- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 10 Jun 2014 12:01:07 -0400
- To: public-webpayments@w3.org
On 06/10/2014 01:22 AM, Tim Holborn wrote:
> Great work!! V.Impressed with the architecture of the solution.

Thanks. :)

> Especially impressed that it’s in GitHub.

We're just open sourcing the code so that others can look at it and understand that we're not trying to squat on the intellectual property. We'll release into the public domain or CC0 soon, we just haven't done it yet due to lack of time to make a pass through all of the source code and label it appropriately.

> I think the device credential (x509v3 cert); perhaps linking to a
> FQDN or other challenge - in addition to the passphrase. else,
> perhaps simply use a combination of credentials depending on the
> device profile.

The linking is done via the identity document rather than in the x509 cert. In fact, we don't use x509 certs because it's overkill - don't need them for this system. You just need to store the public key fingerprint.

> I hope that explains things.

Are you saying: The number of credentials / authentication mechanisms that you use are a function of which device you're using and which website you're trying to authenticate with?

If so, we agree and the Identity Credentials stuff is designed to allow that variability. Doing a $10K transfer from an Internet Cafe should require more credentials/authentication than doing the same transfer from your home computer.

> FUNCTIONAL REQUIREMENTS? - In relation to the ‘Age Verification’ - I
> assume you're looking for a DOB? (therefore inferring the age of the
> person?) or are you getting a Form of AGE Rating Approve / Deny
> Method [2][3]?

No, specifically not looking for a DOB because that leaks information that you don't need to leak. There are basically two types of credentials that could verify that you're over the age of 18 (for example). The first is to transmit your DOB, which not only proves that you're of a certain age, but it also leaks exactly how old you are and when you were born.

The second is to just transmit a credential that states "This person is over the age of 18". The latter doesn't leak your date of birth or exact age and is thus more privacy-protecting than the former.

> - In relation to ‘minors’ (meaning children or others who require a
> financial / medical / power of attorney or guardian); I assume a
> means to link identities is required. Therefore, being able to ‘link
> identities’; for particular purpose.

Yes, required and supported.

> Great work!!! I got my head around it quickly and easily.

Good to hear, one of the things we were worried about was that there were too many concepts in there and that getting them all at once would be difficult, but from what I've read so far, seems like you got it w/o much issue. :)

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
Received on Tuesday, 10 June 2014 15:59:45 UTC