- From: Matteo Frigo <matteof@google.com>
- Date: Wed, 4 Jun 2025 15:21:35 -0400
- To: public-credentials@w3.org
- Message-ID: <CAJVnZs_4jHri1uubDV989FSCK_Vjysk0B3NDa=YD4O2OniDc5A@mail.gmail.com>
Hi Manu.

We believe that a zero-knowledge presentation of the credential, like the scheme we presented to this forum a few weeks ago, would solve this problem. Are people aware of any attacks that we have not considered?

Irrespective of this specific server-retrieval attack, if one is worried about the issuer instructing the relying party to track certain users, it seems to me that any non-ZK presentation is vulnerable to this kind of attack, and that this is not an MDOC-specific problem. For example, a sufficiently malicious issuer who wants to instruct relying parties to track certain users could keep generating (r, s) ECDSA signatures until hash(r,s)=0xdeadbeef, and this particular hash would be used by relying parties to phone home to the issuer. Even with BBS+, if the issuer has a choice of which key to use for the BBS signature, a sufficiently malicious issuer could use a particular key for all users it wants to track, and instruct relying parties to track users that present that key.

So it seems to me that there is no solution to this problem outside of a zero-knowledge system like the one we are using in Google Wallet, where one can hide the issuer's key.

Cheers,
Matteo Frigo
Received on Wednesday, 4 June 2025 19:22:27 UTC