- From: Greg Bernstein <gregb@grotto-networking.com>
- Date: Fri, 7 Nov 2025 11:21:45 -0800
- To: public-credentials@w3.org
- Message-ID: <da36aa98-ec75-4366-80d8-a9a41e3ce505@grotto-networking.com>
Hi Mahmoud, I’m sure there will be other perspectives, but I’ll give you
a few of mine.
1. Holder binding primarily prevents credential theft from an honest
holder. There are a number of ways of providing for this. My
presentation BBS Advanced Features 2
<https://www.grotto-networking.com/Presentations/BBSforVCs/BBSAdvancedFeatures2.html>
discusses the /non-privacy-preserving/ approach using a disclosed public key
and additional signature (like used in SD-JWT “key binding”) as well
as the privacy-preserving approach taken in the VC-DI-BBS
<https://www.w3.org/TR/vc-di-bbs/#anonymous-holder-binding>.
2. As explained in my recent presentation on Everlasting Privacy
<https://www.grotto-networking.com/Presentations/EverlastingPrivacy/EverlastingPrivacySlides.html>,
“holder binding” does *not* help with a holder
/complicit/ in credential abuse. This seems to be a common
misconception and seems to be resulting in “device based holder
binding” (see below).
3. Some notions of “holder binding” include “device binding”, which is
essentially the public key/signature approach mentioned above using
a /Secure Element/ (SE) or /Trusted Platform Module/ (TPM) to secure
the private key and compute the signatures. With current SEs and TPMs
this takes significant effort to preserve privacy. We had a talk on
using ZKPs this year at the CCG (longfellow-zk).
Hope this helps. There are some interesting new efforts in this area to
help out on privacy.
Cheers, Greg B.
On 11/6/25 7:16 AM, Mahmoud Alkhraishi wrote:
>
> Hi All,
>
> I'm in a conversation with several people who keep bringing up topics
> around holder bindings, but they are lacking some foundation for it,
> including things like biometrics etc.
>
> Does anyone have any good articles or primers I can share with them to
> help explain:
>
> 1. What is holder binding?
> 2. Ways holder binding can be done
> 3. Pitfalls or issues that can arise from doing it badly?
>
> I know there has been a few conversations on the mailing list, but it
> isn't digestible for those groups.
>
> Regards,
> Mahmoud Alkhraishi
--
------------------------------------------------------------------------
Dr. Greg M. Bernstein, https://www.grotto-networking.com
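The disclosed-public-key form of holder binding that point 1 above describes, together with the theft-versus-complicity distinction from point 2, as an added example that is not part of this thread, of the linked presentations, or of the SD-JWT or VC-DI-BBS specifications. It is a Go sketch using only the standard library: the issuer signs the holder's public key into the credential, and the holder proves possession by signing the verifier's nonce and audience. The credential layout, the binding-message format, and the sample claim, nonce and audience values are constructed for illustration and do not follow any specification's encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a constructed, minimal credential: the issuer signs the
// holder's public key alongside the claims (the "disclosed public key" form of
// holder binding; the role the cnf claim plays in SD-JWT key binding).
type Credential struct {
	Claims    map[string]string `json:"claims"`
	HolderKey []byte            `json:"holder_key"` // ed25519 public key
}

// SignedCredential pairs the encoded credential with the issuer's signature.
type SignedCredential struct {
	Payload   []byte
	Signature []byte
}

// Presentation carries the credential plus the holder's signature over the
// verifier-chosen nonce and audience (the additional "key binding" signature).
type Presentation struct {
	Cred     SignedCredential
	Nonce    string
	Audience string
	KBSig    []byte
}

// Issue signs the claims and the holder's public key with the issuer's key.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, claims map[string]string) (SignedCredential, error) {
	payload, err := json.Marshal(Credential{Claims: claims, HolderKey: holderPub})
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(issuerPriv, payload)}, nil
}

// bindingMessage ties the holder's signature to this credential, this nonce
// and this verifier, so a presentation cannot be replayed elsewhere.
func bindingMessage(payload []byte, nonce, aud string) []byte {
	return []byte(fmt.Sprintf("%x|%s|%s", payload, nonce, aud))
}

// Present builds the holder's proof of possession for one verifier challenge.
func Present(holderPriv ed25519.PrivateKey, cred SignedCredential, nonce, aud string) Presentation {
	msg := bindingMessage(cred.Payload, nonce, aud)
	return Presentation{Cred: cred, Nonce: nonce, Audience: aud, KBSig: ed25519.Sign(holderPriv, msg)}
}

// Verify checks the challenge, the issuer signature, and then the holder's
// binding signature against the public key disclosed inside the credential.
func Verify(issuerPub ed25519.PublicKey, p Presentation, expectedNonce, expectedAud string) bool {
	if p.Nonce != expectedNonce || p.Audience != expectedAud {
		return false
	}
	if !ed25519.Verify(issuerPub, p.Cred.Payload, p.Cred.Signature) {
		return false
	}
	var c Credential
	if err := json.Unmarshal(p.Cred.Payload, &c); err != nil || len(c.HolderKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(c.HolderKey), bindingMessage(p.Cred.Payload, p.Nonce, p.Audience), p.KBSig)
}

// Demo runs three cases and returns (honestOK, stolenOK, replayOK). Only the
// first should be true: a copied credential without the holder's private key
// fails the binding check, and a captured presentation fails under a fresh nonce.
func Demo() (bool, bool, bool) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the credential was not issued to

	cred, err := Issue(issuerPriv, holderPub, map[string]string{"name": "Constructed Example"})
	if err != nil {
		panic(err)
	}
	nonce, aud := "n-4f2a", "https://verifier.example" // constructed challenge values

	honest := Verify(issuerPub, Present(holderPriv, cred, nonce, aud), nonce, aud)
	stolen := Verify(issuerPub, Present(otherPriv, cred, nonce, aud), nonce, aud)
	replay := Verify(issuerPub, Present(holderPriv, cred, nonce, aud), "n-fresh", aud)
	return honest, stolen, replay
}

func main() {
	honest, stolen, replay := Demo()
	fmt.Printf("honest holder: %v, credential without key: %v, replayed presentation: %v\n", honest, stolen, replay)
}
```

The example also makes point 2 concrete by what it cannot distinguish: if the holder hands holderPriv to someone else voluntarily, that party's presentation is byte-for-byte what the honest case produces and Verify returns true, which is why this kind of binding addresses theft but not complicity. Note that the verifier learns the holder's public key in every presentation, the linkability problem the privacy-preserving VC-DI-BBS approach in the thread is designed to avoid.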
Received on Friday, 7 November 2025 19:23:42 UTC