Holder-Binding: Needs Privacy & Correlation, Centralization/Lock-in Considerations #988
Comments
|
There's nothing wrong with parties that want to create centralization. There is nothing that says it has to be decentralized we should make this work for both without privacy concerns.
Get Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Christopher Allen ***@***.***>
Sent: Wednesday, November 30, 2022 9:04:22 AM
To: w3c/vc-data-model ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [w3c/vc-data-model] Holder-Binding: Needs Privacy & Correlation, Centralization/Lock-in Considerations (Issue #988)
I have a concern that some proposed holder-binding approaches may have unanticipated privacy & correlation issues and also that holder-binding may be an entree for parties to create centralization or lock-in, or worse, create human-rights issues.
I'd like to see any proposal for holder-binding to offer, in a clear and separate section, how their proposal addresses these concerns.
—
Reply to this email directly, view it on GitHub<#988>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AB4R4YZPM2KNSBS3HJ6RDT3WK6CJNANCNFSM6AAAAAASP3LHWQ>.
You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
On the contrary, VCs were designed for decentralized use cases precisely because there are plenty of ways to solve these problems for centralized use cases and NONE that address the needs in a decentralized manner. It's trivial for a central player to define their own format, schema, and semantics. That's what big players do. That is a different problem than what we are here for. The work of VCs is to provide a way to verify attestations without dependence on a trusted mediator, including overreliance on the issuer for anything other than checking to see if a VC remains in good standing, and even for that, we have designed solutions that specifically avoid the phone home problem common to centralized architectures. So, I refute categorically that centralized solutions have any merit for driving the design decisions of this work. More pragmatically, if it works in a decentralized manner, it can ALWAYS work for centralized players. So "centralized" players can use decentralized technology, but the inverse is not always true. People who need decentralized solutions cannot rely on centralized parties like IANA and the ITU and Facebook because for their use cases, such reliance would undermine the entire point of the innovation. If you want to build centralized solutions with decentralized tech, go for it. If you want to innovate to build centralized tech with similar properties, go for it. Somewhere else. If you want to argue that a decentralized solution should adjust its design to better satisfy centralized players, please don't. That's not what this work is about. |
|
* If you want to argue that a decentralized solution should adjust its design to better satisfy centralized players, please don't. That's not what this work is about.
WOW, This WG is open to all that meet the W3C requirements for joining, the WG can work on anything within the charters scope and what the WG agrees to do. There is nothing in the charter that says what we work on must be decentralized, I realize that may be what you want.
From: Joe Andrieu ***@***.***>
Sent: Wednesday, November 30, 2022 5:46 PM
To: w3c/vc-data-model ***@***.***>
Cc: Anthony Nadalin ***@***.***>; Comment ***@***.***>
Subject: Re: [w3c/vc-data-model] Holder-Binding: Needs Privacy & Correlation, Centralization/Lock-in Considerations (Issue #988)
There's nothing wrong with parties that want to create centralization. There is nothing that says it has to be decentralized we should make this work for both without privacy concerns.
On the contrary, VCs were designed for decentralized use cases precisely because there are plenty of ways to solve these problems for centralized use cases and NONE that address the needs in a decentralized manner. It's trivial for a central player to define their own format, schema, and semantics. That's what big players do. That is a different problem than what we are here for.
The work of VCs is to provide a way to verify attestations without dependence on a trusted mediator, including overreliance on the issuer for anything other than checking to see if a VC remains in good standing, and even for that, we have designed solutions that specifically avoid the phone home problem common to centralized architectures.
So, I refute categorically that centralized solutions have any merit for driving the design decisions of this work.
More pragmatically, if it works in a decentralized manner, it can ALWAYS work for centralized players. So "centralized" players can use decentralized technology, but the inverse is not always true. People who need decentralized solutions cannot rely on centralized parties like IANA and the ITU and Facebook because for their use cases, such reliance would undermine the entire point of the innovation.
If you want to build centralized solutions with decentralized tech, go for it.
If you want to argue that a decentralized solution should adjust its design to better satisfy centralized players, please don't. That's not what this work is about.
—
Reply to this email directly, view it on GitHub <#988 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB4R4Y3OKA7SNJMCLLMZ2CLWK77PLANCNFSM6AAAAAASP3LHWQ> .
