[Openid-specs-digital-credentials-protocols] Security and Trust document
torsten at lodderstedt.net
torsten at lodderstedt.net
Tue Sep 26 14:11:35 UTC 2023
Hi Jo,
will you be attending IIW? I’m asking since there will be live demos of OID4VC implementations.
> > > The beauty of the W3C-based decentralised identity model is that credentials can be shared from different issuers in a combined presentation from the same endpoint without that correlation.
I agree. OpenID4VC was designed for this model. It differentiates to interfaces: issuer to wallet (OpenID 4 Verifiable Credential Issuance/OID4VCI) and wallet to verifier (OpenID 4 Verifiable Presentations/OID4VP).
So a holder requests and receives credentials via OID4VCI and stores them in her wallet.
A verifier requests and receives one or more credential presentations via OID4VP. The issuer is not involved into the presentation process.
Both protocols are credential format agnostic, so they can be used in conjunction with any credential format. It is even possible to combine credential presentations in different formats in the same response.
There are profiles/examples for W3C VC, SD-JWT VC, ISO mdoc, SD-JWT VC.
You may want to take a look onto one of our latest decks https://www.slideshare.net/TorstenLodderstedt/openid-4-verifiable-credentials-haip-update.
best regards,
Torsten.
Torsten.
Am 21. Sept. 2023, 11:44 +0200 schrieb Jo Spencer <jo at sezoo.digital>:
> Hi Torsten,
>
> Just to be clear. I'm not an OIDC4VP expert. I'm keen for anyone who is to demonstrate how it would cater to these capabilities.
>
> Cheers, Jo
>
> Jo Spencer
> Co-Founder | Digital Trust Evangelist | Sezoo
> Partner | Payments | Banking | Architecture | 460degrees
>
> M: +61 (0) 433 774 729
> E: jo at sezoo.digital
> L: https://www.linkedin.com/in/jospencer-1pg/
> T: https://twitter.com/spencerjed
>
> Sezoo acknowledges the Traditional Owners of the country throughout Australia and their continuing connection to land, sea and community. We pay our respects to them, their cultures and to Elders past, present and emerging.
>
>
>
> > On Thu, 21 Sept 2023 at 19:38, <torsten at lodderstedt.net> wrote:
> > > Hi Jo,
> > > Am 19. Sept. 2023, 18:45 +0200 schrieb Jo Spencer via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net>:
> > > > Hi Joseph,
> > > >
> > > > You're quite right, a protocol is just that, a protocol. The challenge that protocol only mechanisms have is that they can struggle to represent data from third parties as part of the protocol without endpoint / identity correlation. The beauty of the W3C-based decentralised identity model is that credentials can be shared from different issuers in a combined presentation from the same endpoint without that correlation. With guardianship or delegated scenarios, this is particularly important.
> > >
> > > I fail to understand why this is not possible with OID4VC. That’s exactly what OID4VC was designed for. Can you please describe why that shouldn’t work?
> > >
> > > thanks,
> > > Torsten.
> > >
> > > >
> > > > My challenge to the OpenID protocols is to demonstrate how the same features of truly decentralised (Autonomic IDentifier (AID) based) interaction protocols could be incorporated. If you want to know more about AIDs and non-correlatable protocols, you could have a look at KERI - https://keri.one/keri-resources/.
> > > >
> > > > Cheers, Jo
> > > >
> > > > Jo Spencer
> > > > Co-Founder | Digital Trust Evangelist | Sezoo
> > > > Partner | Payments | Banking | Architecture | 460degrees
> > > >
> > > > M: +61 (0) 433 774 729
> > > > E: jo at sezoo.digital
> > > > L: https://www.linkedin.com/in/jospencer-1pg/
> > > > T: https://twitter.com/spencerjed
> > > >
> > > > Sezoo acknowledges the Traditional Owners of the country throughout Australia and their continuing connection to land, sea and community. We pay our respects to them, their cultures and to Elders past, present and emerging.
> > > >
> > > >
> > > >
> > > > > On Wed, 20 Sept 2023 at 00:44, Joseph Heenan <joseph at authlete.com> wrote:
> > > > > > Hi Jo
> > > > > >
> > > > > > Thanks for sharing all these documents. I’ve done by best to read them but may have missed things.
> > > > > >
> > > > > > For clarity, the OpenID for Verifiable Presentations and OpenID for Verifiable Credential Issuance only define the protocol mechanisms for transferring credentials from an issuer to a wallet and from a wallet to a verifier. They do not concern themselves with contents or format of the digital credential.
> > > > > >
> > > > > > Further up the thread we identified some terminology that could be cleaned up to make things clearer.
> > > > > >
> > > > > > Other than that, it is not clear to me what more the two protocols named above could do. If you have a concrete case where these protocols don’t allow sufficient information to be transferred from the wallet to the issuer or from the wallet to the verifier it would be helpful if you could share that please.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > Joseph
> > > > > >
> > > > > >
> > > > > > > On 17 Sep 2023, at 12:23, Jo Spencer via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
> > > > > > >
> > > > > > > Hi Tom and Team,
> > > > > > >
> > > > > > > I think you're spot on, Tom. "Guardianship" is a topic that John Phillips and I [Sezoo, based in Melbourne, Australia] have been working on, within the W3C VC-based environment for some time. The W3C VC data model caters to the subject and holder being different, very well.
