
Re: Proof of Concept: Identity Credentials Login

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 10 Jun 2014 12:01:07 -0400
Message-ID: <53972BC3.3070108@digitalbazaar.com>
To: public-webpayments@w3.org

On 06/10/2014 01:22 AM, Tim Holborn wrote:
> Great work!!  V.Impressed with the architecture of the solution.

Thanks. :)

> Especially impressed that it’s in GitHub.

We're just open sourcing the code so that others can look at it and
understand that we're not trying to squat on the intellectual property.
We'll release into the public domain or CC0 soon, we just haven't done
it yet due to lack of time to make a pass through all of the source code
and label it appropriately.

> I think the device credential (x509v3 cert); perhaps linking to a
> FQDN or other challenge - in addition to the passphrase. Else,
> perhaps simply use a combination of credentials depending on the
> device profile.

The linking is done via the identity document rather than in the x509
cert. In fact, we don't use x509 certs because it's overkill - don't
need them for this system. You just need to store the public key
fingerprint.

> I hope that explains things.

Are you saying: The number of credentials / authentication mechanisms
that you use are a function of which device you're using and which
website you're trying to authenticate with? If so, we agree and the
Identity Credentials stuff is designed to allow that variability.

Doing a $10K transfer from an Internet Cafe should require more
credentials/authentication than doing the same transfer from your home
computer.

> FUNCTIONAL REQUIREMENTS? - In relation to the ‘Age Verification’ - I
> assume you're looking for a DOB? (therefore inferring the age of the
> person?) or are you getting a Form of AGE Rating Approve / Deny
> Method [2][3]?

No, specifically not looking for a DOB because that leaks information
that you don't need to leak. There are basically two types of
credentials that could verify that you're over the age of 18 (for
example). The first is to transmit your DOB, which not only proves that
you're of a certain age, but it also leaks exactly how old you are and
when you were born. The second is to just transmit a credential that
states "This person is over the age of 18". The latter doesn't leak your
date of birth or exact age and is thus more privacy-protecting than the
former.

> - In relation to ‘minors’ (meaning children or others who require a
> financial / medical / power of attorney or guardian); I assume a
> means to link identities is required.  Therefore, being able to ‘link
> identities’; for particular purpose.

Yes, required and supported.

> Great work!!! I got my head around it quickly and easily.

Good to hear. One of the things we were worried about was that there
were too many concepts in there and that getting them all at once would
be difficult, but from what I've read so far, it seems like you got it
w/o much issue. :)

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
Received on Tuesday, 10 June 2014 15:59:45 UTC
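As an added illustration (not code from this thread or from the Identity Credentials project), the two credential shapes Manu contrasts above: an issuer that holds the date of birth can sign either the raw DOB or only the "over 18" predicate, and a verifier that accepts the predicate form learns nothing beyond the threshold. The HMAC issuer key, subject id and claim names are constructed placeholders, not the project's vocabulary; a real deployment would use a public-key signature checked against the key fingerprint in the identity document.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed stand-in for the issuer's signing key. An HMAC secret shared
# with the verifier is NOT how a real system would sign; it keeps the
# example self-contained.
ISSUER_KEY = b"constructed-issuer-key"


def years_old(dob: date, on: date) -> int:
    """Whole years from dob to `on`, counting the birthday itself.
    A 29 Feb birthday only 'happens' on 1 Mar in non-leap years."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def _sig(claim: dict) -> str:
    payload = json.dumps(claim, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_dob_credential(subject: str, dob: date) -> dict:
    """Leaky form: the verifier learns the exact birth date."""
    claim = {"id": subject, "birthDate": dob.isoformat()}
    return {"claim": claim, "signature": _sig(claim)}


def issue_age_over_credential(subject: str, dob: date, threshold: int,
                              today: date) -> dict:
    """Privacy-preserving form: issuer checks the DOB itself and asserts
    only the predicate; the DOB never leaves the issuer."""
    if years_old(dob, today) < threshold:
        raise ValueError("predicate not satisfied; nothing to issue")
    claim = {"id": subject, "ageOver": threshold}
    return {"claim": claim, "signature": _sig(claim)}


def verify_age_over(credential: dict, threshold: int) -> bool:
    """Verifier side: check the issuer signature, then the predicate.
    Rejects tampered claims and credentials for a lower threshold."""
    claim = credential["claim"]
    if not hmac.compare_digest(_sig(claim), credential["signature"]):
        return False
    return claim.get("ageOver", 0) >= threshold
```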
