Identosphere 168: Wallet Strategy Series Part 1 • Rendering VCs • Failures of PKI 53yr history • Trust is not a Destination • C2PA and CAI workflows
Your weekly guide to the latest news, events and other info surrounding the development and implementation of decentralized identity and verifiable credentials. Thanks for your continued support.
We Gather, You Read!
3+ years and still aggregating industry info: No Marketing, No Sponsorship, Just the top stories in the Verifiable Credentials galaxy!
Upcoming
[Tokyo, Japan] Registration Open for OpenID Foundation Hybrid Workshop 01/18
[Virtual] FTC Tech Summit 1/25
[Brussels] EU Policy Devroom at FOSDEM 02/04
A Private Event for Executives in Identity, Cabo, Mexico 02/6-8
[EU] DIGITAL HORIZONS 360 Sponsorship Invitation. Hospitality Technology Innovation 02/20-21 Spain
Annual Privacy Forum 2024 Enisa. Submissions due 04/15
[California] Internet Identity Workshop #38 04/16-18 (super earlybird tickets end Friday)
[CCG] Here's a sneak peek at who we have lined up for the rest of January 2024-01-09 tang_talks
• January 9 - Verifiable Conditions by theblockstalk
• January 16 - Q1 2024 Open Discussion
• January 23 - VC Test Suite by bigbluehat
• January 30 - DID DHT (Decentralized Identifiers - Distributed Hash Table) by @decentralgabe
Join us every Tuesday at 9am PST
Hiring
PhD Candidate in the Area of Self-Sovereign Decentralized Identity and Blockchain Technologies NORWEGIAN UNIVERSITY OF SCIENCE & TECHNOLOGY - NTNU, United Kingdom
Software Engineer (Self-Sovereign Identity) SICPA · Madrid, Spain
Director Analyst, Identity and Access Management - Remote North America / Europe Gartner Irving, TX / Remote - United States / Remote - Ireland / Remote - Spain / Remote - Canada / Remote - Portugal
Director Analyst - Identity and Access Management (Remote - Ireland, Canada, EMEA) Gartner. Remote - United Kingdom / Remote - Germany / Remote - France / Remote - Ireland / Remote - Canada / Remote - Sweden / Remote - Spain / Remote - Portugal / Remote - Poland / Remote - Italy
Senior Sales Manager Indicio
Market
10 Predictions for IDtech in 2024 2024-01-08 Trinsic
I do not have any special information informing these predictions—many are nothing more than speculation! So obviously nothing here is investment advice, and I hope you’ll let me know if you disagree with any of these—then we can see how things pan out in 12 months!
Vulnerability
CVE-2024-21669 Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC 2024-01-11 CVE
The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.
CVE-2024-21669 Detail NATIONAL VULNERABILITY DATABASE
Ecosystem
Digital Credential Ecosystem Report 2024 Smart Resume
This SmartReport consists of two infographics that show the way data flows through the Learning and Employment Record Ecosystem. It outlines the organizations and companies that are involved in the issuance, sharing, and consumption of specific verifiable credential data standards in the United States in 2024.
Top 5 DevCareer Hackathon Winners! 2024-01-11 TBD
It's winner announcement time! We're thrilled to have been a part of DevCareer's first-ever hackathon. DevCareer's mission is to cultivate new talent and make a difference in Africa through tech, and having that talent play around with our Web5.js sdk was an invaluable experience. The level of creativity resulted in us having not 3 but 5 winning projects! 🚀
Standards
[tweet, CCG] Here is how you can render #digitalcredentials in a consistent, scalable, and trustworthy manner 2024-01-12 Dmitri Zagidulin via tang_talks & CCG
Rendering Verifiable Credentials [Minutes] [Audio] [presentation]
The render method allows issuers to have some influence on how their credentials are presented, addressing issues related to display customization and reducing integration costs.
• the challenges faced during implementation
• the use of SVG templates and the need to switch to HTML and CSS for better support of longer user names
• the importance of a round-trip lifecycle between digital and paper formats
• the need for QR codes and metadata standards
Understanding of C2PA and CAI workflows 2023-10-28 Tim Bray
Applying c2pa to the JPG yields the JSON manifest, which has a selection of useful EXIF fields. It turns out the signing relies on traditional PKI-wrapped certs; there’s one associated uniquely with this camera, with a proper signing chain through a Leica cert, all apparently rooted at D-Trust, part of Germany’s Bundesdruckerei which also prints money. All very conventional, and whatever programming language you’re using has libraries to parse and verify. Sadly, ASN.1 will never die.
Wallets
Wallet Strategy Part 1: The Tide Will Never Rise for Decentralized IDtech 2024-01-11 Product Intuition
Does your strategy treat your wallet as a key component of your product offering?
Are you optimizing for your wallet’s user growth and retention?
Do all your users adopt your wallet as an early phase of your product’s onboarding flow?
Are you crafting your wallet to perfectly suit your industry vertical, problem domain, product, and feature set?
Will your wallet help to differentiate your product to build a strong, defensible moat around your business?
If you answered yes to most or all of these questions, you have great product-strategy instincts. And applying them in the realm of decentralized identity wallets is going to backfire.