You are receiving this because you commented. <https://github.com/notifications/beacon/AB4R4Y4I7UV47O2P43K65WLWK77PLA5CNFSM6AAAAAASP3LHWSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTSPOR4U2.gif> Message ID: ***@***.*** ***@***.***> >
|
|
So I see @ChristopherA suggestion as a fair concern. I assume we are all pointing to the holder binding work that is proposed by @awoie and that group? Including me to just put that on the table If so, all I read into @ChristopherA proposal is basically that: When someone creates a holder binding type, the document standard for that type have to adress these parameters, so it is clear for everyone, that using this holder binding type will need centralized ways of doing things. Basically that the standard to that says you can build whatever type you want also states that you need to input this information into the type document. If this is not related to the holder binding work I earlier mentioned, then have a quick look at the presentation: https://docs.google.com/presentation/d/1k88h_41dcAdstXMzvfN7OR-mVbSUVbrp7FMnt3LqHok/edit#slide=id.p to see what I mean with types. Paper coming soon :D @awoie, anything we can release early? |
|
Verifiable Credentials have been designed to handle decentralized use cases from the start. I suspect nearly everyone who worked on them in the first WG thought this was self-evident and understood it to be a major driving purpose behind the work. Of course, this does not preclude centralized use cases, given the asymmetry of the two organizational methods. As @jandrieu said, decentralized solutions can work for centralized use cases, but the same is not always true in reverse. So, you're right that centralized use cases are certainly welcome, but where there is conflict, the design prioritizes decentralization because of this asymmetry. |
|
Sorry but the charter and working group set the priority not whether something is centralized or decentralized.
Get Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Dave Longley ***@***.***>
Sent: Thursday, December 1, 2022 10:06:33 AM
To: w3c/vc-data-model ***@***.***>
Cc: Anthony Nadalin ***@***.***>; Mention ***@***.***>
Subject: Re: [w3c/vc-data-model] Holder-Binding: Needs Privacy & Correlation, Centralization/Lock-in Considerations (Issue #988)
@nadalin<https://github.com/nadalin>,
Verifiable Credentials have been designed to handle decentralized use cases from the start. I suspect nearly everyone who worked on them in the first WG thought this was self-evident and understood it to be a major driving purpose behind the work.
Of course, this does not preclude centralized use cases, given the asymmetry of the two organizational methods. As @jandrieu<https://github.com/jandrieu> said, decentralized solutions can work for centralized use cases, but the same is not always true in reverse. So, you're right that centralized use cases are certainly welcome, but where there is conflict, the design prioritizes decentralization because of this asymmetry.
—
Reply to this email directly, view it on GitHub<#988 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AB4R4Y4MWSHP3DCJOHGUQ4DWLDSKTANCNFSM6AAAAAASP3LHWQ>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Yes, the WG is open as you say, and yes, it can work on anything the WG decides, within the scope of the charter. So let's talk about the charter, starting with the opening statement on scope:
So let's talk about that experience, which at a minimum includes the VC 1.1 specification itself. From the abstract:
It is well understood by those of us who contributed to that specification that cryptographic security and respecting privacy is achieve through decentralization. Rather than rely on a centralized authority, who might use a verification protocol to surveil the use of credentials by users, refuse certain cryptography, and restrict or prevent the use or verification, VCs use cryptography to verify authenticity without phoning home and completely under the control of the user. Note also several of the innately decentralizing ecosystem characteristics distilled from the VC Use Cases document and presented directly in the specification itself:
And that's just from the core spec itself. What is contrary to the charter is willfully ignoring the experience gained through implementation, deployment and usage of Verifiable Credentials (VCs). As is intentionally undermining user-control, open-world cryptographic verification, and decentralization, rather than "extend[ing] Verifiable Credential foundations". You don't get to show up and claim the prior work doesn't exist, nor that it was created for different purposes than it was. There is ample evidence of exactly what that experience has been and what those foundations are. Since you were an active commenter on the last spec prior to publication, I have to accept that you understand VCs and how they work. As such, your comments are disingenuous at best and willfully disrespectful and unethical at worst. As such, I'll happily contextualize any assertions you make that, in fact, ignore that experience, such as your insistence that VCs are not inherently decentralized. They are. They were designed to be that way. Until and unless you can convince a consensus of this Working Group otherwise, they will continue to be defined that way. |
|
Still nothing about decentralization in the charter, I realize that is what you want but its not there.
