrison Tang:

Simone Onofri: Yeah, if we had a nice discussion today at seeing about
identities and…

Simone Onofri: agent identities with human credentials inside and so I have
a pretty strong opinion on this that at the end also now we are techniated
to use a term that I learn in criminology. so also it's always an agent at
the end the different thing like an agentic AI I don't know is not
deterministic agent so we are more randomness and is not always

Harrison Tang: Yeah, actually we got the Cisco people who's building the
internet of agents agency.org.

Simone Onofri: Mhm. Yeah.

Harrison Tang: So we got them to actually share their work in October 21st.
So if you're interested, just join.

Simone Onofri: Yes. Yes.

Harrison Tang: Yeah. Yeah.

Simone Onofri: Yes. For Something. Mhm.

Harrison Tang: And then MIT also has something the NANDA right and then I'm
trying to get the Google A2A agent to agent protocol people here too.

Harrison Tang: So all right so we'll start and…

Simone Onofri: Okay. Yes. Yes.

Harrison Tang: then we'll go through some administrative stuff first and
then we'll jump right in to today's topic. So first of all just welcome
everyone and thanks for joining our W3C CCG call today and today we're very
excited to have Simone, Amir and Zahra here to talk about the threat modeling
community group and their latest work. But before then, just a quick reminder
on the code of ethics and professional conduct. Just want to make sure that
we have the great respectful and constructive conversations that we always
have. Anyone can participate in these calls. However, all substantive
contributions to the CCG work items must be by members of the CCG
with the full IPR agreement signed.

Harrison Tang: So if you have troubles getting the free W3C account or the
contributor license agreement feel free to reach out to any of the co-chairs.
these calls are automatically transcribed and we will send out the
transcription the video and audio recording automatically in the next 24
hours. I just want to take a quick moment for the introductions and
reintroduction. So, if you are new to the community or you haven't been
active and want to engage, feel free to just unmute or use the raise hand
feature in the Google Meet. All right. quick moment for the announcements
and reminders. So, any announcements reminders?

Harrison Tang: Manu, please.

Manu Sporny: Yeah,…

Manu Sporny: just a quick one from incubation. the verifiable credential
working group has started meeting again after the summer. we're just
meeting once a month for doing maintenance mode stuff. but we've been
incubating specs in this group and we need to hand it over to that group
which means that we need to publish final community group specifications.
So, just a heads up to the chairs that we're going to need to do that, in
the next couple of weeks. I can be in touch over the email list to mention
what we need to do to do that. render method and confidence method are
going to be the two that we need to do. first, which are ready, they've
been incubated. They're ready to be handed over. and then as for the rest
of the meetings, we will continue to meet this week.
00:05:00

Manu Sporny: we're meeting on verifiable credential API which the
specification might be renamed to credential life cycle management and then
we are going to meet to incubate more on the verifiable issuers verifiable
verifiers kind of trust list stuff on Wednesday so just a heads up that
those meetings are happening this week that's

Harrison Tang: Sounds good. Thanks, Manu. yeah.

Kaliya Identity Woman: Hi folks. Really important information. Since last
time I told you all about IIW, there was a mistake made by our venue, the
Computer History Museum, and the dates have shifted a week earlier. So, IIW
is October 21 to 23 in Mountain View, California. And we're very sorry if
this caused any problems in your travel plans, but mistakes apparently
happen. So, anyways, now Thanks,

Harrison Tang: Sounds good. Thanks.

Will Abramson: Yeah, I could just briefly say, I'm sure you saw the email,
but on the 3rd of September at 10:00 a.m. my time, so 10 a.m. UK time,
we'll have an hour call to talk about the APAC call series that I'm hoping
to run in October. So, if you're in the Pacific region or really
Asia-Pacific or EU regions, and you care about this, it would be great to
see there cuz, we're just going to be talking about stuff like what do we
want to talk about and, when might that call take place in October. So, no
worries if you can't make it.

Will Abramson: And we have got a bunch of people who replied to the doodle
poll, but just to let you know.

Harrison Tang: Sounds good.

Harrison Tang: By the way, have you put that in the W3C calendar or not yet?

Will Abramson: Yeah, it's on my calendar. I put it in the 3rd of September,…

Harrison Tang: Okay.

Will Abramson: 10 a.m. my time. So probably is in your morning at 2 am,
Harrison.

Harrison Tang: We got it. Okay.

