w3c-ccg / community

COMMUNITY: W3C Credentials Community Group Community Repo
https://w3c-ccg.github.io/community

The link between biometrics and VCs should be clarified for privacy and human rights reasons #211

Closed agropper closed 2 years ago

agropper commented 2 years ago

There are currently four open issues that relate to VCs with humans as a subject. They are:

  1. 195
  2. https://github.com/w3c/vc-data-model/pull/818
  3. https://github.com/w3c/vc-data-model/issues/789
  4. https://github.com/decentralized-identity/waci-presentation-exchange/discussions/96

VC Cases:

  1. The VC includes a biometric
    • no wallet or other holder is normatively involved
  2. The VC includes an ID in a contemporaneous (at issue and verification) check of a biometric credential
    • no wallet or other holder is normatively involved
  3. The VC is stored in a “certified” wallet with secure element
    • Issuers and Verifiers validate the certificate before dealing with the VC
    • The wallet displays a local biometric and securely signs a nonce to be verified along with the biometric
    • The use of the VC is then physically tied to a particular biometric-enabled certified ankle bracelet or chip
  4. The VC includes a link to a centralized biometric database.
    • No wallet or other holder is normatively involved because issuers and verifiers check the database
  5. The VC has a human subject but no biometric or link to biometric
    • There is no way to prevent a controller of the VC from sharing their private key to enable a fraudulent presentation.
  6. The VC does not have a human subject
    • Biometrics are irrelevant and holders are a matter of chain-of-custody for the VC.

Are there cases other than the five above? (or rewording to improve the five cases)

How should biometrics in and around VCs be considered in our various workgroups?

vsnt commented 2 years ago

@agropper I'd like to suggest you open a work item and write a community report that enumerates your concerns on this topic. The community can then discuss/respond/publish it and reference for future concerns.

agropper commented 2 years ago

My medium-long comment on a VC data model issue focuses on biometrics and VCs: https://github.com/w3c/vc-data-model/issues/831#issuecomment-960249901. It focuses on privacy rather than human rights, but I think it's a good start to our conversation by defining a few terms.

I'm not clear on what it means to open a work item. Maybe we can use this thread as a kind of charter discussion for anyone that's interested in this topic.

agropper commented 2 years ago

Adding this note as a way of tracking the relationship to closed https://github.com/w3c-ccg/community/issues/195#event-5889029490.

These issues are related to the discussions of mitigating human rights risks of standardized digital credentials here https://github.com/w3c/vc-data-model/issues/831, here https://lists.w3.org/Archives/Public/public-credentials/2022Jan/0068.html and here https://lists.w3.org/Archives/Public/public-credentials/2022Jan/0013.html

vsnt commented 2 years ago

Adrian, I'd like to close this issue as well. The community appreciates your concern in this area, but we need a clear focused work item proposed with a specific category of deliverable. I invite you to review the Work Item Process for an overview of the requirements: https://w3c-ccg.github.io/workitem-process/

I am happy to go over the process with you if you need any assistance. Thank you!

agropper commented 2 years ago

The other co-chair suggested this as well and I have reached out publicly https://lists.w3.org/Archives/Public/public-credentials/2022Jan/0101.html and privately for co-collaborators.

On Thu, Jan 13, 2022 at 4:08 PM vsnt @.***> wrote:

> Adrian, I'd like to close this issue as well. The community appreciates your concern in this area, but we need a clear focused work item proposed with a specific category of deliverable. I invite you to review the Work Item Process for an overview of the requirements: https://w3c-ccg.github.io/workitem-process/
>
> I am happy to go over the process with you if you need any assistance. Thank you!
