Re: When is "phone home" ok, if ever?

Thank you Joe, Daniel, Carsten and the rest for the meaningful exchange!

What a lovely discussion you started here, Manu. Building on your flame-retardant suit-up I up you one by dressing as a hammer: everything now looks like a credential! 😊 Putting aside the cheeky comments, I believe we skipped a simple triage that opens our aperture to allow multiple complementing technologies to solve the entirety of the problem before we over-engineer the VCs to a point where they are impossible to use.

Tools, in general, are good when they serve a clear purpose without skewing the intent: reading glasses are a good example here. They assist our ability to read but do not introduce ‘nuances’ to the way light goes through and do not interpret if I read at home or at work. I advocate for simplicity and the use of fit-for-purpose tools. In the case you put forward, I believe the wallet and credentials should not skew/bend according to context but serve as intended: credential is used to authN/authZ until revoked. No phone home (thank you for making this point earlier, Joe).

Now, speaking of safety and tracking, I argue this is *an adjacent* use case that has nothing to do with your digital badge (authN/authZ), and more with insurance/liability. A simple AirTag in the fireman gear would serve a similar or better job at satisfying the security concerns of the state – if you are not wearing it (on the job), we do not wish to know your whereabouts. This immediately drills into the risk/liability/legal channel, along the lines of ‘if you venture into fire without gear, you did not follow protocol and risk coverage is void’. Simplistic as it may appear, this tackles the individual challenges with the (supposedly) best tech available, vs cramming all into VCs and related protocols. I hope you understand why I dressed as a hammer here, as I take the costume off.

Warm regards,
Kalin

From: Daniel Hardman <daniel.hardman@gmail.com>
Date: Tuesday, May 6, 2025 at 4:40 PM
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: W3C Credentials CG <public-credentials@w3.org>, carsten.stoecker@spherity.com <carsten.stoecker@spherity.com>
Subject: Re: When is "phone home" ok, if ever?

Carsten:

There is some important thinking here. Thank you for sharing it.

Can I suggest that perhaps it would be nice to change a term before you spread this thinking more widely? I believe that the use of the term "citizen" is problematic, because it puts anyone who is not a citizen into a non-existent third category, and it invites the incorrect assumption that the right of ordinary people to hold non-employee credentials is somehow tied to their government status. Stateless persons living in refugee camps should be able to get most forms of verifiable credentials. I was an expat living in Switzerland; my right to drive was proved with a driver's license issued by the Swiss government, but I was not a citizen there. I just went to a meet-and-greet with Afghan refugees; they are not citizens of the country where they live, but they pay taxes and need VCs documenting their vaccinations, their education, etc.

Perhaps X2P (P = person) would be a better label.

--Daniel

On Tue, May 6, 2025 at 7:35 AM Manu Sporny <msporny@digitalbazaar.com> wrote:
Forwarding a really solid write up from Carsten since the email seems to have not gone through on the CCG mailing list.

---------- Forwarded message ---------
From: <carsten.stoecker@spherity.com>
Date: Tue, May 6, 2025 at 4:09 AM
Subject: AW: When is "phone home" ok, if ever?

Dear all,

Thanks for raising the important questions around first responder credentials, tracking, and consent. Your post sparked a deeper analysis on our end about how fundamentally different “citizen” and “employee” use cases are when it comes to verifiable credentials, privacy, tracking, consent management and UX. We conducted the analysis drawing on our expertise in employee wallets and business requirements, supported by in-depth research facilitated through OpenAI Deep Research.

We’ve compiled our findings from an employee related perspective into a .md document, which you can access here: https://hackmd.io/@KsjE2xL6Q_CAsVkYWt58iA/BJ3I9Vwxxx

The key takeaway is that employee credentials—like those for first responders—must be treated with different assumptions than citizen ones. Tracking, consent, wallet structure, and UX expectations diverge significantly due to operational and legal differences.

For example, we argue that:

  *   Employee credentials justify tracking (with limits) for safety, compliance, and auditing.
  *   Privacy-enhancing technologies are often counterproductive in these scenarios.
  *   Terms of use should define purpose, context, and data retention obligations.
  *   Wallet and verifier design should account for these distinctions to protect workers while supporting operations.

We also suggest formalizing the separation of private and employment-related wallets to avoid consent ambiguity and security policy conflicts as well as “wallet dance” when business processes engage with personal wallets on private hardware outside the broader organisational ecosystem infrastructure.

Looking forward to hearing your thoughts—and happy to contribute to standardization discussions on this topic.

Best regards,
Carsten


Key Concepts from our Research Document

1. Distinction between X2C and X2E Use Cases

  *   X2C (Entity-to-Citizen): Consent-centric, minimal disclosure, governed by strong privacy expectations (e.g. GDPR).
  *   X2E (Entity-to-Employee): Includes justified tracking for compliance, safety, and auditing—subject to workplace transparency and proportionality requirements.

2. Citizen vs Employee Credentials

  *   Employee credentials (e.g. digital badges for first responders) support operational needs like authentication, location tracking, and role-based access.
  *   These are structurally and functionally different from credentials used in purely personal contexts.

3. Separate Wallets for Personal and Professional Use

  *   Distinct wallets avoid “wallet dance” issues and reduce privacy and compliance friction.
  *   eIDAS 2.0’s one-wallet policy introduces complications, especially in high-security employment settings.
  *   A business wallet infrastructure is proposed, inheriting verified identity elements under organizational control.

4. Consent and Privacy Management

  *   In X2E scenarios, consent is often non-voluntary, and must be replaced with transparent policy-based controls.
  *   Privacy-enhancing technologies (PETs) offer limited value in operationally intensive environments and may impair usability and interoperability.

5. Terms of Use for Credentials and Presentations

  *   Terms should specify scope, context, permitted data uses, and data retention/deletion timelines.
  *   Wallets and verifier apps should enforce or warn on violations of these terms, helping avoid repurposing or misuse.

6. UX and Simplicity for Critical Scenarios

  *   Especially in the case of first responders, the focus should be on operational simplicity and trust—not abstract privacy guarantees.
  *   The use of verifiable credentials should enhance coordination without introducing excessive technical complexity.

Kind regards

Carsten Stöcker
Founder, CEO Spherity GmbH
+49 152 08930 990

Spherity GmbH<http://spherity.com/> | Emil-Figge-Str. 80 | 44227 Dortmund

Received on Tuesday, 6 May 2025 16:02:40 UTC