- From: Julien Fraichot <Julien.Fraichot@hyland.com>
- Date: Thu, 23 Jan 2025 16:53:45 +0000
- To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <SA3PR13MB61886657DCF73FB4D4AC94C690E02@SA3PR13MB6188.namprd13.prod.outlook.com>
Hi CCG Community, I’m currently in the process of gathering information and practices regarding improving trust in Controller Documents. I guess the main issue I’m trying to tackle is how to rule out a malicious actor actively impersonating an official issuer. Think for instance of someone who is able to set up a thorough infrastructure with DIDs or Controller Documents and whatever mechanism in place to sanction the validity of the public keys used (CEL, did:webvh, KERI, etc) but using a clone domain similar as to what would be done in a phishing attack (ie: instead of https://www.dmv.ca.gov/portal/, you would have someone use https://www.dmv-california.org or similar to host any web based information and “spoof” an identity). I’m guessing I am not the only one working on such a matter so I’d like to hear about things that I might have missed thus far. I have looked at the solutions listed above, but to me they don’t suffice to address the use case I’m exposing. And I think, generally speaking, DIDs can have a similar weakness: you probably read about that French woman who got scammed by her fake Brad Pitt boyfriend, the attacker could have presented a fake Brad Pitt DID that wouldn’t have likely triggered any alarm. I know trust registries can be used but several issues can arise: * How do you get registered (aka accepted)? * As a small new actor in a field, or an individual, isn’t the process a barrier of entry? * How do you trust the goodwill and intentions of who signs off an entry into the registry? * Who manages the registry? * And if all of that is centralized, isn’t this just a glorified CA? * If it’s decentralized, what’s the incentive to run a node/governance (cryptocurrency?)? Witnesses are also an option, but again, how do you trust the network of witnesses. Scammers could very well set up their own network of witnesses and point to each other. Is there some work going on at this level, protecting the end human user against their own naivety? Thanks for your input -- Julien Fraichot Developer – Hyland Credentials ----------------------------------------- Please consider the environment before printing this e-mail ----------------------------------------- CONFIDENTIALITY NOTICE: This message and any attached documents may contain confidential information from Hyland Software, Inc. The information is intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or an employee or agent responsible for the delivery of this message to the intended recipient, the reader is hereby notified that any dissemination, distribution or copying of this message or of any attached documents, or the taking of any action or omission to take any action in reliance on the contents of this message or of any attached documents, is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail or telephone, at +1 (440) 788-5000, and delete the original message immediately. Thank you.
Received on Thursday, 23 January 2025 16:53:55 UTC