<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 14/05/2021 17:51, Nat Sakimura
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAJcjuELEOXZOXAoxzuPy+2o-HvbDb_QV+gVKaRe2ntSd4ttAEw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Sat, May 15, 2021 at
12:19 AM David Chadwick <<a
href="mailto:d.w.chadwick@verifiablecredentials.info"
moz-do-not-send="true">d.w.chadwick@verifiablecredentials.info</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p><br>
</p>
<div>On 14/05/2021 15:54, Nat Sakimura wrote:</div>
</div>
</blockquote>
<div>[..snip..] </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p> </p>
<blockquote type="cite">
<div dir="ltr">
<div>Additionally, it may contain a Holder
identifier. <br>
</div>
</div>
</blockquote>
<p>How this is performed is currently not
standardised. So lets keep it simple for now
and assume that the subject is the holder.<br>
</p>
</div>
</blockquote>
<div>OK. One reason I tend to try to
delineate Holder and the Subject is that I do
think of a Malicious or Compromised Holder besides
PoA etc.</div>
</div>
</div>
</blockquote>
<p>I don't know of any way to determine if the holder's
device has been compromised and whether the RP is
talking to the real owner or to a thief/attacker. FIDO
tries to do this with its ceremony, but that can be
broken. Even worse, the RP cannot tell if it is the real
holder with a gun held to his head by an attacker or a
holder freely entering into the relationship with the
RP. So, it is impossible to protect against every
conceivable threat. We should document our assumptions
so that people know what the boundaries of our proposal
are, and what is out of scope.<br>
</p>
</div>
</blockquote>
<div>Agreed. We have to set the expectations at the right
level. </div>
<div>At the same time, I am in the opinion that this
information asymmetry is one of the factors that RPs really
did not buy-in into the previous similar schemes so some
kind of trust mechanism needs to be implemented. e.g.,
Hardware and OS assisted remote attestations, over-writable
presentations, etc. </div>
<div><br>
</div>
<div>That was one of the reasons why I was interested in the
Trust Framework discussion this Thursday, by the way. <br>
</div>
</div>
</div>
</blockquote>
<p>But the interesting thing is that the VC model mirrors exactly
what happens in the real world today with plastic cards,
passports, driving licenses etc. So why have all the physical RPs
bought into this model and these credentials are ubiquitous? Is it
that the issuer is also the verifier (like a supermarket loyalty
card), or is it that the RP makes money from the deal (as with
credit card usage) or that the physical credentials are hard to
forge (as with passports) or the physical credential contains the
passport photo of the subject? Or that the trust and liability
model for each is well understood? Maybe its a bit of each.<br>
</p>
<p>Remember that none of these physical credentials are attack
proof. They all have vulnerabilities. So are we trying too hard
with electronic credentials to make them 100% secure when 99% or
less might be more than sufficient for most use cases?</p>
<p>I think COVID-19 "passports" are going to accelerate acceptance
of electronic credentials and people will adapt to them quite
easily and quickly.<br>
</p>
<p>I remember back in the 1990s when the WWW was just starting to
become popular and online shopping was starting up. The detractors
said "you cant trust this, the seller will take your money and not
deliver anything" and a few instances of this did occur. But look
at the world now. Online shopping is huge. Everyone trusts it,
even though you could easily be scammed. I see the same thing
happening with VCs. (but then I am biased :-)<br>
</p>
<p>Kind regards</p>
<p>David<br>
</p>
<blockquote type="cite"
cite="mid:CAJcjuELEOXZOXAoxzuPy+2o-HvbDb_QV+gVKaRe2ntSd4ttAEw@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p> </p>
<p><br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>At a later point in time, Verifier asks
for Verifiable Presentation to the subject
through the Holder. </div>
<div>Holder creates proof with the consent
of the Subject (where is it documented?),
<br>
</div>
</div>
</blockquote>
<p>this is not documented an any standard as far
as I know. The W3C standard suggests several
ways in which the relationship between the
holder and subject can be identified, but
