So when you guys talk about ongoing reliance with an issuer, is the converse case you have in mind that the issuer gives me a long-lived thing, and then they never need to be heard of again?
That seems like a pretty exotic property compared to how current authentication systems work. Even in the good old Web PKI, with 2-year certificates, the issuer had to stay alive to serve OCSP responses or CRLs. Even driver's licenses and passports have revocation! Is the requirement here that the holder needs to be able to generate an indefinite number of unlinkable presentations from a single issuance transaction? I'm having trouble imagining how you achieve that along with other properties, so an intro to the relevant crypto would be helpful.

--RLB

[1] https://www.nhtsa.gov/research-data/national-driver-register-ndr

On Thu, Jul 28, 2022 at 6:42 PM David Waite <[email protected]> wrote:
>
> On Jul 28, 2022, at 5:39 PM, Richard Barnes <[email protected]> wrote:
>
> > Supposing such a system exists, consider the following scheme:
> >
> > 1. At issuance time, the holder executes the issuance protocol N times, each time with a fresh random subject key pair and fresh blinding of the selective disclosable claims.
> > 2. As a result, the holder obtains N credentials with different subject public keys and different signatures.
> > 3. The holder presents each credential exactly once.
> > 4. The holder goes back to step (1) when they need a new pile of credentials.
> >
> > It seems like this trivial scheme meets most of the requirements I've seen expressed so far:
>
> This is indeed how a single-use unlinkable form using more traditional cryptography should be expected to work, such as in ISO 18013-5 mDL mDocs.
>
> <snip>
>
> > Anyway, it seems like the above system achieves the stated goals of unlinkability and selective disclosure, with no fancy cryptography or new JSON structs required aside from the SD stuff. What critical requirement is this missing that would motivate a significant new engineering effort?
>
> The most significant one is reliance on an ongoing, active relationship with an issuer, who has online infrastructure for issuance that the holder is authorized to use. This makes them somewhat brittle as a digital replacement for traditional documents in particular use cases.
>
> A more recent example where this is an issue is in various covid vaccination credentials.
>
> The broadly published credential formats do not anonymously credential the user. Indeed, most actually represent a full medical record, with sensitive data including real names, clinic locations and vaccination history.
>
> The primary limitation that this resulted from was the infeasibility of having each medical provider run their own issuing infrastructure. In some environments, even if a clinic had such infrastructure it would be infeasible to authenticate users to vend out ongoing single-use credentials as they did not have such a longer-lived relationship with the vaccine receiver. The lack of authentication is a reason for the real name to be included - it can then be correlated with other identity documents such as a passport.
>
> It is also impractical to assume that all clinics will remain operational over the usable lifetime of such a credential.
>
> There are other features which are out of scope for the initial charter which are not feasible with approaches based on typical cryptography, such as privacy-preserving revocation of mis-issued credentials, or releasing predicate proofs of additional calculated information about such a credential (e.g. release "vaccination received less than one year ago" without releasing the exact date and time).
>
> -DW
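Added example, not code from either poster or from any standard: a toy of the batch-issuance scheme in Richard's numbered steps, with salted-digest selective disclosure in the style of the "SD stuff" referenced in the thread. Assumptions: the issuer signature is an HMAC under a key the verifier also holds (a stand-in for an asymmetric JWS signature), the subject key pair is a random token, and the claim set is constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins (assumption): HMAC under a shared issuer key instead of a JWS signature,
# and a random token instead of a subject public key.
ISSUER_KEY = secrets.token_bytes(32)
CLAIMS = {"name": "Alice Example", "over_18": True, "vaccinated": "2022-03-01"}  # constructed

def _digest(salt, name, value):
    """Salted hash of one claim: a fresh salt per issuance run makes equal claims unlinkable."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue_batch(claims, n):
    """Steps 1-2: run issuance n times, each with a fresh subject key and fresh claim salts."""
    creds = []
    for _ in range(n):
        subject_key = secrets.token_hex(32)
        disclosures = {k: (secrets.token_hex(16), v) for k, v in claims.items()}
        payload = {"sub_key": subject_key,
                   "sd": sorted(_digest(s, k, v) for k, (s, v) in disclosures.items())}
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
        creds.append({"payload": payload, "sig": sig, "disclosures": disclosures})
    return creds

def present(cred, reveal):
    """Holder releases only the chosen claims (salt + value); the rest stay opaque digests."""
    return {"payload": cred["payload"], "sig": cred["sig"],
            "disclosed": {k: cred["disclosures"][k] for k in reveal}}

def linkable(c1, c2):
    """True if two credentials share any value a verifier could correlate on."""
    return bool(c1["payload"]["sub_key"] == c2["payload"]["sub_key"]
                or set(c1["payload"]["sd"]) & set(c2["payload"]["sd"]))

class Verifier:
    def __init__(self):
        self.seen = set()  # step 3: each credential is accepted at most once

    def verify(self, pres):
        """Return the disclosed claims, or None on bad signature, bad disclosure or replay."""
        body = json.dumps(pres["payload"], sort_keys=True).encode()
        expected = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
        if not hmac.compare_digest(expected, pres["sig"]):
            return None
        out = {}
        for name, (salt, value) in pres["disclosed"].items():
            if _digest(salt, name, value) not in pres["payload"]["sd"]:
                return None  # disclosure does not match any signed digest
            out[name] = value
        if pres["sig"] in self.seen:
            return None  # second use of the same single-use credential
        self.seen.add(pres["sig"])
        return out
```

The verifier checks the issuer signature and each disclosed claim before consuming the credential, so a rejected presentation does not burn an otherwise valid one.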
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
