- From: Charles E. Lehner <charles.lehner@spruceid.com>
- Date: Thu, 26 May 2022 14:30:39 -0400
- To: public-vc-edu@w3.org

Hi VC-EDU,

(Previous thread participants Bcc'd)

Isn't dereferencing of URLs from credentials a privacy/tracking issue? Issuers could track holders by using unique image URLs in the credentials. HTML emails have a similar issue; for this reason mail clients might not load remote images by default, e.g. Thunderbird: https://support.mozilla.org/en-US/kb/remote-content-in-messages

Credential refresh services could address update-ability?

Regards,
Charles E. Lehner

On Thu, 26 May 2022 10:16:03 -0400
Manu Sporny <msporny@digitalbazaar.com> wrote:
> David Chadwick wrote:
> > I have a question about the display of the badge image. In the JSON
> > example, the image property is not actually an image, but is a URL
> > ("image":
> > "https://w3c-ccg.github.io/vc-ed/plugfest-1-2022/images/JFF_LogoLockup.png")
> > which could point to anything.
> >
> > There are several possible alternatives that I would like to run
> > past you and the group to get some feedback:
> >
> > 1. The wallet displays the URL to the user, and allows the user to
> > click on it, which opens the browser, and the browser displays the
> > contents of the URL (whatever it contains)
> >
> > 2. The wallet never displays the URL to the user, but automatically
> > dereferences the URL and displays the remote contents to the user
> > inside the wallet
> >
> > 3. The issuer replaces the contents of the URL with a base64
> > encoded image, so that the image is embedded inside the VC (and
> > therefore signed for integrity)
> >
> > Which option did you have in mind?
>
> On 5/25/22 8:49 AM, Julien Fraichot wrote:
> > I don’t think there is a better solution between the 2, it’s really
> > about trade-offs: size vs centralization.
>
> Agree with much of what Julien is saying... I'll note that there is
> another trade-off -- update-ability. Sometimes the issuer does want
> to update the image in place (new branding, new brand guidelines,
> etc.) for very long-lived credentials.
>
> Universities stay around for more than a few years at a time, and
> your degree is typically good for a lifetime. Universities also go
> through (very expensive) re-branding exercises every few years... I
> know our local university spends millions doing this... tears down
> all their signs and replaces them with (questionably) improved
> designs every 5-10 years. The same is true for their digital assets,
> like brand images, paper certificates, etc.
>
> All this to say... there is at least size vs. centralization vs.
> update-ability. I don't think there is a one-size-fits-all solution.
>
> There's a lot to unpack here, and my suggestion is that we don't do
> that before the JFF June 6th date. :)
>
> Can we just "do whatever our wallets do today to display images"? So,
> there is a URL... if it's "https://..." we dereference the image and
> display it... if it's "data:image/png;base64,SGVsbG8sIFdvcm..." we
> render it directly... and if our wallet only supports one of those
> options, that's all we can do for now and we can try to improve it in
> the future?
>
> So we leave it as an "item to be discussed" for later plugfests?
>
> -- manu
>
Received on Thursday, 26 May 2022 18:31:23 UTC
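
The following sketch is an added example, not code from this thread or from any wallet discussed in it: it applies the remote-content default of mail clients to a credential's `image` value, rendering an embedded PNG offline and holding an `https` URL until the holder opts in. The function name `planImageDisplay`, the `allowRemote` option and the sample values are assumptions made for illustration.

```javascript
// Added example: hypothetical wallet-side policy for a credential's "image" value.
// planImageDisplay and allowRemote are illustrative names, not from any wallet or spec.

const PNG_MAGIC = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
const INLINE_TYPES = new Set(["image/png"]); // only types the byte check below understands

function planImageDisplay(image, { allowRemote = false } = {}) {
  if (typeof image !== "string") return { action: "reject", reason: "not a string" };

  // Embedded image: part of the signed credential, rendered with no network request.
  const m = /^data:([a-z]+\/[a-z0-9.+-]+);base64,([A-Za-z0-9+/]+={0,2})$/i.exec(image);
  if (m) {
    const mediaType = m[1].toLowerCase();
    if (!INLINE_TYPES.has(mediaType)) return { action: "reject", reason: "unsupported media type" };
    const bytes = Buffer.from(m[2], "base64");
    // The declared media type is only a label; check the bytes start with the PNG signature.
    const isPng = PNG_MAGIC.every((b, i) => bytes[i] === b);
    return isPng
      ? { action: "render-inline", mediaType, size: bytes.length }
      : { action: "reject", reason: "payload is not a PNG" };
  }

  let url;
  try { url = new URL(image); } catch { return { action: "reject", reason: "unparseable" }; }
  if (url.protocol !== "https:") return { action: "reject", reason: "scheme " + url.protocol };

  // Remote image: fetching it tells the host that this credential was opened.
  // Hold the request until the holder opts in, as mail clients do for remote content.
  return allowRemote
    ? { action: "fetch", origin: url.origin }
    : { action: "blocked-remote", origin: url.origin };
}

// Constructed sample inputs (the first URL is the one quoted in the thread).
const samples = [
  "https://w3c-ccg.github.io/vc-ed/plugfest-1-2022/images/JFF_LogoLockup.png",
  "data:image/png;base64," + Buffer.from([...PNG_MAGIC, 0, 0, 0, 13]).toString("base64"),
  "data:image/png;base64," + Buffer.from("not an image").toString("base64"),
  "http://issuer.example/badge.png?holder=1234",
];
for (const s of samples) console.log(s.slice(0, 40), "->", planImageDisplay(s));
```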