- From: Orie Steele <orie@transmute.industries>
- Date: Mon, 18 Sep 2023 13:19:29 -0500
- To: Sebastian Elfors <sebastian.elfors@idnow.de>
- Cc: Sebastian Crane <seabass-labrax@gmx.com>, Brent Zundel <Brent.Zundel@gendigital.com>, W3C VC Working Group <public-vc-wg@w3.org>, Ivan Herman <ivan@w3.org>, Kristina Yasuda <Kristina.Yasuda@microsoft.com>, Wayne Cutler <wcutler@gsma.com>, "Liaisons," <team-liaisons@w3.org>, Helene Vigue <hvigue@gsma.com>
- Message-ID: <CAN8C-_KdjhnMbdxra4wZAT6hx2Yw7QmmnfXopEEyx=ScxPHW4Q@mail.gmail.com>
Thanks for referring to
https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/66

I can see from the thread that the application and crypto layers are both considered, and that JSON-LD / RDF claims are supported via JSON serialization using SD-JWT.

I can also see security issues being discussed regarding "JSON-LD" which seem to be confusing Data Integrity Proofs as a securing mechanism, with JSON-LD / RDF as a claims data model.

W3C VCWG recently added a lot of text to the specification on "processing the core data model as JSON", in other words, not doing any JSON-LD processing.
https://github.com/w3c/vc-data-model/pull/1202

We are also in the process of writing the section on the "benefits of processing the core data model as JSON-LD", where we expect the topic of RDF / transforms to be commented on, and its benefits documented in language that is accessible and accurate.
https://github.com/w3c/vc-data-model/pull/1270

It would be good to understand if GSMA intends to process credentials as JSON or JSON-LD / RDF, because VC DI BBS currently *only supports verifying / processing credentials as JSON-LD* (JSON is not supported).

I urge caution when discussing JSON-LD, and not to conflate JSON with extra terms that might not be well understood as RDF, with JSON-LD that MUST be converted to application/n-quads before a signature can be produced or verified.

The former does not have canonicalization as a dependency, and is supported by SD-JWT, the latter REQUIRES implementations of this algorithm which is developed by a separate W3C working group: https://www.w3.org/TR/rdf-canon/, and is supported by vc-di-bbs.

Regards,

OS

On Mon, Sep 18, 2023 at 10:49 AM Sebastian Elfors <sebastian.elfors@idnow.de> wrote:

> Dear Sebastian C, all,
>
> There are a couple of additional pieces of information to be considered
> for the GSMA liaison request.
>
> ETSI has recently published the ETSI TR 119 476 technical report on
> selective disclosure (see
> https://www.etsi.org/deliver/etsi_tr/119400_119499/119476/01.01.01_60/tr_119476v010101p.pdf).
> This has been discussed in a different mail thread at W3C VC WG but it's
> worthwhile to bring to everyone's attention also in this mail thread for
> completeness and visibility. This ETSI report describes in detail why and
> how IETF SD-JWT and ISO mDL MSO have been chosen as formats for selective
> disclosure of PIDs in the Type 1 configuration of the EUDI Wallet. The
> report was authored by Peter Altmann and me, and we are still open to
> receive feedback on it.
>
> GSMA has created an issue in the EUDI Wallet GitHub repository to discuss
> the use of BBS+ as ZKP for the EUDI Wallet (
> https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/66).
> It's an informative read, and there are comments made by Paul Bastian
> (Bundesdruckerei) and Peter Altmann (member of the EUDIW Toolbox Expert
> Group), which explain why the EUDIW Toolbox Group decided to not choose
> BBS+, AnonCreds or Idemix as PID for the EUDI Wallet Type 1 configuration.
>
> In a nutshell, the EU public sector will only accept SOG-IS approved
> cryptographic algorithms when issuing the PID for the EUDI Wallet Type 1
> configuration, hence the choices of ISO mDL MSO and IETF SD-JWT.
>
> However, the EUDI Wallet ARF allows for other cryptos and formats for Type
> 2 configurations of the EUDI Wallet, and here BBS+ and similar ZKP schemes
> could be of interest. So GSMA could focus on certifying hardware-based
> solutions with BBS+ support, such as SIM-cards with embedded BBS+
> algorithms. Peter and I are happy to join a meeting with GSMA to discuss
> this, if possible.
>
> Kind regards,
> Sebastian
>
> -----Original Message-----
> From: Sebastian Crane <seabass-labrax@gmx.com>
> Sent: Friday, 15 September 2023 18:22
> To: Brent Zundel <Brent.Zundel@gendigital.com>
> Cc: W3C VC Working Group <public-vc-wg@w3.org>; Ivan Herman <ivan@w3.org>;
> Kristina Yasuda <Kristina.Yasuda@microsoft.com>; Wayne Cutler
> <wcutler@gsma.com>; Liaisons, <team-liaisons@w3.org>; Helene Vigue
> <hvigue@gsma.com>
> Subject: Response to GSMA from the W3C
>
> Dear Brent,
>
> Thank you for finding time during the TPAC meeting to discuss the GSMA
> liaison request. Since I was on the queue to speak when the meeting closed,
> I shall instead write my thoughts below.
>
> The GSMA's offer for collaboration in our BBS-based data integrity
> specification is a significant vote of confidence in the ability of
> Verifiable Credentials to provide the desired privacy enhancements for the
> EU's Digital Identity programme. The resources that will become available
> to the VCWG from this collaboration are to be considerable.
>
> I believe it would be appropriate for the VCWG to collaboratively form a
> response for you to send, as this will give us the opportunity to present
> the diversity of expertise that we possess as a group, and as a result will
> best communicate to the GSMA which of our participants are able to inform
> them in specific areas of interest. Considering the saturation of our
> available meeting time, I suggest a CryptPad or GitHub document could be
> used for this purpose in order to conclude such drafting efficiently.
>
> Additionally, as a European myself and a keen advocate of the
> Self-Sovereign Identity efforts, I would like to volunteer myself as an
> individual who will be able to help guide their collaboration in a way
> which is effective between the stakeholders (in this case, primarily the
> W3C, IETF, GSMA, European Commission and of course the citizens and
> residents of Europe who stand to benefit from this work). I would be
> grateful if you could include my offer directly in your correspondence with
> the GSMA's contacts.
>
> Best wishes,
>
> Sebastian

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>
Received on Monday, 18 September 2023 18:19:46 UTC
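
The message's point that SD-JWT has no canonicalization dependency, as an added example that is not part of the original thread or of any project's code: each SD-JWT disclosure is hashed over the exact base64url string that is transmitted, so a verifier never re-serializes the JSON. The JWS signature over the payload is omitted here, and the function names and claim values are constructed for illustration.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode(disclosure: str) -> list:
    padded = disclosure + "=" * (-len(disclosure) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def make_disclosure(name: str, value) -> str:
    # A disclosure is base64url(JSON array [salt, claim name, claim value]).
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def digest(disclosure: str) -> str:
    # The hash input is the encoded string as sent, not the parsed JSON.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(claims: dict):
    # In a real SD-JWT this payload is then signed as a JWT (omitted here).
    disclosures = [make_disclosure(k, v) for k, v in claims.items()]
    payload = {"_sd_alg": "sha-256", "_sd": sorted(digest(d) for d in disclosures)}
    return payload, disclosures

def verify_disclosed(payload: dict, presented: list) -> dict:
    # Accept a claim only if its disclosure digest is listed in the payload.
    claims = {}
    for d in presented:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by the signed payload")
        _salt, name, value = decode(d)
        claims[name] = value
    return claims

def reserialized(disclosure: str) -> str:
    # Same JSON array with different whitespace, as a re-encoding step would emit.
    compact = json.dumps(decode(disclosure), separators=(",", ":"))
    return b64url(compact.encode("utf-8"))

if __name__ == "__main__":
    # Constructed sample claims.
    payload, ds = issue({"given_name": "Erika", "age_over_18": True})
    print(verify_disclosed(payload, [ds[0]]))            # holder reveals one claim
    print(digest(reserialized(ds[0])) in payload["_sd"])  # re-encoding breaks the match
```

The second result shows why the disclosure travels as an opaque string: any re-encoding changes the digest, which is the problem RDF canonicalization solves for the JSON-LD path and which SD-JWT avoids by never re-encoding.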