Aggregate verifiable claims from Kjetil Kjernsmo on 2017-01-16 (public-webpayments-ig@w3.org from January 2017)

From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
Date: Mon, 16 Jan 2017 07:50:54 -0600
To: public-webpayments-ig@w3.org
Message-Id: <2480500.N4OvM9NeqF@owl>

All,

I'm very interested in the verifiable claims work that this group is doing, 
but I have not had time to participate. I hope to be able to do so in the 
future.

I have read through the use cases, and I think I may have another class of 
things: Aggregate verifiable claims.

Consider for example, creditworthiness. A subject may have credit cards in 
many banks, and the banks may not be in the position to exchange 
information about the subjects they issue credit cards to. It may be in 
the bank's best interest not to do so, as it would reveal too much of the 
compitition situation to rivals, and it may be in the subject's best 
interest not to do so, to not reveal information about themselves. In some 
jurisdictions, it may even be illegal to  gather such information.

Thus, creditworthiness may be difficult to prove or assess.

Now, I think it would be very interesting if a subject could aggregate all 
outstanding debt without disclosing which bank (now in the issuer role) or 
how much debt they have in each back. The aggregate should be verifiable by 
the bank (in the inspector role), without each issuer being known.

This has several components: It must be possible to ensure that the ground 
data was verifiable, it must be possible to ensure that data was not 
modified before aggregate, it must be possible to verify that the 
aggregation operation itself was correct. Finally, aggregation implies a 
closed world assumption, which is in the general case impossible to 
verify.

This last problem is interesting, but in practical cases, it should be 
possible to address. There is a finite number of banks, closure could be 
made by using a shared and trusted exhaustive list of issuers.

Now, it would be neat if there's some cryptographical way to ensure all of 
the above (except closed world), so that only the current user roles need 
to be involved. I'm not well versed in that literature though, so I'm 
assuming a trusted third party would have to be involved to verify the 
ground data and perform the aggregation, and then sign the aggregation. I 
hope it should be doable, and I hope it is an interesting use case for 
your current work.

Best,

Kjetil

Received on Monday, 16 January 2017 13:51:01 UTC