Re: [Identity-discuss] US/DHS/SVIP Call + Industry Day || Privacy Preserving Digital Credential Wallets and Verifiers
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 11 August 2023 21:59 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: identity-discuss@ietfa.amsl.com
Delivered-To: identity-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4C84C151553 for <identity-discuss@ietfa.amsl.com>; Fri, 11 Aug 2023 14:59:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.402
X-Spam-Level:
X-Spam-Status: No, score=-1.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsjOYYALDDTh for <identity-discuss@ietfa.amsl.com>; Fri, 11 Aug 2023 14:59:33 -0700 (PDT)
Received: from mail-oo1-f53.google.com (mail-oo1-f53.google.com [209.85.161.53]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 213A1C15109D for <identity-discuss@iab.org>; Fri, 11 Aug 2023 14:59:33 -0700 (PDT)
Received: by mail-oo1-f53.google.com with SMTP id 006d021491bc7-56d263da4f2so1942528eaf.0 for <identity-discuss@iab.org>; Fri, 11 Aug 2023 14:59:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691791172; x=1692395972; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=yUwStr9z/LF7h+uaHjRbP9PtdpcZBupUXkm/qFUqZ9A=; b=OU1694DwsEDXaUcVEjTtepzWAdD1cxeD1vbmNeNh70IPSlAi4sm7ihsVwK5Cnu7Wwv 5mqddRjYXJYV/SXRyFJGK37sGSGvMMDifmkBTqAcYmdg//zWp7KLmx1WH1qnp+8iF+Fw dc1d2S6n+VfMTuyye8iFSpzDN+CCddLWhz79lHjHV0j7SQJb+f11HIZUmiRggt/NSNIQ iZtKlRZsR+JLzLI77gSCgFdcmTVHCrce/QAsa2RZgQrS5kUnuFXG4VagI8XdC2mT2AQW Tafxv6TEFUTIfZ9ftPKlLSaFJmsFGsljVHGJWNgO8y8qhLXO8IZ2OROp/Vdc7FfKq44G O4NA==
X-Gm-Message-State: AOJu0YxNCOuj1mIGKP1CxI35VlcNMwV/2Vi96qbG0KVUO0zVtJUD6ZWw aSEb3zzegzJgRsvHZrkLqNNhVq+ssFAoeTB2f+o=
X-Google-Smtp-Source: AGHT+IHEZ1b9YFlgdzRgQSdMrqIKWNByUKcM0yBMVZ5K93E3+H8YAjcZ3LBxhN3HHEPmvwd4PJgX4DrCb7hx6lswKdU=
X-Received: by 2002:a4a:275b:0:b0:56d:2d49:13c2 with SMTP id w27-20020a4a275b000000b0056d2d4913c2mr2236133oow.4.1691791172232; Fri, 11 Aug 2023 14:59:32 -0700 (PDT)
MIME-Version: 1.0
References: <BY3PR09MB733259BC3F6C6AF787FD682C8B409@BY3PR09MB7332.namprd09.prod.outlook.com> <PH8PR09MB8926EAC24BF285D71F4803CBD4489@PH8PR09MB8926.namprd09.prod.outlook.com> <PH0PR09MB7977A93B583B870F2E00DA30C5489@PH0PR09MB7977.namprd09.prod.outlook.com> <BLAPR09MB7235E86BB5CE0F5C53EFEF0CA0489@BLAPR09MB7235.namprd09.prod.outlook.com> <BY3PR09MB7332CBF53C260A2C36ABD4118B489@BY3PR09MB7332.namprd09.prod.outlook.com> <BLAPR09MB723506641E278741C97EAEB9A04EA@BLAPR09MB7235.namprd09.prod.outlook.com> <PH0PR09MB7977765CF754F9F6807B38B7C54EA@PH0PR09MB7977.namprd09.prod.outlook.com> <PH0PR09MB797762215CC8DEF47C747A9DC54EA@PH0PR09MB7977.namprd09.prod.outlook.com> <BLAPR09MB7235866F2F81336716B27825A04EA@BLAPR09MB7235.namprd09.prod.outlook.com> <PH0PR09MB79776533A9FEFB92AD54A210C54EA@PH0PR09MB7977.namprd09.prod.outlook.com> <BLAPR09MB6961275866DEDCD943117B6BB04EA@BLAPR09MB6961.namprd09.prod.outlook.com> <SA0PR09MB7243754463E4E746E5E14A81A04EA@SA0PR09MB7243.namprd09.prod.outlook.com> <PH0PR09MB797708E051A9B5045810C033C54EA@PH0PR09MB7977.namprd09.prod.outlook.com> <PH0PR09MB79775FC17063C25BDA06146DC54EA@PH0PR09MB7977.namprd09.prod.outlook.com> <PH0PR09MB7977D894321FF5CAC2345CB4C501A@PH0PR09MB7977.namprd09.prod.outlook.com> <PH0PR09MB79775DB35B0022A7A8A7384DC501A@PH0PR09MB7977.namprd09.prod.outlook.com> <1775C608E8210B85.27447@lists.openwallet.foundation> <PH0PR09MB7977FC8DA5F7423551FBDBA4C513A@PH0PR09MB7977.namprd09.prod.outlook.com> <CAD9ie-uxEgVBL2EUJW_eG0H31+6h-nUvDpW3JYw0qo0UEz2RCw@mail.gmail.com>
In-Reply-To: <CAD9ie-uxEgVBL2EUJW_eG0H31+6h-nUvDpW3JYw0qo0UEz2RCw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 11 Aug 2023 17:59:16 -0400
Message-ID: <CAMm+LwimwGuicESw=EPRiJQ3LumuKuSU8g6u2tKzyzwq0xXhxQ@mail.gmail.com>
To: Dick.Hardt@gmail.com
Cc: "John, Anil" <anil.john=40hq.dhs.gov@dmarc.ietf.org>, "identity-discuss@iab.org" <identity-discuss@iab.org>
Content-Type: multipart/alternative; boundary="000000000000daeb220602acd36f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/identity-discuss/DM5mh75m18qhKc9xfEsTNtXt02Q>
Subject: Re: [Identity-discuss] US/DHS/SVIP Call + Industry Day || Privacy Preserving Digital Credential Wallets and Verifiers
