> On Jul 28, 2022, at 5:39 PM, Richard Barnes <[email protected]> wrote:
>
> Supposing such a system exists, consider the following scheme:
>
> 1. At issuance time, the holder executes the issuance protocol N times, each
> time with a fresh random subject key pair and fresh blinding of the selectively
> disclosable claims.
> 2. As a result, the holder obtains N credentials with different subject
> public keys and different signatures
> 3. The holder presents each credential exactly once
> 4. The holder goes back to step (1) when they need a new pile of credentials
>
> It seems like this trivial scheme meets most of the requirements I've seen
> expressed so far:

This is indeed how a single-use unlinkable form using more traditional cryptography should be expected to work, such as in ISO 18013-5 mDL mDocs.

<snip>

> Anyway, it seems like the above system achieves the stated goals of
> unlinkability and selective disclosure, with no fancy cryptography or new
> JSON structs required aside from the SD stuff. What critical requirement is
> this missing that would motivate a significant new engineering effort?

The most significant one is reliance on an ongoing, active relationship with an issuer, who has online infrastructure for issuance that the holder is authorized to use. This makes them somewhat brittle as a digital replacement for traditional documents in particular use cases.

A more recent example where this is an issue is in various covid vaccination credentials. The broadly published credential formats do not anonymously credential the user. Indeed, most actually represent a full medical record, with sensitive data including real names, clinic locations and vaccination history. The primary limitation that this resulted from was the infeasibility of having each medical provider run their own issuing infrastructure.

In some environments, even if a clinic had such infrastructure it would be infeasible to authenticate users to vend out ongoing single-use credentials as they did not have such a longer-lived relationship with the vaccine receiver. The lack of authentication is a reason for the real name to be included - it can then be correlated with other identity documents such as a passport. It is also impractical to assume that all clinics will remain operational over the usable lifetime of such a credential.

There are other features which are out of scope for the initial charter which are not feasible with approaches based on typical cryptography, such as privacy-preserving revocation of mis-issued credentials, or releasing predicate proofs of additional calculated information about such a credential (e.g. release "vaccination received less than one year ago" without releasing the exact date and time).

-DW

jose mailing list
https://www.ietf.org/mailman/listinfo/jose
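A constructed toy model of the batch-issuance scheme quoted above, added here to make the single-use credential pool and its dependence on a reachable issuer concrete; it is not code from the thread or from either author. Subject keys are random tokens and the issuer "signature" is an HMAC whose key the verifier also holds, both stand-ins for real asymmetric keys; blinding of the selectively disclosable claims is modelled as per-credential salted hash commitments.

```python
import hashlib, hmac, json, os

# Constructed toy model of the N-credential batch scheme from the thread; not the
# thread's code. HMAC with a verifier-shared key stands in for an issuer signature,
# random bytes stand in for a fresh subject public key per credential.

def commit(salt, name, value):
    """SD-style hash commitment to one claim: SHA-256(salt || "name=value")."""
    return hashlib.sha256(salt + f"{name}={value}".encode()).hexdigest()

class Issuer:
    def __init__(self):
        self.key = os.urandom(32)   # issuer signing key (symmetric stand-in)

    def sign(self, subject_pub, commitments):
        payload = json.dumps([subject_pub.hex(), commitments]).encode()
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def verify(self, subject_pub, commitments, sig):
        return hmac.compare_digest(self.sign(subject_pub, commitments), sig)

class Holder:
    def __init__(self, claims):
        self.claims, self.pool = claims, []

    def refill(self, issuer, n):
        """Steps 1-2: run issuance n times, each with a fresh subject key and fresh salts."""
        for _ in range(n):
            subject_pub = os.urandom(32)
            salts = {k: os.urandom(16) for k in self.claims}
            commitments = sorted(commit(salts[k], k, v) for k, v in self.claims.items())
            self.pool.append((subject_pub, salts, commitments, issuer.sign(subject_pub, commitments)))

    def present(self, disclose):
        """Step 3: spend one credential, revealing only the selected claims."""
        if not self.pool:   # step 4: the holder now needs the issuer to be online again
            raise RuntimeError("pool exhausted: holder must go back to the issuer")
        subject_pub, salts, commitments, sig = self.pool.pop()
        return {"subject_pub": subject_pub, "commitments": commitments, "sig": sig,
                "disclosed": {k: (salts[k], self.claims[k]) for k in disclose}}

def verify_presentation(issuer, p):
    """Verifier: check the issuer signature, then that each disclosed claim opens a commitment."""
    if not issuer.verify(p["subject_pub"], p["commitments"], p["sig"]):
        raise ValueError("bad issuer signature")
    for name, (salt, value) in p["disclosed"].items():
        if commit(salt, name, value) not in p["commitments"]:
            raise ValueError(f"disclosed claim {name!r} does not open any commitment")
    return {k: v for k, (_, v) in p["disclosed"].items()}
```

Two presentations from the same holder share no subject key and no commitment value, which is the unlinkability the quoted scheme claims; once the pool is empty the holder cannot present anything until it can reach the issuer again, which is the brittleness the reply points at.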