Harrison Tang: I don't see that in this link at least. Not yet. Okay, I'll
follow up with you. I'll try to put that in the calendar. So, we have a lot
of events in the CCG. so, not just the main call right now, but also the
incubations and promotions on Wednesdays, the crypto stuff on Fridays and
data integrity on Fridays, VCAPI, and now the APAC call.

Harrison Tang: And of course there's VCEDU as well. So, it's a little bit hard to
follow all the events. So, you can just go to this link to actually …

Harrison Tang: and then put that into a calendar if needed. All right,
Will. Mhm.

Will Abramson: Yeah. Yeah.

Will Abramson: You just reminded me I was talking to Joe yesterday and you
talked about the VCEDU. I don't know if there's anyone on this call who's
from the VCEDU, but I don't really know what goes on in the VCEDU world.
And it's just a flag. I would love to hear from you guys. And I think our
next quarterly review is at the end of the month. I think ours is the 30th
of September. That's a Tuesday. So just to flag, we would love to hear what
you're doing. So please try and…

Dmitri Zagidulin: I could…

Will Abramson: make that call and be prepared to speak to us about it.

Dmitri Zagidulin: if I could jump in. So that might not be the best call.
VCEDU has, in traditional education fashion, been on break during the
summer since most of the folks that…

Dmitri Zagidulin: since most of the members are on vacation and so So we'll
be reconvening in September.

Will Abramson: Sure.

Will Abramson: Okay. …

Will Abramson: maybe between when you reconvene, you could just let
everybody know we've reconvened and we're starting up and this is long we
have four times. That would be cool. Cheers.

Dmitri Zagidulin: Yeah, we'll do.

Dmitri Zagidulin: We'll do.

Harrison Tang: Sounds good. All Any updates on the work items? All right. a
quick last call for the introductions, announcements, reminders, work or
work item related stuff. All right, we got a great big party here.
00:10:00

Harrison Tang: So, let's get to the main agenda. So, again, we're very
excited and big thanks to Simone, Amir, Zahra here to actually talk about
and present their work at the threat modeling community group. So, Simone,
the floor is yours.

Simone Onofri: Okay, thank you.

Simone Onofri: I am trying to share the screen which is the most difficult
part of the job today. So I'm giving also you the link of the presentation
on the chat if you like to see and anticipate the things. Welcome and also
thank you also that Amir and Zahra are here. This will be an
interactive session.

Simone Onofri: So we'll try to be as quick as possible to have this online
version of a game which is LINDDUN, and probably because we already played
this game in Geneva all together, we played also another time in the last
IIW, that was a session with a similar approach, even if you're going to
experiment now the one in the virtual way. And of course we are from the
security interest group and we are working in credentials since a lot
of time, and in particular also Amir and Zahra have a lot of expertise
also on the European wallet.

Simone Onofri: also working with the government on shaping these kind of
topics and we are also working on the digital credentials API security
consideration sections with a lot of discussion within the group but also
within us that's because we would like to hear from you some feedback
opinions that can help us to help also for our standards to make the right
security decision and privacy decision. so we will trying to be quick on So
this will be our agenda the short introduction about some definition or
taxonomies and then we'll start playing the game.

Simone Onofri: So that understanding what are we working on, what can go
wrong, what are we going to do about it and if did we do a good job. the
introduction just a few definition just updated thanks for a long
discussion with Joe on this topic. So threat modeling is a process about
defining a system model which is the scope and then we are going to
identify the threats and the resulting attacks and also trying to address
them through responses and in particular the most important part of this
job if is the revalidation or iteration on this. So it's a never ending
story.

Simone Onofri: To do this game we are going to use the process proposed by
Shostack, which is a very simplified process. Threat modeling was born and
used in a military context. So it has a long history and this is the
simplified version but really effective. So we are working on: what are we
working on? Defining the system model, and we have just a model for the
digital credentials with a focus on the web of course. What can go wrong?
So finding attacks and threats, and we also have an example of some threats
already identified to inspire you. And then we are going to play the game.
Then also we will have another phase. What are we going to do about it?

