Re: [EXT] Re: LS from GSMA EIG to W3C from Orie Steele on 2023-09-13 (public-vc-wg@w3.org from September 2023)

From: Orie Steele <orie@transmute.industries>
Date: Wed, 13 Sep 2023 17:54:01 -0500
To: Paul Bastian <paul.bastian@posteo.de>
Cc: W3C VC Working Group <public-vc-wg@w3.org>
Message-ID: <CAN8C-_JvuO2Nbthgor8qcQ5kRQ6Zpv+kR-Xn-vmXe=8Ts=cyYg@mail.gmail.com>
Additional context on the potential capabilities of BBS.

It has the potential for more compact selective disclosure, but at the cost
of canonicalization and non standard crypto operations when compared to
sd-jwt.

I don't believe there is any possibility that this work item will
meaningfully address unlinkability.

Based on the other dependencies, for example the hmac blinding of
application n-quads, and other mandatory to support VCDM properties, such a
proof created and proofValue.

This means most of the potential use of BBS, is redundant to ecdsa-sd (the
data integrity proof approach) and sd-jwt (the just sign the bytes
approach).

For this reason I don't feel the work item can provide value over the
existing alternatives.

And BBS being based on relatively new crypto is a reason not too recommend
it, over the other alternatives.

I do think that BBS might provide some value that is not achievable by data
integrity proofs, or sd-jwt, assuming a new envelope format like JWP or CWP
is paired with it, but that is not part of the current W3C working group
approach.

If you are interested that, I suggest contributing to the work happening on
this topic at IETF.

Happy to help collaborate on draft text that captures the opportunity for
BBS, but my current recommendation would be to simply not spend the cycles
on it, and instead focus them on sd-jwt and ecdsa-sd.

Regards,

OS




On Wed, Sep 13, 2023, 5:35 PM Paul Bastian <paul.bastian@posteo.de> wrote:

> To give some perspective, you should follow this thread [1] at the eIDAS
> ARF. It seems GSMA suddenly woke up and realized they need to be part of
> it. I've given them seven reasons why BBS+ is currently not favored for the
> PID, but they seem not to understand. So I assume they are privacy
> advocates at any cost or they might have a hidden agenda.
>
> Br, Paul
>
> [1]
> https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/66
> On 13.09.23 17:20, Orie Steele wrote:
>
> Seems like the next step is to draft the response from the working group,
> and then bring it to the team for approval.
>
> Part of that response should be the lessons learned on this topic based on
> the progress made with:
>
> https://www.w3.org/TR/vc-di-ecdsa/#selective-disclosure-functions
> https://github.com/w3c/vc-di-ecdsa/pulse/monthly
>
> and the lack of progress made on:
> https://www.w3.org/TR/vc-di-bbs/
> https://github.com/w3c/vc-di-bbs/graphs/code-frequency
>
> And to clarify my previous message, the W3C is not doing any work with BBS
> that does not rely on RDF DataSet Canonicalization, it would be good to
> hear a direct answer on if that dependency is a requirement for GSMA, and
> for such a liaison agreement to be valuable to both sides.
>
> It would also be good to hear from @Tobias Looker
> <tobias.looker@mattr.global> on this topic.
>
> Regards,
>
> OS
>
> On Wed, Sep 13, 2023 at 9:51 AM Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>
>> On Wed, Sep 13, 2023 at 9:01 AM Orie Steele <orie@transmute.industries>
>> <orie@transmute.industries> wrote:
>> > It sounds like they are interested in BBS but I don't know if they care
>> if it's in a JSON, CBOR or JSON-LD envelope, or understand  the
>> differences. I did not read their request as prioritizing BBS+ based data
>> integrity proofs.
>>
>> Quoting directly from the GSMA request:
>>
>> """
>> W3C to detail how BBS+ and ZKPs will be integrated in the global VC /
>> VP ecosystem starting with the BBS Cryptosuite
>> (https://github.com/w3c/vc-di-bbs) and to inform GSMA EIG about the
>> timeline of their specification.
>> """
>>
>> > If a formal response from W3C is requested, does the working group need
>> to do anything or is the decision with the W3C members or staff?
>>
>> The WG is typically involved in drafting the response with approval
>> from the W3C Team... but it's possible that this has changed over the
>> years. I defer to Ivan on the process, here.
>>
>> -- manu
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> https://www.digitalbazaar.com/
>>
>
>
> --
>
>
> ORIE STEELE Chief Technology Officer www.transmute.industries
>
> <https://transmute.industries>
>
>
Received on Wednesday, 13 September 2023 22:54:22 UTC