<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, May 15, 2021 at 12:19 AM David Chadwick <<a href="mailto:d.w.chadwick@verifiablecredentials.info">d.w.chadwick@verifiablecredentials.info</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p><br>
</p>
<div>On 14/05/2021 15:54, Nat Sakimura
wrote:</div></div></blockquote><div>[..snip..] </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p> </p>
<blockquote type="cite">
<div dir="ltr">
<div>Additionally, it may contain a Holder identifier.
<br>
</div>
</div>
</blockquote>
<p>How this is performed is currently not standardised. So
let's keep it simple for now and assume that the subject
is the holder.<br>
</p>
</div>
</blockquote>
<div>OK. One reason I tend to try to delineate Holder and the
Subject is that I do think of a Malicious or Compromised
Holder besides PoA etc.</div></div></div></blockquote>
<p>I don't know of any way to determine if the holder's device has
been compromised and whether the RP is talking to the real owner
or to a thief/attacker. FIDO tries to do this with its ceremony,
but that can be broken. Even worse, the RP cannot tell if it is
the real holder with a gun held to his head by an attacker or a
holder freely entering into the relationship with the RP. So, it
is impossible to protect against every conceivable threat. We
should document our assumptions so that people know what the
boundaries of our proposal are, and what is out of scope.<br></p></div></blockquote><div>Agreed. We have to set the expectations at the right level. </div><div>At the same time, I am of the opinion that this information asymmetry is one of the factors that RPs really did not buy into the previous similar schemes, so some kind of trust mechanism needs to be implemented, e.g., hardware and OS assisted remote attestations, over-writable presentations, etc. </div><div><br></div><div>That was one of the reasons why I was interested in the Trust Framework discussion this Thursday, by the way. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><p>
</p>
<p><br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>At a later point in time, Verifier asks for
Verifiable Presentation to the subject through the
Holder. </div>
<div>Holder creates proof with the consent of the
Subject (where is it documented?), <br>
</div>
</div>
</blockquote>
<p>This is not documented in any standard as far as I
know. The W3C standard suggests several ways in which
the relationship between the holder and subject can be
identified, but these are only suggestions.<br>
</p>
</div>
</blockquote>
<div>Hmmm. </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p> </p>
<p>This is why I suggest we keep it simple for now, and
only cater for subject=holder. Once this is documented
to your satisfaction we can move on to the more complex
cases of delegation of authority and power of attorney
(guardianship).<br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div>constructs a VP that includes claims included in
VC and presents it to the Verifier. </div>
<div><br>
</div>
<div>If the subject is OK to be correlated, the story
is simple. However, if the subject wants to remain
pseudonymous or anonymous, it gets complicated. <br>
</div>
</div>
</blockquote>
<p>It is IMPOSSIBLE for the subject to remain 100%
anonymous. The fact that the claims (in most cases)
contain one or more identifying attributes means that
some PII is transferred from the issuer to the verifier.
Pseudonymous is more realistic. Furthermore the issuer
always knows who it has issued the VC to, and this has a
unique serial number.<br>
</p>
</div>
</blockquote>
<div>Re: "IMPOSSIBLE", I suppose you are talking about long
term VC. Am I right? <br>
</div>
</div>
</div>
</blockquote>
<p>No, short-lived as well. Because the issuer always knows who it
has issued the VC to. And the RP knows who the issuer is. So the
RP can ask the Issuer to reveal the holder in cases of abuse. I
believe that even the ZKP anonymous credentials scheme wanted to
(or did) build this into their group signature scheme.</p></div></blockquote><div>Ah, it is the case of CP+RP–U Unlinkability (unlinkability of multiple visits of U to RP even if CP and RP collude) per ISO/IEC 27551. </div><div>That's a good point. By using partially anonymous, partially unlinkable authentication per ISO/IEC 29191, such that the holder and the serial are blinded to the RP and the presentation is signed by a group signature, it may be possible, but that is going to be pretty complicated. If I find time, I might ask my co-editor of ISO/IEC 27551, Pascal Pailler, and the editor of ISO/IEC 29191, Prof. Kazue Sako, about it. </div><div><br></div><div>[..snip..]</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p> </p>
<blockquote type="cite">
<div dir="ltr">
<div>(2) How can Verifier verify the signature on VC?
</div>
</div>
</blockquote>
<p>With JWT the verifier gets the signature on the VC to
verify. So that is easy. The same goes for the VP. <br>
</p>
<p>But that is not the interesting question. It is how can
the verifier prove possession? There are multiple ways
the verifier can independently authenticate the holder
if it needs to, e.g. it can request that its un/pw be in
the VP, it can look at the photo in the VC and compare
it to the face of the person presenting the VP etc. But
this is outside the scope of the W3C standard.<br>
</p>
<p><br>
</p>
</div>
</blockquote>
<div>I see. </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p> </p>
<blockquote type="cite">
<div dir="ltr">
<div>Yes, ZKP etc., but then VC itself should not be
present in the VP. Even the signature itself of VC
will break pseudonymity, not to mention anonymity. <br>
</div>
</div>
</blockquote>
<p>ZKPs only prove that the presenter knows a master
secret and this can be shared between multiple users.<br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div>(3) Also, if there is a one-to-one relationship
between the Holder and Subject, Holder cannot reveal
its persistent identifiers or keys. <br>
</div>
</div>
</blockquote>
<p>This is why our implementation uses ephemeral keys.</p>
</div>
</blockquote>
<div>Got it. One of the reasons I wrote about the delineation
of the subject and the holder is that I was wondering if
Holders can share the identifiers and use group signature to
avoid the linking of the subject through the holder
identification. Has there been any discussion on something
like it? <br>
</div>
</div>
</div>
</blockquote>
<p>I am not that knowledgeable about the various ZKP schemes. You
need to ask a cryptographer.</p></blockquote><div>Got it. I will ask Pascal and Kazue. </div><div><br></div><div>[..snip..]</div><div><br></div><div>Best regards, </div></div><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Nat Sakimura<div>NAT.Consulting LLC</div></div></div></div>