Simone Onofri: Because it's good to find threats, and in particular on
privacy it's really simple to find threats, most difficult to find
mitigations and good responses, and then we are going to iterate again on
what are we working on. So just a quick point: who already knows the digital
credentials API? Just raise your hand, to understand which kind of level of
detail. I see there are few. So maybe we can just try to start this video
if it's working. If it's not working, we can try to push another
button.
00:15:00

Simone Onofri: So this is how we are presenting credentials on the web.
It's loading. The question is that there was a lot of discussion about
presenting papers and credentials on the web. the approach is to use the
browser to mediate this communication and that first for presentation but
there is also in the scope of our charter is also for issuing credentials.
So we have the full cycle. So there was this click on a website which is
asking for family name given names and other things.

Simone Onofri: There will be a first message asking the user, hey, are you
trusting this specific website for sending your data? And if the user
clicks continue, there will be another window. these windows comes from the
wallet which is connected through a platform API. So we are talking about
operating system and saying okay you have your driving license in your
wallet and you have this nice dot to for having a different wallets for
example with your family name give a name and maybe if you can just for
example drink alcohol or these kind of things and on the other side when we
confirm that will be the official button to present the credential.

Simone Onofri: the control is passed to the wallet with all the additional
checks maybe also some duplicate checks and if you're happy we can just
push the share button that will be the authentication part on the wallet
and then of course we can see finally on the website our credentials and
that's all it's from also API perspective there are a few calls it's not
the web is pretty simple but implications are important so just to
summarize we have the first screen with this prompt asking if you're sure
we would like to share then that will be the wallet selector then we will
have the control to the wallet

Simone Onofri: that is confirming also because we have a trusted region on
who is asking for credentials and then at the end the presentation on sent
to the website. This is also at the end our not swim lanes. Okay, this is
just a diagram. so the process is to the user clicks on the link that
requires the website create the request of the presentation of the
credential. then of course the user is going to talk with the wallet
selecting the correct wallet the correct credentials they would like.

Simone Onofri: then it's going to be so sent using the browser to the
website another point is really important we are including in our
discussion because we think there can be a lot of threats in the
verification of the credential even if it's something managed not by the
browser itself. It's not valid by the browser but it's something between
the verifier and the issuer sometimes depends on the protocol on the
credential on the technology used and other interesting things and then of
course if we provided the credentials the website wants finally we will
have the access to these results. so we prepared a lot of diagrams to
understand so quoting also the agents meet from matrix if someone is old
like me.

Simone Onofri: The nice thing about it is there are a lot of me and that is
why we have a lot of diagrams. And another diagram is more for representing
the initial structure, also the one that was designed by Tim Cappalli, which
is one of the editors of the Digital Credentials API, and also trying to
capture a lot of items like the issuer, the wallet, the browser, the app,
the OS platform, and all the things, also made by just mixing the DC API
diagram with the verifiable credentials diagram. So we love to create models
and also in the presentation we used the elements in a verifiable
presentation by W3C of course. So there was data model, identifiers, the
encoding, vocabularies, format, signatures and cryptography.
00:20:00

Simone Onofri: So a lot of things and this is one of the points of threat
modeling. So all models are wrong but some are useful. So maybe you have
another diagram. If you have a diagram better than our diagram please send
it to us. We are really happy to work with other diagrams but our focus is
having a diagram which is useful to play with. So now we are going to play
finally on what can go wrong and we are going to use LINDDUN, which is a
framework with a list of threats about privacy: linking, identifying,
non-repudiation, detecting, data disclosure, awareness and non-compliance.
If you're curious you can just search on the internet for this framework or
we will have virtual cards.

Simone Onofri: If you are around also a tea or something, you will also
find us with the physical cards. So we can also play the game al together
physically. I think this is also suitable for poker or other games. So we
can mix the two games. of course now we are doing a serious game is
something scientifically proven that can be useful for brainstorming and
for thinking about new topics and this can facilitate the brainstorming
along along with knowledge and so on.

Simone Onofri: so for the rules of the game so you will find inside the
slides the digital deck that we prepared with some threats we would like to
focus today. And then we cannot ask Zim to pick a victim sadly. so we'll
have 30 participants. We have a random.org just configured picking our
victim manually So we can just find someone that would like to as the first
chance to think about this card and we are going to document this threat.
So this will be an official resource of threat modeling community group and
the bonus points if you're able to find also a good mitigation for this and
also then to fight for this mitigation which is the most complex part. So I
already talked a lot so this is for you.

Simone Onofri: So this is a part of our threats already identified.

Zahra Ebadi: Thank you Zim. So do you hear me?

Simone Onofri: Loud and clear.