> > > > > > >
> > > > > > > It's been a particular "passion" capability of ours that digital interactions can forget (probably because it's typically quite complex for 2-party digital interactions). We believe that delegation or guardianship is a critical feature of a trusted interaction mechanism (and protocol), and has to be standardised. Whilst we focused on guardianship, delegation, support or ownership are similar relationship based considerations that should also be able to be supported in a consistent model.
> > > > > > >
> > > > > > > Our work and experience on providing verifiable evidence of guardianship rights and duties and supported access to online content started in 2019 when John and I were co-chairs on the Sovrin Guardianship Working Group for the development of an Implementation Guide and Requirements document for Guardianship using W3C Verifiable Credentials. The results published in 2021 can be found here:
> > > > > > >
> > > > > > > Implementation Guide: https://drive.google.com/file/d/1vBePVx8n3MRDWcePkwVDya9ab4BHEyU_/view?usp=sharing
> > > > > > > Technical Requirements: https://drive.google.com/file/d/1M21PznPAd0H6z1t4ODl-jiEoXZjEhwcb/view?usp=sharing
> > > > > > >
> > > > > > > These links and the introduction/explanation can be found here: https://sovrin.org/a-deeper-understanding-of-implementing-guardianship/
> > > > > > >
> > > > > > > As a part of these initiatives, a mental model for guardianship was developed with collaboration with TNO in NL and published under the ESSIFLabs initiative: https://essif-lab.github.io/framework/docs/terms/pattern-guardianship/.
> > > > > > >
> > > > > > > More recently, we've supported the update of the Sovrin Whitepaper on Guardianship - https://sovrin.org/wp-content/uploads/Guardianship-Whitepaper-V2.0.pdf - which may be a very good starting document for those that are interested.
> > > > > > >
> > > > > > > We developed a Guardianship addendum for the Good Health Pass Collaborative Blueprint which considered the challenges of supported travel, made more important during the Covid pandemic. The realisation during that activity was that guardianship and supported mechanisms are often informal and based on social expectations, rather than digital credentials. Enabling supported scenarios using digital credentials into the whole process of travel was a significant challenge and probably more than the GHPC could influence.
> > > > > > >
> > > > > > > John Phillips and I have published a number of further papers and work on this topic, all of which are available on our website (https://www.sezoo.digital/resources/) and our LinkedIn profiles (https://www.linkedin.com/in/11dot2/recent-activity/articles/ and https://www.linkedin.com/in/jospencer-1pg/recent-activity/articles/)
> > > > > > >
> > > > > > > It's critical that any interaction protocol supports delegation, support or guardianship and clearly articulates the difference between the Holder and Subject. Impersonation has to be avoided as this is the antithesis of trusted digital interactions. The combined presentation of credentials from multiple sources (e.g. a guardianship VC from a government entity and other credentials from other service providers) would appear to be central to these types of solutions. We too have been concerned that the OIDC4VP protocols are deficient in this, but we'd be keen to learn more from those who are closer to the details. But we are very keen to promote these considerations in solution design activities.
> > > > > > >
> > > > > > > Of course, I'd be happy to talk about this topic in the group (if this can be possible in an Australian-friendly timeslot), or directly.
> > > > > > >
> > > > > > > Cheers, Jo
> > > > > > > Jo Spencer
> > > > > > > Co-Founder | Digital Trust Evangelist | Sezoo
> > > > > > > Partner | Payments | Banking | Architecture | 460degrees
> > > > > > >
> > > > > > > M: +61 (0) 433 774 729
> > > > > > > E: jo at sezoo.digital
> > > > > > > L: https://www.linkedin.com/in/jospencer-1pg/
> > > > > > > T: https://twitter.com/spencerjed
> > > > > > >
> > > > > > > Sezoo acknowledges the Traditional Owners of the country throughout Australia and their continuing connection to land, sea and community. We pay our respects to them, their cultures and to Elders past, present and emerging.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > On Fri, 15 Sept 2023 at 04:38, Tom Jones via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
> > > > > > > > >
> > > > > > > > > All parties communicate with each other using a set of protocols, or just "protocol" in the following. In the case of OpenID4VP, the protocols are OpenID for Verifiable Credential Issuance [@!OpenID.VCI] and OpenID for Verifiable Presentations [@!OpenID.VP], with an optional use of SIOP v2 [@!OpenID.SIOPv2].
> > > > > > > > > thx ..Tom (mobile)
> > > > > > > > >
> > > > > > > > > > On Thu, Sep 14, 2023, 4:17 AM David Chadwick <d.w.chadwick at truetrust.co.uk> wrote:
> > > > > > > > > > > Hi Tom
> > > > > > > > > > > if you read my proposed text I think it caters for the use cases you are suggesting. If it does not, can you say why not please
> > > > > > > > > > > thanks
> > > > > > > > > > > David
> > > > > > > > > > > On 14/09/2023 05:35, Tom Jones wrote:
> > > > > > > > > > > > you guys are missing the point - i guess i was not clear.
