-
Notifications
You must be signed in to change notification settings - Fork 22
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #148 from w3c/2023-08-25-cleanup
Miscellaneous cleanup
- Loading branch information
Showing
4 changed files
with
692 additions
and
674 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,131 @@ | ||
| <section> | ||
| <h3>Citizenship by Parentage</h3> | ||
| <h4>Background</h4> | ||
| <p> | ||
| Sam wants to claim US citizenship because his mother is American. Sam has a | ||
| digital birth certificate from Kenya, where he was born while his Mother was | ||
| in the Peace corps. He also has a digital version of his mother's US passport. | ||
| Because his mother’s name changed between his birth and the issuance of the | ||
| passport, Sam also has a marriage license with her maiden and married names. | ||
| Sam is applying for a new passport from the US Secretary of State. | ||
| </p> | ||
| <h4>Distinction</h4> | ||
| <p> | ||
| This use case is challenging because the mother’s name changed, by marriage, | ||
| between the issuance of the birth certificate and passport. | ||
| </p> | ||
| <h4>Scenario</h4> | ||
| <p> | ||
| Sam’s mother emailed him the certificate, license, and passport as independent | ||
| <a>Verifiable Credentials</a>. He then creates a <a>verifiable presentation</a> | ||
| which includes those credentials, a statement of their relationship to each | ||
| other and his relationship to his mother. He then visits the US Secretary of | ||
| State website, creates an account, starts the application for a passport, and | ||
| uploads his new <a>verifiable presentation</a> as supporting evidence. After | ||
| processing the application, Sam is issued both a traditional passport and a | ||
| new digital passport. | ||
| </p> | ||
| <h4>Verifiable Credentials</h4> | ||
| <dl class="dl-horizontal"> | ||
| <dt> | ||
| Birth Certificate | ||
| </dt> | ||
| <dd> | ||
| Establishes relationship to mother with maiden name | ||
| </dd> | ||
|
|
||
| <dt> | ||
| Marriage License | ||
| </dt> | ||
| <dd> | ||
| Establishes mother's name change | ||
| </dd> | ||
|
|
||
| <dt> | ||
| Mother’s Passport | ||
| </dt> | ||
| <dd> | ||
| Establishes mother's US citizenship | ||
| </dd> | ||
|
|
||
| <dt> | ||
| Sam’s Passport | ||
| </dt> | ||
| <dd> | ||
| Establishes Sam is the child in the birth certificate | ||
| </dd> | ||
| </dl> | ||
|
|
||
| <h4>Verifiable Presentation</h4> | ||
| <p> | ||
| A <a>verifiable presentation</a> which includes those three <a>credentials</a>, | ||
| adds his name, photo, and demographic data along with the assertions that — | ||
| </p> | ||
| <ul> | ||
| <li> | ||
| He is the child in the birth certificate. | ||
| </li> | ||
| <li> | ||
| The mother in the birth certificate, the person in the passport, the spouse in | ||
| the marriage license are all the same person. | ||
| </li> | ||
| </ul> | ||
| <h4>Trust Hierarchy</h4> | ||
| <p> | ||
| Sam is legally liable for his claim to the rights of citizenship. The state | ||
| department is on the hook for verifying the underlying credentials and Sam’s | ||
| <a>claims</a>, including correlating against any additional data they might | ||
| already have. | ||
| </p> | ||
| <h4>Threat model</h4> | ||
| <ul> | ||
| <li> | ||
| <strong>Threat: Terrorist / Identity fraud.</strong> A bad actor could be | ||
| impersonating Sam to attain a passport. Of course, if a bad actor were to be | ||
| able to collect the required <a>verifiable credentials</a>—mother’s | ||
| passport, birth certificate, and marriage license, that actor has already | ||
| significantly compromised the system. | ||
| <ul> | ||
| <li> | ||
| <strong>Response:</strong> Identity assurance based on the <a>presentation</a> | ||
| and other data, above and beyond what is in the <a>presentation</a> and the | ||
| <a>claims</a>. | ||
| </li> | ||
| <li> | ||
| <strong>Response:</strong> Identity assurance based on the contents of the | ||
| <a>claims</a>, potentially with enhanced data embedded in the <a>claims</a>, | ||
| i.e., data not currently in passports, birth certificates, or marriage license. | ||
| For example, a biometric template could be embedded in the birth certificate | ||
| <a>claim</a> and that template could be used for interactive identity assurance | ||
| at the time of submitting the <a>presentation</a>. | ||
| </li> | ||
| </ul> | ||
| </li> | ||
| <li> | ||
| <strong>Threat: Exposure of private information.</strong> By storing | ||
| potentially compromising information in <a>credentials</a> and sending them | ||
| over the network, we are increasing the attack surface for the <a>subjects</a> | ||
| of those credentials. | ||
| <ul> | ||
| <li> | ||
| <strong>Response:</strong> Encrypt the <a>claims</a> (once by issuer, every | ||
| <a>verifier</a> gets the same encrypted blob) | ||
| </li> | ||
| <li> | ||
| <strong>Response:</strong> Encrypt the <a>claims</a> uniquely for each | ||
| <a>verifier</a>. This may leak usage data to the <a>issuer</a>, assuming the | ||
| <a>holder</a> must ask for a new, encrypted <a>credential</a> for each | ||
| <a>verifier</a>. | ||
| </li> | ||
| <li> | ||
| <strong>Response:</strong> Blind the <a>claims</a> uniquely for each | ||
| <a>verifier</a>. | ||
| </li> | ||
| <li> | ||
| <strong>Response:</strong> Encrypt the <a>presentation</a> uniquely for each | ||
| <a>verifier</a>. No <a>issuer</a> involved. | ||
| </li> | ||
| </ul> | ||
| </li> | ||
| </ul> | ||
| </section> |
Oops, something went wrong.