search

creator-assertions / identity-assertion

Creator Assertions Working Group :: Identity Assertion
https://creator-assertions.github.io/identity/
Other
3 stars 5 forks source link

Privacy when verifying VCs #41

Open scouten-adobe opened 4 months ago

scouten-adobe commented 4 months ago

C2PA 1.x spec had the following statement, which is still accurate. Not sure if it can be avoided:

In most W3C verifiable credential workflows, the information about the subject (e.g., the cryptographic keys) is fetched on demand at the time of validation. While that is an acceptable model, it does open up a possible attack vector by providing an attacker with an externally-visible signal about what the validator is validating. Therefore, this specification also supports having the information captured and embedded at the time of signature. This not only prevents leakage, but also makes it very clear what data the signer is asserting about the credential’s subject.

scouten-adobe commented 4 months ago

Discussed in 20 February 2024 meeting.

@scouten-adobe to call subgroup meeting

Via @OR13: There are some limitations on privacy that come from building on top of verifiable credentials, depending on how you define the credential format.