Zahra Ebadi: So thanks Simone again for presenting the model. So we have here
the credential issued and presented on the web model. But at every step of
this flow from the issuer to the wallet and the verifier there are attack
points that need to be discovered using our threat modeling. So here I
have just highlighted some of the main threats that can happen in this
ecosystem.

Zahra Ebadi: Regarding the issuance side where we have this issuer, for
example we could have this entity impersonation where an attacker tries to
impersonate an issuer and issue a fake credential, for example to a user using
a wallet in our ecosystem. So from the threats that we can also put in this
category allowing this issuer impersonation to happen, or trusted list
compromise, where an attacker tries to poison the trust anchor and register
a fake issuer itself as a legitimate issuer.

Zahra Ebadi: So this is a kind of threat that we have in this part. Or for
the wallet we can consider device loss. So when a user loses his device, it
can be used by any attacker, any person that has access to his device, to
share his credential and obtain access to the services by his credential,
impersonating the user in this case. And for each of these kinds of threat we
can also assume the responses: it could be a kind of wallet revocation
that we expect from the wallet provider to provide this functionality, or it
could be revocation of the user credential that is stored in the wallet.
00:25:00

Zahra Ebadi: From the presentation part we can consider for example a
presentation replay, when an attacker steals a user credential in a
presentation and tries to use it in his session. Binding methods are kind of
useful here to prevent this kind of threat. And if I want to give another
example, we have also an expired, revoked or stolen credential being used for
the verification on the verifier side. So it's important to always be
validated by the verifier before accepting a presentation for access to
services.

Zahra Ebadi: So I guess it's enough from my side and I can give the floor
to continue. So we've already given an intuition of how it works. So probably now
we can start playing the game if you all agree.

Zahra Ebadi: So if everyone let me put the link in the chat. So we can
start with selecting the first card and then with the help of the random
number generator we can have our first victim. So

Simone Onofri: Okay, just picking the first card is this one detectable
service usage and okay we are 33 plus considering it also AI agents so
maybe they can talk so We can have the third one. One, two, three. So,
Dimitri, you're the first one. Any idea on this card?

Dmitri Zagidulin: Detectable service usage. all right. So assuming we have
TLS connection, Assuming we have encryption in motion, communication will
not be able to be observed externally. inferred from observe communication.

Dmitri Zagidulin: same with the interaction is between the relying party
the operating system browser and the wallets. So no can't be observed by
other wallets as well because they register the query with the operating
system. So they're not notified until the user selects. What else?
observing communication tele medicine serve. okay yeah so what else can be
observed there is one of the other actors is the revocation endpoint.

Dmitri Zagidulin: So then we have all the usual considerations on how to
mitigate sort of phone-home sort of threats with revocation endpoints. So
we have a class of mitigations for those, including batch issuing, caching,
use of trusted parties as the revocation endpoint in the first place. We
have the alternative revocation mechanisms such as handing out revocation
credentials. We have the mechanisms of not using revocation and instead
doing shorter expiration periods. A threat: revocation mechanism. Threat
description: if using an external revocation service, hold on.
00:30:00

Zahra Ebadi: Excuse me.

Dmitri Zagidulin: So yeah service the relying party when verifying would
fetch revocation list and…

Simone Onofri: Yes. Okay.

Simone Onofri: I'm just taking some random notes of course, but I will take

Dmitri Zagidulin: therefore notify the revocation service at very least
time stamp and…

Dmitri Zagidulin: IP address. Right. mitigation there's a bunch.

Simone Onofri: That's right.

Dmitri Zagidulin: So specifically the revocation mechanism has been a
subject of a decent amount of threat modeling in this group. All Run night.

Simone Onofri: Yes, there was a lot of discussion. thank you for being the
first victim. And okay, just say saved.

Simone Onofri: Thank you, so you already understood the power of this card.
There were a lot of questions. So it's not only thinking about
detectable service usage but there was also a lot of input for brainstorming.
So thank you. Anyone else has other ideas about detectable service usage?

Harrison Tang: On

Manu Sporny: Yeah, I guess even with TLS usage,…

Manu Sporny: I would imagine that a network provider would be able to know
when a holder is interacting with the verifier especially if you're using
any kind of protocols like OID4 anything that opens up HTTP connections and
VC API also falls into this category. you would see someone making a
connection to a verifier and potentially that there's some kind of
relationship going on there.