X-BeenThere: identity-discuss@iab.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Proposed IAB Program on Wholistic Human-Oriented Discussions on Identity Systems \(WHODIS\)" <identity-discuss.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/identity-discuss>, <mailto:identity-discuss-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/identity-discuss/>
List-Post: <mailto:identity-discuss@iab.org>
List-Help: <mailto:identity-discuss-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/identity-discuss>, <mailto:identity-discuss-request@iab.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2023 21:59:37 -0000
On Fri, Aug 11, 2023 at 3:15 PM Dick Hardt <dick.hardt@gmail.com> wrote: > Hey Jon, thanks for posting this. > > I don't know if you intended it, but the “Preventing Forgery & > Counterfeiting of Certificates and Licenses > <https://www.dhs.gov/science-and-technology/blockchain-portfolio>” links > to your Blockchain Portfolio page. > > FWIW: I'm amused by "*support the broad range of credentials possible > with W3C VCDM/DID standards*" > > The DID "standard" consists of there being a string that starts with > "did:" that eventually resolves to a key > The DID scheme appears to be following the URN scheme anti-pattern. Back at the dawn of the Web, a group of people showed up who were very insistent that they knew a lot about naming and had lots of ideas that absolutely HAD to be put into the specs. One of these was to rename URLs URI because the identifier might not support location. OK, whatever. So having been bullied into recognizing the existence of URLs and URNs as different things, the next demand was that URLs should start url: and URNs should start urn: and Web browsers should insist on this tremendously important 'idea'. So needless to say, that was kicked out quickly enough. But the sad legacy was that there was now a separate registry for URNs and some notion that since this existed, it should be used for something. And so instead of assigning a legacy identifier a URI prefix, foo: they got urni:foo: Some standardized mechanisms for identifying keys would be really useful. But that isn't what a DID is, a DID is simply an opaque string that identifies 'something' in a particular scheme and has no defined semantics outside that scheme, even the inference it identifies a cryptographic key is kinda fuzzy. So basically the only thing DIDs have achieved is avoiding cluttering up the URI registry. My current proposal for naming things with hashes is UDF, https://datatracker.ietf.org/doc/draft-hallambaker-mesh-udf/ When I presented that as part of the Mesh BOF in Singapore, someone asked if I had read RFC6920: https://www.rfc-editor.org/rfc/rfc6920.html Fortunately, I always read drafts I am an author on. The main difference between ni and UDF is that the assumption in ni was that the hashes would never be seen by a user and hence it uses Base64 encoding and an existing registry of hash algorithms. ni:///sha-256;f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk The starting point for UDF was 'what would OpenPGP hashes look like if we redid them using a modern approach but with the aim of having something that would still work on a business card. So the corresponding UDF is something like: MB5S-R4AJ-3FBT-7NHO-T26Z-2E6Y-WFH4 That is by definition a SHA-2-512 digest algorithm being used (UDFs can be truncated to any length). You can also use SHA-3-512, specify nonces, private key generation seeds, and some other interesting stuff. Having one way to identify keys throughout an application is really useful. But make sure it is compatible with case-insensitive file systems, so use Base32, not 64. Note however, that it is an identifier for the key, it is NOT a name, since it has type secondness, a given RSA or ECDH key will have exactly one UDF value which can be specified at whatever precision is required to achieve the desired work factor. I have deliberately not specified a URI scheme for UDF because the idea is you might use them as building blocks inside of a scheme. So I might have an OpenPGP entry in my contacts: mailto:alice@xample.com;opgp=MB5S-R4AJ-3FBT-7NHO-T26Z-2E6Y-WFH4
- [Identity-discuss] US/DHS/SVIP Call + Industry Da… John, Anil
- Re: [Identity-discuss] US/DHS/SVIP Call + Industr… Dick Hardt
- Re: [Identity-discuss] US/DHS/SVIP Call + Industr… Phillip Hallam-Baker
- Re: [Identity-discuss] US/DHS/SVIP Call + Industr… John, Anil