> > > > > > > > > > > >
> > > > > > > > > > > > The current CBP-ONE app is used at the border of the US to schedule sessions to acquire asylum. Similarly the child trying to get access to the US may need creds. These children are the subjects of credential. They do not hold smartphones which are held by (for example) their father as guardian. In the US 51 million people do not have smart phones but may need digital creds for one reason or another. I suspect that in many countries the numbers are even more dire.
> > > > > > > > > > > >
> > > > > > > > > > > > If the wallet cannot handle the case where the subject is not the holder, then it should not be considered adequate to hold government creds because of the many eligible people \who cannot be accommodated.
> > > > > > > > > > > >
> > > > > > > > > > > > Somehow this spec (and the rest of the VC specs) needs to address the problem where the holder and the subject are not the same person.
> > > > > > > > > > > >
> > > > > > > > > > > > ..tom
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > > On Wed, Sep 13, 2023 at 3:32 AM David Chadwick via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On 12/09/2023 20:53, Joseph Heenan via Openid-specs-digital-credentials-protocols wrote:
> > > > > > > > > > > > > > > Hi Tom
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Focussing on this particular document, is your concern resolved if sentences like this:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > "Identity of Holder: A Verifier can trust that the party presenting the claims in a session with the Verifier is (controlled by) the subject of the claims.”
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > (From https://github.com/vcstuff/oid4vc-security-and-trust/blob/main/draft-oid4vc-security-and-trust.md#trust-in-the-issuer-holder-verifier-model)
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > are replaced with something like this:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > "Identity of Holder: A Verifier can trust that the party presenting the claims in a session with the Verifier is (controlled by) the party that the credential was intended to be issued to.”
> > > > > > > > > > > > > > I don't think the above is precise enough, since the credential could have been passed from the first holder to the second holder and then to the verifier. Therefore I propose
> > > > > > > > > > > > > > "Identity of Holder: A Verifier can trust that the party presenting the claims in a session with the Verifier is the party who is authorised to hold the credential (from the Verifier's perspective).”
> > > > > > > > > > > > > > The text in parentheses is important for at least the following reasons
> > > > > > > > > > > > > > a) the credential could be a bearer credential
> > > > > > > > > > > > > > b) the verifier may be willing to completely ignore who the issuer intended the credential to be presented by and therefore will allow anyone to present it, e.g. because the verifier gains a benefit from entering into a session with the holder.
> > > > > > > > > > > > > > We have real life examples the above in the physical world.
> > > > > > > > > > > > > > Kind regards
> > > > > > > > > > > > > > David
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > ?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Thanks
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Joseph
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On 12 Sep 2023, at 16:06, Tom Jones via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > One major problem with the OAuth model and this contribution is the conflation of the subject and the holder.
> > > > > > > > > > > > > > > > To be inclusive these two roles may be entirely different entities.
> > > > > > > > > > > > > > > > It seems to be that this conflation must be excised if OAuth is to be acceptected as the digital credential model to be used for government supplied rights and privileges.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > ..tom
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > On Mon, Sep 11, 2023 at 8:14 AM Daniel Fett via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
> > > > > > > > > > > > > > > > > > Hi all,
> > > > > > > > > > > > > > > > > > I'd like to contribute the "Security and Trust" document to the DCP WG: https://github.com/vcstuff/oid4vc-security-and-trust
> > > > > > > > > > > > > > > > > > It has been discussed earlier, but had no official status so far.
> > > > > > > > > > > > > > > > > > -Daniel
> > > > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > > > Openid-specs-digital-credentials-protocols mailing list
> > > > > > > > > > > > > > > > > > Openid-specs-digital-credentials-protocols at lists.openid.net
> > > > > > > > > > > > > > > > > > https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols
> > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > Openid-specs-digital-credentials-protocols mailing list
> > > > > > > > > > > > > > > > Openid-specs-digital-credentials-protocols at lists.openid.net
> > > > > > > > > > > > > > > > https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Openid-specs-digital-credentials-protocols mailing list
> > > > > > > > > > > > > > Openid-specs-digital-credentials-protocols at lists.openid.net
> > > > > > > > > > > > > > https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols
> > > > > > > > > --
> > > > > > > > > Openid-specs-digital-credentials-protocols mailing list
> > > > > > > > > Openid-specs-digital-credentials-protocols at lists.openid.net
> > > > > > > > > https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols
> > > > > > > --
> > > > > > > Openid-specs-digital-credentials-protocols mailing list
> > > > > > > Openid-specs-digital-credentials-protocols at lists.openid.net
> > > > > > > https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols
> > > > > >
> > > > --
> > > > Openid-specs-digital-credentials-protocols mailing list
> > > > Openid-specs-digital-credentials-protocols at lists.openid.net
> > > > https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/attachments/20230926/f08228ea/attachment-0001.html>
More information about the Openid-specs-digital-credentials-protocols
mailing list