Manu Sporny: So if you had information on the individual's IP address which
we can go and buy on the open market then you would be able to understand
that they are engaging in a certain type of verification with the website
and then that would allow you to determine that they're probably engaging
in some kind of business process like age verification on an adult content
site.

Manu Sporny: You would be able to detect that pretty easily.

Simone Onofri: Okay. Thank you.

Simone Onofri: I think also it's interesting because there was the age
verification regulation up and running in the UK. So maybe we should get a look
on how the real world is reacting to this threat. Probably not so good, but
I still need to look. Okay, Amir, are you happy or can we change the card
or Okay.

Zahra Ebadi: Yeah, I'm happy. So, we can go from

Simone Onofri: Previous card. I'm going to this one identifiers in data
request and I'm picking again a new number even if now we are 28. Generate
number seven. Why slower numbers? So one 2 3 4 5 6 7.
00:35:00

Simone Onofri: Okay, we have sorry for bad pronunciation. It's mixing
Italian, English and other languages. If you have some ideas about this

Simone Onofri: Okay. Or okay. I see.

Harrison Tang: Yeah, I by the way even if it's randomize right if you
actually keep using it even if it's a let's say a hash…

Harrison Tang: if you keep using it constantly at some point becomes
identifiable right so I mean the only solution is just to basically rotate
it isn't

Simone Onofri: Yes, this is a really important threat.

Simone Onofri: Also because if you're using something maybe random
anonymous but reusing it should be an issue and…

Simone Onofri: also because we are always using identifiers also within the
ID or something. So it's an important point

Harrison Tang: Yeah, I guess my point is that let's just say…

Harrison Tang: if it's a email address or let's say social security number,
even you if you keep using that hash forever, I mean that hash can be
identifiable, via rainbow attacks at some point, right? So,…

Simone Onofri: Okay, I'm far.

Harrison Tang: the only solution is to rehash it, and not use it
permanently.

Harrison Tang: Please

Will Abramson: Yeah, I mean I was just going to say the obvious identifiers
in this case we're exchanging that credential contains data that is
typically identifiable like a name or…

Will Abramson: anything like that right so just being aware of what you're
requesting from the person that you're identifying how that identifies them
I suppose

Simone Onofri: Which can be the name of the threat?

Zahra Ebadi: Thank you.

Simone Onofri: of PP personally didn't know which is the cory.

Zahra Ebadi: Yeah. Heat.

Simone Onofri: This can be interesting to find a solution for this,
because the only thing I'm thinking about in cryptography was something like
using homomorphic encryption. Okay, I'm not a cryptographer.

Simone Onofri: But that there was probably something that can be used for
but maybe not user for sharing this kind of strings.

Zahra Ebadi: I would say in the credential level maybe in a state of
sharing the claim values you can use sodiums…

Simone Onofri: I don't know.

Zahra Ebadi: and then there was another interesting point that highlighted
in the chat so maybe we can add that as

Zahra Ebadi: And in the credential level we have also this revocation index
which we have in the status list protocol. So this is also a point of linkability.

Simone Onofri: Okay, I'm
00:40:00

Otto Mora: Yeah, I was thinking also session specific identifiers to
counteract things like that,…

Simone Onofri: Yes, this is I think a really complex issue to work on.

Otto Mora: but yeah.

Harrison Tang: Yeah, I would add that the session specific identifiers
basically akin to what I was saying earlier which is like you will take the
identifiers right you don't have a permanent identifier same thing with
what Apple is doing right so instead of device specific identifier I think
it's app specific and you change the apps like the identifier changes so
you don't have a permanent identifier

Simone Onofri: Okay, great. we can try to pick another improper data life
cycle management or this is also connected to the things probably that manu
was saying before will just so we are 24 so the probability with the gistas

Simone Onofri: Pyth I think it's lower numbers interesting on my is two
three five okay there was okay I would like to say Kim which is the name
I'm picking from my is it Yung for the bad pronunciation. Or anyone else
also that would like to discover some threats in this

Simone Onofri: Okay. Har is on.

Harrison Tang: Yeah, I think this one sounds like one of the biggest
threats, right? Because at the end of the day, it feels so broad because
the issuer, right, the verifier, even the holder, I mean, I'm guessing the
big platforms or wallet providers, they're probably privacy experts and
security experts. So probably less, but issuers and verifiers companies can
have lapses right in their data storage and…

Simone Onofri: Mhm.

