Re: [GNAP] About the use case called "Self sovereign identity (SSI)"

Fabien Imbault <fabien.imbault@gmail.com> Fri, 21 August 2020 13:39 UTC

The use case is a bit complex (payment, etc.), but I think there are 2
important items in relation to SSI:
- it is interesting to integrate just like it is with OIDC or FIDO for
instance, SSI is now part of the ecosystem (ex: DID Auth / SIOP is
considered by openid)
- you get the ability to handle some cases better with verified
credentials (which the example illustrates: it's better to confidently
check the age before you even issue the token). "On the Internet, nobody
knows you're a dog" -> maybe not any more (at least if the issuer wants to
keep his reputation intact).
Btw it helps for privacy too (zkp).

Of course, one can still use GNAP or SSI separately (This use case can be
solved without using an AS and a RS -> maybe but it can also be solved with
AS and RS).

And I don't think it changes the core design of what we're discussing.

Fabien


On Fri, Aug 21, 2020 at 3:14 PM Francis Pouatcha <fpo=
40adorsys.de@dmarc.ietf.org> wrote:

>
> On Fri, Aug 21, 2020 at 9:02 AM Justin Richer <jricher@mit.edu> wrote:
>
>> The SSI trick is not the ticket — the SSI portion here is "She indicates
>> that she is a resident of Bamberg". We'd like Alice to be able to do
>> that in a verifiable and programmatic way that we can enable in the protocol
>> flow.
>>
> Yes.
> The purpose of SSI in this use case is to illustrate that authz flows will
> have many claim origins. Flows will have many situations where GS relies on
> claims produced/presented by other ASs for a compound Authz decision.
> Best regards
> /Francis
>
>>
>>  — Justin
>>
>> On Aug 21, 2020, at 8:48 AM, Denis <denis.ietf@free.fr> wrote:
>>
>>
>> Hello Francis,
>>
>> This WG has not been formed to address SSI (Self sovereign identity).
>> This use case can be solved without using an AS and a RS
>> and without using a "Self Sovereign Identity (SSI)" approach.
>>
>> - Alice visits the website of AC-Tickets.
>>
>> - Alice looks up and finds "Bamberg Symphony", the concert she
>> wants to attend.
>>
>> - Alice is informed that she can get a discount price if she is
>> a resident of Bamberg.
>>
>> - Alice fills in a form and enters the requested information.
>> She indicates that she is a resident of Bamberg and so she gets the
>> discounted price.
>>
>> - Alice makes the payment using 3D Secure.
>>
>> - Alice gets back a QR code on her phone that will be scanned
>> when entering the concert hall.
>>
>> - Alice goes to the concert at Bamberg Symphony.
>>
>> - At the entrance gate, Alice presents her QR code, which
>> includes a unique identifier for this concert, the date and time of the
>> concert, her seat number reservation, her family name and her first name, and the
>> fact that the ticket price is a discounted price available only
>> for the residents of Bamberg.
>>
>> - If the person controlling the QR codes at the gate has some
>> doubt that Alice is indeed a resident of Bamberg,
>> she asks Alice to present her ID card or her passport, which includes her
>> home address and, even more important, her picture.
>> ("On the Internet, nobody knows you're a dog". Peter Steiner's cartoon,
>> as published in The New Yorker on July 5, 1993).
>>
>> This is simple, efficient and easy to implement right now.
>>
>> This is roughly how train reservations work on the French web site
>> oui.sncf. Someone over 60 can request a discounted railway ticket.
>> If the train controller has some doubt that the bearer of the discounted
>> railway ticket is really over 60 after scanning the QR code, he will ask
>> the person to show an identity card or a passport at the platform
>> entrance or while in the train. Not only will the year of birth make it
>> possible to check that the individual is indeed over 60, but in addition
>> the name on the identity card or the passport will be checked against the
>> name on the railway ticket, and the picture against the face of the person
>> in front of the train controller.
>>
>> Anyway, IMHO, I don't believe that this use case should be solved using
>> GNAP.
>>
>> Denis
>>
>> PS. This use case has been posted here:
>>
>> https://github.com/ietf-wg-gnap/general/wiki/SSI-integration#alice-purchasing-a-concert-ticket-without-disclosing-her-identity
>>
>> --
>> TXAuth mailing list
>> TXAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>>
>>
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead
> adorsys GmbH & Co. KG
> https://adorsys-platform.de/solutions/