- From: Adrian Hope-Bailie <adrian@hopebailie.com>
- Date: Thu, 28 May 2015 07:40:13 +0200
- To: Dave Raggett <dsr@w3.org>
- Cc: Erik Anderson <eanders@pobox.com>, Web Payments IG <public-webpayments-ig@w3.org>
- Message-ID: <CA+eFz_KoWyZR8Yz_5hNBSwwBPrApRQ8CYCjMdz2H0NX-BXw01w@mail.gmail.com>
On 27 May 2015 at 20:14, Dave Raggett <dsr@w3.org> wrote:
>
> On 27 May 2015, at 15:28, Adrian Hope-Bailie <adrian@hopebailie.com>
> wrote:
>
> To harden this identity we must "tie it to reality". The problem is,
> anyone with the document in Example3 can present it and claim to be the
> subject of that document. In order to harden this identity we require a way
> for the holder to prove they are also the subject.
>
> This can be achieved through technology by having biometric data in the
> document that can be verified by the consumer or the presenter must be able
> to sign a challenge with one of the keys used to sign the document or....
> some other mechanism.
>
I am not suggesting this is a requirement. These are just examples. The
challenge with simply having a document that contains real-world attributes
is that anyone can attest to being the subject of the document, even if the
document itself is signed.

I would define hardening as a means to prove that the holder of the
identity is also the subject of the identity.

Without biometrics, I agree that one needs some PKI based solutions where
the holder can prove they are the subject. I would imagine the easiest way
to do this is for the holder to prove they have a secret that was defined
when the identity was first compiled and signed by a trusted authority that
attests to the connection between the content of the identity and the
real-world entity.

> The requirement to embed biometric data isn’t obvious to me. I would
> instead expect that we would have assertions about identities, e.g. a web
> identity used in a transaction and based upon an elliptic curve key pair
> that applies to the {user, device, account} combo. This could be tied to a
> real world identity with attributes such as full name, address, date of
> birth, financial institution, account number etc.
>
> Essentially, KYC is addressed through a certificate that ties a web
> identity to a real world identity. Privacy considerations might weaken this
> to allow for a deferred binding that is only revealed upon a court order /
> legal proceedings.
>
> —
> Dave Raggett <dsr@w3.org>
Received on Thursday, 28 May 2015 05:40:41 UTC
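
Added example, not part of the original message or of any Web Payments IG specification: a sketch of the holder-proves-subject check discussed in this thread, where a trusted authority signs a document that binds real-world attributes to the holder's elliptic curve public key and the consumer then has the presenter sign a fresh challenge. All function and field names, the P-256 curve and the sample attributes are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample keys: the trusted authority and the legitimate holder.
const issuer = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const holder = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Authority: bind attributes to the holder's public key and sign the result.
function issueIdentity(attributes, holderPublicKey, issuerPrivateKey) {
  const body = JSON.stringify({
    attributes,
    holderKey: holderPublicKey.export({ type: 'spki', format: 'pem' }),
  });
  const signature = crypto.sign('sha256', Buffer.from(body), issuerPrivateKey);
  return { body, signature: signature.toString('base64') };
}

// Consumer: a fresh random challenge per presentation defeats replayed responses.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Holder: sign the challenge with the private key matching the bound public key.
function answerChallenge(challenge, privateKey) {
  return crypto.sign('sha256', challenge, privateKey);
}

// Consumer: the authority must have signed the document AND the presenter
// must control the private key named inside it.
function verifyPresentation(doc, challenge, response, issuerPublicKey) {
  const sig = Buffer.from(doc.signature, 'base64');
  if (!crypto.verify('sha256', Buffer.from(doc.body), issuerPublicKey, sig)) {
    return 'bad-issuer-signature';
  }
  const holderKey = crypto.createPublicKey(JSON.parse(doc.body).holderKey);
  return crypto.verify('sha256', challenge, holderKey, response)
    ? 'holder-is-subject' : 'holder-not-proven';
}

function demo() {
  const doc = issueIdentity({ fullName: 'Alice Example' }, holder.publicKey, issuer.privateKey);
  const copier = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }); // has the document only
  const c1 = newChallenge();
  const c2 = newChallenge();
  const good = answerChallenge(c1, holder.privateKey);
  const check = (d, c, r) => verifyPresentation(d, c, r, issuer.publicKey);
  return {
    genuine: check(doc, c1, good),
    copied: check(doc, c1, answerChallenge(c1, copier.privateKey)),
    replayed: check(doc, c2, good), // old response against a new challenge
    tampered: check({ ...doc, body: doc.body.replace('Alice', 'Mallory') }, c1, good),
  };
}
```
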