Harrison Tang: security there's no perfect security and most companies they
are not very familiar with they just check the box on security right they
don't really understand what security means so they're like sure you can
secure let's say there's 50 databases you has secured 49 of them, but one
of them can be compromised because they use stupid Default passwords for I
mean I'm not sure if anyone does that anymore, but my point is that this is
probably one of the biggest threats because at the end of the day anyone in
this ecosystem can actually have security lapses and write a surface to
basically attacks.

Harrison Tang: So yeah,

Simone Onofri: Yes, I think this is just to drop another idea.
00:45:00

Simone Onofri: I don't know if it's just related. So, Amir, Zahra, block me
if I'm just going in this rabbit hole. But on the social I was looking also
that there was this idea at least in the European architecture about the usage
of cloud hardware security modules and there was this nice motto, so
just because I love to quote things, there was this meme: if the private
key is not on my device this is not my

Simone Onofri: coin and I don't know if this relates also to this kind of
threat but I think is also as you say something is wide so we can have in
each part of the life cycle and for each actor and this is important

Harrison Tang: Manu.

Manu Sporny: Yeah, plus one to what both Harrison and Simone have said so
far. I think there's also, improper data life cycle management. I think
currently there's this presumption that people are going to be able to
improper usage at scale, right? it's hard to understand exactly how that's
going to work. So, for example, let's say that somebody receives an MDL and
they said intent to retain. or even if they say, they don't have an intent to
retain, you have no idea what that system's actually going to do with the
data once it gets it, and even, accidentally things show up in log files,
they get stored to databases, they get written to disk and, accidentally
not deleted.

Manu Sporny: and so I think one of the problems with the improper data life
cycle management is that a threat is non-auditability at scale. meaning
that if these digital credentials get very useful that means that many
websites are going to start consuming the data and may have to make copies
like we're telling people don't do that and that sort of thing but it's
nearly impossible to audit whether or not an organization is doing proper
data life cycle management and if

Manu Sporny: and the only way to really prove that is to audit the
organization which then requires enormous amounts of money and effort to do
it and…

Manu Sporny: even then the auditors might not be able to find the one out
of 50 databases where the information ended up where it shouldn't have been
placed. So I think in improper data life cycle management there's a risk
here that is the threat is non-auditability at scale.

Simone Onofri: yes I like your approach and…

Simone Onofri: also to add another point on the data life cycle management
is also about the human prep.

Simone Onofri: So there was so in the life cycle if we have the human in
the loop and maybe we don't have enough controls because if all the things
are technically secure but it was just a person not doing their job or
something else. This can be problematic in particular if we are talking
about. So even if of course there was already documented threats that
people able with corruption to generate false documents and maybe without
proper life cycle management we can have this problem amplified I would
like to say and yes I don't know if this good part so this should be also
implemented in a

Simone Onofri: regulation or having some services for verifying also have
audit functionality in the protocols and in the standards but also maybe to
enforce this through regulation

Harrison Tang: Manu, please.

Manu Sporny: I think there's another yes a plus one to that Simone I think
there's another risk here where if you do so just to be clear I think
intent to retain is probably a really bad idea there's this flag that you
can set when you're consuming things like mDL mdoc there's some suggestion
that we would want an intent to retain flag when you request something
there's a danger
00:50:00

Manu Sporny: there one it's not auditable at scale as you know I mentioned
the other thing is that sometimes when in regulation you require
auditability you drive the market to start overcollecting information right
so if you say European regulation says that you will be audited and you
have to prove that you received a driver's license or national ID card at
this point in time, all of a sudden the posture of the organization that's
collecting the information changes from we're just going to check it and
we're going to throw it away and what we're going to do is we're going to
record that we checked it. We got a valid national ID and that is our audit
log.

Manu Sporny: If regulation pushes them further, then all of a sudden you
push organizations into having to retain the data and…

Simone Onofri: Yeah. Mhm.

Manu Sporny: storing the entire digital credential. And that is a much
worse privacy posture to push for example the European Union And so I think
there is a regulatory risk here that if there is one intent to retain might
not be the best idea. and then two audit log proof beyond just we check the
information using a conformant processor and we got a good result. If you
are unclear about what needs to be retained then organizations will
overoptimize to just write everything to a log or a disk which then harms
privacy. and increases the possibility of PII compromises in the future.

