Re: Revocation and No Phone Home

On Mon, Jun 2, 2025 at 1:12 PM Stephen Curran <swcurran@cloudcompass.ca> wrote:
> My question: What is the benchmark for retrieving revocation data such that it is not considered “phoning home”?

The general place we got to in the VC Working Group, from a "What
level of pseudonymity is safe enough?" standpoint, was something along
the lines of:

When status information is retrieved from the issuer, the issuer
cannot easily guess (with a very high degree of probability) who the
subject of interest is.

The default for BitstringStatusList is 1 in 131,072, or a 0.00076%
(seventy-six millionths of a percent) chance of correctly guessing who
the subject is given a status list retrieval. To put it in
perspective, those are close to your lifetime odds of being killed by
lightning (1/180,000) or killed by an asteroid impact (1/120,000).

That, of course, assumes that the issuer isn't misimplementing or
being nefarious in some sort of undetectable way, as Kyle mentioned.

> There are other mitigations worth considering:
>
> Verifiers should only request revocation status when necessary.

Yes, agreed.

> Verifiers could accept a bounded age for a proof of non-revocation (e.g., “not revoked in the past two weeks”).

Yes, that would also improve things.

> Issuers could publish revocation schedules or patterns to reduce the need for frequent checks.

That could work as well, but getting verifiers to properly implement
that might be difficult. Aggressive caching at the edge would help
here, as would more use of Oblivious HTTP, as Kyle mentioned in his
email.

> What other techniques or considerations can help meet both the “no phone home” requirement and the need for revocation support?

The statement on the nophonehome.com website is a good general
statement, and one that should be a guiding principle for all digital
credential ecosystems. I was (and still am) a bit concerned about some
of the nuances... like what Stephen and Kyle are getting at in this
thread.

Retrieving a status list could be misinterpreted as "phoning home"...
but it's not anywhere near the same level of "phoning home" that
contacting the issuer and telling them "I've got Steve here at
booze-hut.com, is he over 21?" achieves.

This feels a bit like the "Spectrum of Privacy" statement in the VC spec:

https://www.w3.org/TR/vc-data-model-2.0/#spectrum-of-privacy

... that is, there is a spectrum of "phone home" from "contacting the
issuer provides the issuer with a very high assurance of who you are,
where you are, and what you're doing" to "contacting the issuer does
not give them any statistically significant knowledge of who you are,
where you are, or what you're doing".

So, "phone home" is not binary... there's a spectrum there, but
"spurious mDL server retrieval" is about as maximal of a privacy
violation as you can achieve.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Tuesday, 3 June 2025 01:25:36 UTC
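The two quantitative points in this thread (a status list retrieval tells the issuer only that the holder is one of N indices, so its best guess succeeds with probability 1/N, and a verifier that accepts a bounded-age non-revocation result contacts the issuer once per window rather than once per presentation) can be shown end to end in a small model. The following is an added example, not code from this thread, from the VC specifications, or from any project: it builds a BitstringStatusList-shaped list (one bit per index, gzip then base64url), checks a bit on the verifier side, and wraps the check in a cache with a two-week maximum age. The bit order within a byte, the `CachingVerifier` class and `demo` function, and the sample revoked indices are all assumptions made for the example.

```python
"""Privacy model for status-list revocation checks (added example).

Issuer side: encode revoked indices as a bitstring.
Verifier side: fetch the whole list, test one bit locally, and reuse the
list for a bounded time so the issuer sees few retrievals.
"""
import base64
import gzip
import math
import time

LIST_SIZE = 131_072          # default list length cited in the thread
TWO_WEEKS = 14 * 24 * 3600   # the "not revoked in the past two weeks" bound


def build_status_list(revoked_indices, size=LIST_SIZE):
    """Issuer side: one bit per credential index (1 = revoked), gzip'd and
    base64url-encoded, the general shape of a BitstringStatusList.
    Bit 0 is taken to be the most significant bit of byte 0 (assumption)."""
    bits = bytearray(math.ceil(size / 8))
    for i in revoked_indices:
        if not 0 <= i < size:
            raise ValueError(f"index {i} outside list of size {size}")
        bits[i // 8] |= 0x80 >> (i % 8)
    raw = base64.urlsafe_b64encode(gzip.compress(bytes(bits)))
    return raw.rstrip(b"=").decode("ascii")


def decode_status_list(encoded):
    """Undo base64url (restoring padding) and gzip to get the raw bitstring."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return gzip.decompress(base64.urlsafe_b64decode(padded))


def is_revoked(bitstring, index):
    """Verifier side: test a single bit; nothing about the index leaves the verifier."""
    if index >= len(bitstring) * 8:
        raise ValueError("index beyond list")
    return bool(bitstring[index // 8] & (0x80 >> (index % 8)))


def issuer_guess_probability(list_size):
    """What one retrieval tells the issuer: the holder is one of list_size
    credentials, so its best guess of the subject is right with probability 1/N."""
    return 1.0 / list_size


class CachingVerifier:
    """Fetches the list at most once per max_age seconds and otherwise answers
    from cache, so a burst of presentations costs the holder one retrieval."""

    def __init__(self, fetch, max_age):
        self.fetch = fetch          # callable returning the encoded list
        self.max_age = max_age
        self.cached = None
        self.fetched_at = None
        self.fetch_count = 0        # how many times the issuer was contacted

    def check(self, index, now=None):
        now = time.time() if now is None else now
        if self.cached is None or now - self.fetched_at > self.max_age:
            self.cached = decode_status_list(self.fetch())
            self.fetched_at = now
            self.fetch_count += 1
        return is_revoked(self.cached, index)


def demo():
    """Constructed scenario: three revoked credentials in a 131,072-entry list."""
    encoded = build_status_list({7, 4242, 100_000})
    verifier = CachingVerifier(fetch=lambda: encoded, max_age=TWO_WEEKS)
    t0 = 1_700_000_000
    results = {
        "revoked_4242": verifier.check(4242, now=t0),
        "active_4243": verifier.check(4243, now=t0 + 3600),
        "active_0_next_week": verifier.check(0, now=t0 + 7 * 86400),
        "fetches_within_window": verifier.fetch_count,
    }
    verifier.check(7, now=t0 + TWO_WEEKS + 1)   # past the window: one fresh retrieval
    results["fetches_after_window"] = verifier.fetch_count
    results["guess_probability_percent"] = issuer_guess_probability(LIST_SIZE) * 100
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cache is the verifier-side form of the "bounded age" mitigation: three checks inside the window produce a single retrieval, and the issuer's view of that retrieval is the whole list, not the index. Shrinking the list (or padding it with only a handful of live entries) raises `issuer_guess_probability` directly, which is the parameter to watch when an issuer claims herd privacy.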