- From: David Baron via WBS Mailer <sysbot+wbs@w3.org>
- Date: Thu, 29 Dec 2016 07:15:01 +0000
- To: public-new-work@w3.org
The following answers have been successfully submitted to 'Call for Review: Verifiable Claims Working Group Charter' (Advisory Committee) for Mozilla Foundation by David Baron.

The reviewer's organization opposes this Charter and requests that this group not be created [Formal Objection].

Additional comments about the proposal:

We don't think the W3C should be putting resources behind standardization of verifiable claims. We're not convinced of either sufficient demand for this or sufficient incubation of the technology.

However, based on the proposed architecture at https://w3c.github.io/webpayments-ig/VCTF/architecture/ , linked from the charter, we're very concerned about the privacy properties of this work if the W3C were to proceed with it.

This architecture appears to propose a system in which verification of claims leaks substantial information about a user. For example, presenting a credential that is tied to an identity of a user allows for tracking of that identity across sites, which the user may not want. Or if, for example, a site accepts claims from various government authorities for proof of a user's age, then presentation of a claim of age from the California DMV would provide the data that the user lives in California, even if that was not the information requested or needed. Even if claims are not directly tied to identity, it appears that the proposed architecture would allow the Issuer and the Inspector to collude to determine which Holder a claim applies to.

There has been substantial work on using cryptography to allow proof of specific claims without leaking information, such as https://www.microsoft.com/en-us/research/project/u-prove/ . However, this effort seems to ignore that work and instead propose a design with much worse privacy properties. If the W3C were to pursue this work, we think it would be best to pursue a system with strong privacy properties such as this one.

However, if that is not done, we would be particularly opposed to a system that ties claims to a single identity for the user, which would be most prone to unsanctioned tracking. However, even transitory and pseudonymous identifiers can leak substantial information, contrary to the expectations of the user (in the proposed architecture, the Holder), particularly if some or all of the Issuer, Identifier Registry, and Inspector cooperate to track the Holder.

Answers to this questionnaire can be set and changed at https://www.w3.org/2002/09/wbs/33280/VCWG/ until 2017-01-15.

Regards,

The Automatic WBS Mailer
Received on Thursday, 29 December 2016 07:15:07 UTC