From: Joe Andrieu ***@***.***>
Sent: Monday, December 5, 2022 4:09 PM
To: w3c/vc-data-model ***@***.***>
Cc: Anthony Nadalin ***@***.***>; Mention ***@***.***>
Subject: Re: [w3c/vc-data-model] Holder-Binding: Needs Privacy & Correlation, Centralization/Lock-in Considerations (Issue #988)
* If you want to argue that a decentralized solution should adjust its design to better satisfy centralized players, please don't. That's not what this work is about.
WOW, This WG is open to all that meet the W3C requirements for joining, the WG can work on anything within the charters scope and what the WG agrees to do. There is nothing in the charter that says what we work on must be decentralized, I realize that may be what you want.
Yes, the WG is open as you say, and yes, it can work on anything the WG decides, within the scope of the charter.
So let's talk about the charter, starting with the opening statement on scope:
Building on the experience gained through implementation, deployment and usage of Verifiable Credentials (VCs), this Working Group will extend Verifiable Credential foundations with new standardized technologies to improve the use of this technology on the Web.
So let's talk about that experience, which at a minimum includes the VC 1.1 specification itself.
From the abstract:
This specification provides a mechanism to express these sorts of credentials <https://www.w3.org/TR/vc-data-model/#dfn-credential> on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable.
It is well understood by those of us who contributed to that specification that cryptographic security and respecting privacy is achieve through decentralization. Rather than rely on a centralized authority, who might use a verification protocol to surveil the use of credentials by users, cryptography and restrict or prevent the use or verification, VCs use cryptography to verify authenticity without phoning home and completely under the control of the user.
Note also several of the innately decentralizing ecosystem characteristics distilled from the VC Use Cases document:
1. Issuers can issue verifiable credentials about any subject.
2. Acting as issuer, holder, or verifier requires neither registration nor approval by any authority, as the trust involved is bilateral between parties.
3. Verifiable presentations allow any verifier to verify the authenticity of verifiable credentials from any issuer.
4. Holders can receive verifiable credentials from anyone.
5. Holders can interact with any issuer and any verifier through any user agent.
6. Holders can share verifiable presentations, which can then be verified without revealing the identity of the verifier to the issuer.
7. Holders can store verifiable credentials in any location, without affecting their verifiability and without the issuer knowing anything about where they are stored or when they are accessed.
8. Holders can present verifiable presentations to any verifier without affecting authenticity of the claims and without revealing that action to the issuer.
9. A verifier can verify verifiable presentations from any holder, containing proofs of claims from any issuer.
10. Verification should not depend on direct interactions between issuers and verifiers.
11. Verification should not reveal the identity of the verifier to any issuer.
12. The specification must provide a means for issuers to issue verifiable credentials that support selective disclosure, without requiring all conformant software to support that feature.
13. The data model and serialization must be extendable with minimal coordination.
14. Revocation by the issuer should not reveal any identifying information about the subject, the holder, the specific verifiable credential, or the verifier.
And that's just from the core spec itself.
What is contrary to the charter is willfully ignoring the experience gained through implementation, deployment and usage of Verifiable Credentials (VCs). As is intentionally undermining user-control, open-world cryptographic verification, and decentralization, rather than "extend[ing] Verifiable Credential foundations". You don't get to show up and claim the prior work doesn't exist, nor that it was created for different purposes than it was. There is ample evidence of exactly what that experience has been and what those foundations are.
Since you were an active commenter on the last spec prior to publication, I have to accept that you understand VCs and how they work. As such, your comments are disingenuous at best and willfully disrespectful and unethical at worst.
As such, I'll happily contextualize any assertions you make that, in fact, ignore that experience, such as your insistence that VCs are not inherently decentralized. They are. They were designed to be that way. Until and unless you can convince a consensus of this Working Group otherwise, they will continue to be defined that way.
—
Reply to this email directly, view it on GitHub <#988 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB4R4Y4TCG76UBRPU4RC77DWLZ73BANCNFSM6AAAAAASP3LHWQ> .
You are receiving this because you were mentioned. <https://github.com/notifications/beacon/AB4R4Y3KDRLYA5XRO6U2PYTWLZ73BA5CNFSM6AAAAAASP3LHWSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTSPY2NWI.gif> Message ID: ***@***.*** ***@***.***> >
|
Now you're just being obtuse. |
|
Sorry but what you hav pointed out your interpretation not what's in the charter please point to the charter where it says we work only on decentralization
Get Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Joe Andrieu ***@***.***>
Sent: Tuesday, December 6, 2022 12:45:27 PM
To: w3c/vc-data-model ***@***.***>
Cc: Anthony Nadalin ***@***.***>; Mention ***@***.***>
Subject: Re: [w3c/vc-data-model] Holder-Binding: Needs Privacy & Correlation, Centralization/Lock-in Considerations (Issue #988)
Still nothing about decentralization in the charter, I realize that is what you want but its not there.