Simone Onofri: I was not thinking at the residual threats about this
solution and probably Europe we should think also because GDPR is already
mandating some data retention things and auditability but also trying to
use data minimization on these things.

Simone Onofri: so I'm not a lawyer just to clarify but for sure it's we
need caution on this. Thank you for the discussion. maybe we have the time
for another card. this is Insufficient access. So, data subjects do not
have access to their personal data.

Simone Onofri: Just we can try to pick number two. It's Benjamin Young. Any
ideas on this or also someone else?

Benjamin Young: Certainly from a privacy perspective, this one's huge. But
trying to think through it from a security side.

Benjamin Young: I do think it probably pivots on the legal rights given to
both the thing creating the data and the entity about whom the data is
created. And depending on which jurisdiction you're in,…
00:55:00

Benjamin Young: those might fall different ways.

Simone Onofri: Yes, I think is huge also as I agree with you that can be on
the whole life cycle.

Simone Onofri: I don't know if it makes sense to you, but I was thinking
for example that I'm playing with my mobile driver license and for some
reason the wallet will be deactivated by the government and…

Simone Onofri: if I remember is some kind of feature we have in Europe and
I cannot access my data.

Simone Onofri: And in particular, if they want to put also the payment
things in the wallet, make a revoke my wallet with also some digital
currency inside. Sorry, I was just thinking about Yes,…

Benjamin Young: Yeah. Yep.

Benjamin Young: So the governments in those cases prioritize themselves
over their constituents which end is a security risk for you and they might
see it the other I think it's a security risk regardless if that's a
reasonable way to say but the perspective of who's at risk is different.

Simone Onofri: this is another huge threat.

Simone Onofri: So probably we are less happy about the digital credentials
There was also interesting discussions into the chat and okay so I think we
are just in the top of the hour so we can also continue and schedule
another session playing the game.

Simone Onofri: just to spend some words on so did we do a good job. So we
just started thinking about cards and after each card became more concerned
about privacy and also security. so we can also meet again also in TCG if
it's something interesting but we also have the threat modeling community
group the security interest group and the privacy working group and of
course luckily also on verifiable credentials working group.

Simone Onofri: So there are a lot of work that is started in CCG about also
zero knowledge proof postquantum cryptography and really important topics
for protecting our us which can mean protect our privacy our security in
general terms and also our human rights and related topics. So also thank
you CCG for all the work you're doing to make the web safer. And just the
last word then I'm going to stay silent. We have always remembered that
attackers simply ignore our threat model. So we should always use maximum
care identifying threats. but we know also that attackers can ignore our
threat model and maybe we have some assumptions and they are going to break
the assumption to attack us.

Simone Onofri: So it's something really important to keep in mind that at
the end we always have to iterate and trying to do our best and be flexible
also on remediation. So thank you and also for your contribution. If you
have other ideas you can find our email address and other threats of course
on the first slide.

Harrison Tang: Cool. Thank you.

Simone Onofri: And thank you also for all the work you are doing to make
the credentials better. so I said I missed

Harrison Tang: Simone. And thank you, Amir, and Zahra. And by the way, I do
want to probably schedule a follow-up session. I love games. so personally
I enjoy this session quite a bit. by the way,…
01:00:00

Harrison Tang: we actually have a full calendar till January, believe it or
not. So, I'll follow up with you Simone probably next February and then
let's schedule another gaming session because this is kind of fun.

Simone Onofri: Great. Yes,…

Simone Onofri: in general we need a lot of help in particular from you that
are really competent on also the topic. So the quality of the threats will
be great in particular in inside CCG.

Simone Onofri: That's because I was wondering this thing.

Harrison Tang: Great. All right,…

Harrison Tang: I'll follow up with you. Let's try to put some dates down
next January or…

Simone Onofri: Mhm. Thank you.

Harrison Tang: February. thank you. All right, this concludes today's CTG
meeting. thanks for everyone's participation. this is a very active and…

Simone Onofri: Thank you. Bye-bye.

Harrison Tang: fun session. Big thanks. Have a good one. Bye.

Zahra Ebadi: Thank you.

Zahra Ebadi: Thank you. Bye. Bye. Ciao.
Meeting ended after 01:01:10 👋

*This editable transcript was computer generated and might contain errors.
People can also change the text after it was created.*

Received on Tuesday, 19 August 2025 22:08:00 UTC