Here's an attempt to write up comments to submit on this charter. I'm not sure I understood ekr's reply to mt, though. So corrections and clarifications are certainly welcome.
Sorry for the delay circling back to this. -David We don't think the W3C should be putting resources behind standardization of verifiable claims. We're not convinced of either sufficient demand for this or sufficient incubation of the technology. However, based on the proposed architecture at https://w3c.github.io/webpayments-ig/VCTF/architecture/ , linked from the charter, we're very concerned about the privacy properties of this work if the W3C were to proceed with it. This architecture appears to propose a system in which verification of claims leaks substantial information about a user. For example, presenting a credential that is tied to an identity of a user allows for tracking of that identity across sites, which the user may not want. Or if, for example, a site accepts claims from various government authorities for proof of a user's age, then presentation of a claim of age from the California DMV would provide the data that the user lives in California, even if that was not the information requested or needed. There has been substantial work on using cryptography to allow proof of specific claims without leaking information, such as https://www.microsoft.com/en-us/research/project/u-prove/ . However, this effort seems to ignore that work and instead propose a design with much worse privacy properties. If the W3C were to pursue this work, we think it would be best to pursue a system with strong privacy properties such as this one. However, if that is not done, we would be particularly opposed to a system that ties claims to a single identity for the user, which would be most prone to unsanctioned tracking. However, even transitory and pseudonomous identifiers can leak substantial information, contrary to the expectations of the user (in the proposed architecture, the Holder), particularly if some or all of the Issuer, Identifier Registry, and Inspector cooperate to track the Holder. -- 𝄞 L. David Baron http://dbaron.org/ 𝄂 𝄢 Mozilla https://www.mozilla.org/ 𝄂 Before I built a wall I'd ask to know What I was walling in or walling out, And to whom I was like to give offense. - Robert Frost, Mending Wall (1914)
signature.asc
Description: PGP signature
_______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