Now you're just being obtuse.
—
Reply to this email directly, view it on GitHub<#988 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AB4R4Y4P4YIOP7IFJ55WQWDWL2SEPANCNFSM6AAAAAASP3LHWQ>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
I quoted exactly where the charter explicitly defines the scope of work as building on experience to date. Then I quoted language directly from the specification that clarifies not just the experience to date, but the consensus of the group doing this work. Together, that explains why I find your assertion that "There is nothing that says it has to be decentralized." to be not only in error, but intentionally disingenuous. The entire work to date has been to make VCs that do not depend on overcentralization. The whole point has been to be decentralized. You can see that if you actually take the time to review the experience to date, as captured in the publications of the Working Group itself. You may call that "my interpretation", but I stand by it as a representation of the actual consensus of this working group based on its own publications. Your comment doesn't represent anything except your personal opinion. |
|
@nadalin — Please take the extra minute on each email response you send to issues on GitHub, and edit the quoted material to which you are responding down to the bare essentials (which might be as few as zero lines) needed to understand your response. It helps NO-ONE, least of all you, to post a one-line reply to a hundred-line comment and include that entire hundred-line comment in your own reply message. TOFU ("text over, fullquote under") posting makes no sense when the entire thread, including the comment to which you're replying, is available up-window. This is not quite so bad when GitHub collapses that quoted material — so it's only visible if we click the button — but GitHub is not perfect at this collapse, as you can observe in this issue at #988 (comment) and #988 (comment). There are numerous examples in other issues and PRs. |
Operationally, are you saying that the usual privacy & security considerations sections are inadequate to the extension-registry spec or are you asking for a separate section in the VC2 spec itself? In either case, I haven't been contributing thus far to the RWOT group but I do feel strongly that this pattern is worth specifying (in large part because it will still happen if we don't specify it, and in a more footgunny way). I would gladly volunteer to help write and/or edit those clear and separate sections when the time comes as the other participants see fit. |
|
@bumblefudge We discussed this today. Are you still interested in writing something up? |
|
The issue was discussed in a meeting on 2023-04-04
View the transcript1.1. Holder-Binding: Needs Privacy & Correlation, Centralization/Lock-in Considerations (issue vc-data-model#988)See github issue vc-data-model#988. Kristina Yasuda: This is about holder binding and correlation.. |
|
We should say that the holder/subject should be able to satisfy the holder binding to prevent potential human rights and centralization issues. Basically, that there is a risk that issuers add holder binding methods that the holder/subject cannot satisfy by themselves. We should also say that in the same way as with other claims about the subject, issuers have to be very careful with correlation risks and should be guided to use non-correlatable information in the claims they make about the subject if possible. @ChristopherA is there anything that you want to specifically call out in the privacy considerations section? PR #1054 already says that verifiers don't have to use holder binding (or confirmation method) and can use any other claims from the VC instead to gain more confidence that the intended holder is on the other end of the transaction. @ChristopherA Does that work for you, or do want something more specific to be included in the text? IMO, if @ChristopherA is fine with the above, we can start a draft a PR that adds language to the privacy considerations section @bumblefudge if you want to help and then we can merge that PR once PR #1054 gets merged. |
|
put me in, coach! I think waiting for #1054 to be finalized and merged would make it a lot simpler, if that's ok with the group |
|
IMO, holder binding can also improve privacy by preventing unauthorized usage of the digital identity that is represented by the verifiable credential but obviously there is also risks related to privacy that have to be described. |
|
This issue is blocked by the holder binding discussion. |
|
With the direction that the group has elected to go (reserving Marking as |
|
No objections raised to closing since marked |
I have a concern that some proposed holder-binding approaches may have unanticipated privacy & correlation issues and also that holder-binding may be an entree for parties to create centralization or lock-in, or worse, create human-rights issues.
I'd like to see any proposal for holder-binding to offer, in a clear and separate section, how their proposal addresses these concerns.
The text was updated successfully, but these errors were encountered: