On Wed, Dec 28, 2016 at 3:52 PM, L. David Baron <dba...@dbaron.org> wrote:
> Here's an attempt to write up comments to submit on this charter.
> I'm not sure I understood ekr's reply to mt, though. So corrections
> and clarifications are certainly welcome.
>
> Sorry for the delay circling back to this.
>
> -David
>
> We don't think the W3C should be putting resources behind
> standardization of verifiable claims. We're not convinced of either
> sufficient demand for this or sufficient incubation of the technology.
>
> However, based on the proposed architecture at
> https://w3c.github.io/webpayments-ig/VCTF/architecture/ ,
> linked from the charter, we're very concerned about the privacy
> properties of this work if the W3C were to proceed with it.
>
> This architecture appears to propose a system in which verification of
> claims leaks substantial information about a user. For example,
> presenting a credential that is tied to an identity of a user allows for
> tracking of that identity across sites, which the user may not want. Or
> if, for example, a site accepts claims from various government
> authorities for proof of a user's age, then presentation of a claim of
> age from the California DMV would provide the data that the user lives
> in California, even if that was not the information requested or needed.

This seems correct. I would add: Even if claims are not directly tied to
identity, it appears that the proposed architecture would allow the Issuer
and the Inspector to collude to determine which Holder a claim applies to.

> There has been substantial work on using cryptography to allow proof of
> specific claims without leaking information, such as
> https://www.microsoft.com/en-us/research/project/u-prove/ . However,
> this effort seems to ignore that work and instead propose a design with
> much worse privacy properties.
>
> If the W3C were to pursue this work, we think it would be best to pursue
> a system with strong privacy properties such as this one. However, if
> that is not done, we would be particularly opposed to a system that ties
> claims to a single identity for the user, which would be most prone to
> unsanctioned tracking. However, even transitory and pseudonymous
> identifiers can leak substantial information, contrary to the
> expectations of the user (in the proposed architecture, the Holder),
> particularly if some or all of the Issuer, Identifier Registry, and
> Inspector cooperate to track the Holder.

Yes, this seems good.

-Ekr

> --
> 𝄞 L. David Baron http://dbaron.org/ 𝄂
> 𝄢 Mozilla https://www.mozilla.org/ 𝄂
> Before I built a wall I'd ask to know
> What I was walling in or walling out,
> And to whom I was like to give offense.
> - Robert Frost, Mending Wall (1914)
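The three leaks raised in the thread (cross-site linking on an identity-bound claim, over-disclosure via the issuer name, and Issuer/Inspector collusion even with per-presentation pseudonyms) modelled as a toy simulation. This is an added example, not code from the thread or from the W3C architecture; the Issuer, holder names and claim fields are constructed placeholders.

```python
import secrets

class Issuer:
    """Issues claims bound to a subject identifier and keeps an issuance log."""
    def __init__(self, name, attrs):
        self.name, self.attrs, self.log = name, attrs, {}

    def issue(self, holder, subject):
        # The issuer records which holder asked for which subject identifier.
        self.log[subject] = holder
        return {"issuer": self.name, "subject": subject, **self.attrs}

def over_disclosure(claim, requested):
    """Fields the Inspector learns beyond what it asked for (issuer name included)."""
    return {k: v for k, v in claim.items() if k not in requested and k != "subject"}

def cross_site_link(seen_by_a, seen_by_b):
    """Two Inspectors join their logs on the subject identifier."""
    return {c["subject"] for c in seen_by_a} & {c["subject"] for c in seen_by_b}

def issuer_inspector_collusion(issuer, seen_by_inspector):
    """Issuer and Inspector together map presented subjects back to holders."""
    return {c["subject"]: issuer.log[c["subject"]]
            for c in seen_by_inspector if c["subject"] in issuer.log}

def scenario(pseudonymous):
    """Two holders each present an age claim to two sites; return what leaks."""
    dmv = Issuer("California DMV", {"over_18": True})  # constructed sample issuer
    site_a, site_b = [], []
    for holder in ("alice", "bob"):
        for site in (site_a, site_b):
            # identity-bound: one stable id; pseudonymous: fresh id per presentation
            subject = secrets.token_hex(8) if pseudonymous else f"id:{holder}"
            site.append(dmv.issue(holder, subject))
    return {
        "cross_site": cross_site_link(site_a, site_b),
        "colluding_issuer_learns": set(issuer_inspector_collusion(dmv, site_a).values()),
        "over_disclosed": over_disclosure(site_a[0], {"over_18"}),
    }

if __name__ == "__main__":
    for mode in (False, True):
        print("pseudonymous" if mode else "identity-bound", scenario(mode))
```

Per-presentation pseudonyms stop the two sites from joining on the subject, but the issuer's log still resolves every pseudonym, which is the collusion path ekr points at.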