The link between biometrics and VCs should be clarified for privacy and human rights reasons

[agropper]

There are currently four open issues that relate to VCs with humans as a subject. They are:

1. Can SSI avoid linking control with possession? #195
2. update normative statements in ZKP section w3c/vc-data-model#818
3. Explicit reference should be added about binding the VC to the holder w3c/vc-data-model#789
4. https://github.com/decentralized-identity/waci-presentation-exchange/discussions/96

VC Cases:

1. The VC includes a biometric

• no wallet or other holder is normatively involved

2. The VC includes an ID in a contemporaneous (at issue and verification) check of a biometric credential

• no wallet or other holder is normatively involved

3. The VC is stored in a “certified” wallet with secure element

• Issuers and Verifiers validate the certificate before dealing with the VC
• The wallet displays a local biometric and securely signs a nonce to be verified along with the biometric
• The use of the VC is then physically tied to a particular biometric-enabled certified ankle bracelet or chip

4. The VC includes a link to a centralized biometric database.

• No wallet or other holder is normatively involved because issuers and verifiers check the database

11. The VC has a human subject but no biometric or link to biometric

• There is no way to prevent a controller of the VC from sharing their private key to enable a fraudulent presentation.

5. The VC does not have a human subject

• Biometrics are irrelevant and holders are a matter of chain-of-custody for the VC.

Are there cases other than the five above? (or rewording to improve the five cases)

How should biometrics in and around VCs be considered in our various workgroups?

[vsnt]

@agropper I'd like to suggest you open a work item and write a community report that enumerates your concerns on this topic. The community can then discuss/respond/publish it and reference for future concerns.

[agropper]

My medium-long comment on a VC data model issue focuses on biometrics and VCs: w3c/vc-data-model#831 (comment) It focuses on privacy rather than human rights but I think it's a good start to our conversation by defining a few terms.

I'm not clear on what it means to open a work item. Maybe we can use this thread as a kind of charter discussion for anyone that's interested in this topic.

[agropper]

Adding this note as a way of tracking the relationship to closed #195 (comment).

These issues are set related to the discussions of mitigating human rights risks of standardized digital credentials here w3c/vc-data-model#831
here https://lists.w3.org/Archives/Public/public-credentials/2022Jan/0068.html
and here https://lists.w3.org/Archives/Public/public-credentials/2022Jan/0013.html

[vsnt]

Adrian, I'd like to close this issue as well. The community appreciates your concern in this area, but we need a clear focused work item proposed with a specific category of deliverable. I invite you to review the Work Item Process for an overview of the requirements: https://w3c-ccg.github.io/workitem-process/

I am happy to go over the process with you if you need any assistance. Thank you!

[agropper]

The other co-chair suggested this as well and I have reached out publicly https://lists.w3.org/Archives/Public/public-credentials/2022Jan/0101.html and privately for co-collaborators. - Adrian

…

On Thu, Jan 13, 2022 at 4:08 PM vsnt ***@***.***> wrote: Adrian, I'd like to close this issue as well. The community appreciates your concern in this area, but we need a clear focused work item proposed with a specific category of deliverable. I invite you to review the Work Item Process for an overview of the requirements: https://w3c-ccg.github.io/workitem-process/ I am happy to go over the process with you if you need any assistance. Thank you! — Reply to this email directly, view it on GitHub <#211 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABB4YLEF76M6UZNDI2AEDLUV45MJANCNFSM5EBFQQWQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>