these are only suggestions.<br>
</p>
</div>
</blockquote>
<div>Hmmm. </div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p> </p>
<p>This is why I suggest we keep it simple for
now, and only cater for subject=holder. Once
this is documented to your satisfaction we can
move on to the more complex cases of
delegation of authority and power of attorney
(guardianship).<br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div>constructs a VP that includes claims
included in VC and presents it to the
Verifier. </div>
<div><br>
</div>
<div>If the subject is OK to be correlated,
the story is simple. However, if the
subject wants to remain pseudonymous or
anonymous, it gets complicated. <br>
</div>
</div>
</blockquote>
<p>It is IMPOSSIBLE for the subject to remain
100% anonymous. The fact that the claims (in
most cases) contain one or more identifying
attributes means that some PII is transferred
from the issuer to the verifier. Pseudonymous
is more realistic. Furthermore the issuer
always knows who it has issued the VC to, and
this has a unique serial number.<br>
</p>
</div>
</blockquote>
<div>Re: "IMPOSSIBLE", I suppose you are talking
about long term VC. Am I right? <br>
</div>
</div>
</div>
</blockquote>
<p>No short lived as well. Because the issuer always knows
who it has issued the VC to. And the RP knows who the
issuer is. So the RP can ask the Issuer to reveal the
holder in cases of abuse. I believe that even the ZKP
anonymous credentials scheme wanted to (or did) build
this into their group signature scheme.</p>
</div>
</blockquote>
<div>Ah, it is the case of CP+RP–U Unlinkability
(unlinkability of multiple visits of U to RP even if CP and
RP collude) per ISO/IEC 27551. </div>
<div>That's a good point. By using partially anonymous,
partially unlikable authentication per ISO/IEC 29191, such
that the holder and the serial are blinded to the RP and the
presentation is signed by a group signature, it may be
possible, but that is going to be pretty complicated. If I
find time, I might ask about it to my co-editor of ISO/IEC
27551 Pascal Pailler and the editor of ISO/IEC 29191 Prof.
Kazue Sako. </div>
<div><br>
</div>
<div>[..snip..]</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p> </p>
<blockquote type="cite">
<div dir="ltr">
<div>(2) How can Verifier verify the signature
on VC? </div>
</div>
</blockquote>
<p>With jwt the verifier gets the signature on the
VC to verify. So that is easy. The same goes for
the VP. <br>
</p>
<p>But that is not the interesting question. It is
how can the verifier prove possession?. There
are multiple ways the verifier can independently
authenticate the holder if it needs to e.g. it
can request that its un/pw be in the VP, it can
look at the photo in the VC and compare it to
the face of the person presenting the VP etc.
But this is outside the scope of the W3C
standard.<br>
</p>
<p><br>
</p>
</div>
</blockquote>
<div>I see. </div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p> </p>
<blockquote type="cite">
<div dir="ltr">
<div>Yes, ZKP etc., but then VC itself should
not be present in the VP. Even the signature
itself of VC will break pseudonymity, not to
mention anonymity. <br>
</div>
</div>
</blockquote>
<p>ZKPs only prove that the presenter knows a
master secret and this can be shared between
multiple users.<br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div>(3) Also, if there is a one-to-one
relationship between the Holder and Subject,
Hoder cannot reveal its persistent
identifiers or keys. <br>
</div>
</div>
</blockquote>
<p>this is why our implementation uses ephemeral
keys</p>
</div>
</blockquote>
<div>Got it. One of the reasons I wrote about the
delineation of the subject and the holder is that I
was wondering if Holders can share the identifiers
and use group signature to avoid the linking of the
subject through the holder identification. Has there
been any discussion on something like it? <br>
</div>
</div>
</div>
</blockquote>
<p>I am not that knowledgable about the various ZKP schemes.
You need to ask a cryptographer.</p>
</blockquote>
<div>Got it. I will ask Pascal and Kazue. </div>
<div><br>
</div>
<div>[..snip..]</div>
<div><br>
</div>
<div>Best regards, </div>
</div>
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">Nat Sakimura
<div>NAT.Consulting LLC</div>
</div>
</div>
</div>
</blockquote>
</body>
</html>