Enhancements to MATTR Showcase Wallet and MATTR GO Wallet 2024-01-10 Mattr Global
Users can now filter their activity feed so that only messages that require attention are displayed. For example, this can help users identify pending credential offers.
Improved wallet performance as credential offers are now only validated when the user selects to accept the offer.
Improved performance as credential status is no longer displayed on the credential activity card.
Can a metaphor be too good? 2024-01-08 Steve Wilson
As mentioned, digital wallets are getting all the attention in the move to cryptographically verifiable credentials. But why do we spend so much time designing digital experience and trust frameworks around a component that has played no part in system security?
Trust
[linkedin, Government] How Do I Trust Entities? Different Levels of Identity & Credential Assurance 2023-12-26 Guy Huntington
It discusses different types of assurance for entity identities, authentication credentials and session assurance. In some cases I have ideas about how to create a new trust legal identity assurance framework. In others, I don't have clear ideas, thus suggesting ideas for discussion.
Trust is not a thing or a destination, but an outcome of a transformation 2021-03-04 Tony Fish, OpenGovernance
I have always searched for the relationships between trust and strategy, value, consent, privacy, identity, data and risk. The well-reasoned articles include Imaging a Digital Strategy starting from TRUST, Trust is not a destination!, How can Brands restore user trust? A segmentation model based on trust, The relationship between Trust, Risk and Privacy. This article brings together some of the thinking already explored in previous articles but as the new drawing below.
Product
[audio] Episode 18: Jon Gelsey: Identity product GTM insight from Auth0’s early days 2024-01-10 Trinsic
In this episode, you’ll hear Jon discuss the early days of Auth0, including how they got their first $1m of revenue. Then we spent time diving in to how new technologies get adopted—Jon even went as far as saying that technology adoption is always incremental, not revolutionary.
SpruceID Developer Update #39 2024-01-12 SpruceID
We've refined and formalized the definition of TreeLDR's layouts, simplifying their definition and how developers can interact with them.
We are working on the layout book, containing an overview and formal specification of TreeLDR's layouts.
We've extracted the RDF handling part of TreeLDR's layout compiler into a separate project, InfeRDF. This "RDF engine" is dedicated to the inference and interpretation of RDF datasets so TreeLDR can entirely focus on its main feature: the layouts.
Becoming traceable - From rural Ghana to the world 2024-01-04 Farmer Connect
The Savannah Fruits Company is teaming up with farmer connect to create the first blockchain end-to-end shea value-chain traceability system this side of the Sahara. The Savannah Fruits Company already records where their products are sourced from and the details of over 40,000 shea collectors and processors in their supply chain.
Self-Sovereign Identity and the Sovereign-T Protocol: A Solution to the Modern Privacy Paradox Sovereign-T Protocol | SSI integrated blockchain
The prospect of government entities having the ability to track all personal transactions and interactions is not just a privacy concern; it’s a fundamental human rights issue.
How Sovereign-T Protocol Addresses This
[Video] Issue Verifiable Credentials | Issuer API 2023-12-21 Walt.ID
The issuer API by walt.id enables you to issue W3C verifiable credentials to users using OID4VC.
API Setup Guide: https://docs.oss.walt.id/issuer/api/setup/open-source
Documentation: https://docs.oss.walt.id/issuer/api/getting-started
API Reference: https://issuer.portal.walt.id/swagger/index.html
Explainer
[Enterprise] Decentralized Identity – a Playbook for Your Enterprise 2024-01 Anne Bailey, KuppingerCole
Information is shared on a need-to-know basis, eliminating the problem of your personal information being held by all service providers that you come in contact with.
[Linkedin] How is the vLEI different from traditional digital certificates? 2024-01-09 Nuttawut Kongsuwan
Traditional CAs and the vLEI ecosystem do have a lot of similarities. For example, both CAs and the vLEI have a hierarchical structure. Here are a few important differences in the context of organization identity
How Verifiable Credentials Can Handle the Threat of Deepfakes in KYC 2024-01-12 Indicio
The inevitable threat of generative AI can only be met by adding verifiable credentials. But the good news is that verifiable credential technology is easy and quick to add to existing systems. Indicio provides a complete, award-winning solution — Indicio Proven® — including a KYC credential.
Understanding ID Document Verification: A Guide to Secure Authentication 2023-01-11 Ubisecure
Can ID Document Verification methods be considered strong authentication methods? Often, strong authentication methods utilise at least two factors from the list of something the user knows (e.g. password, pin code, answer to a security question), something the user has (e.g. security token, digital certificate, an ID card, a phone with a built-in hardware token, software token), and something the user is (e.g. typically biometrics such as fingerprint, iris scan, vein scan etc.).
Research
[Ijisae] Enhancing Authentication Security Against MITM Attacks Through Bioinspired Identity Management & Blockchain-Enhanced Protocols 2024-01-07 Anagha Raich, Vijay Gadicha; G.H.Raisoni University, Amravati
Our approach integrates Public Key Infrastructure (PKI) with blockchain to establish a decentralized system for managing digital certificates, ensuring authenticity and inviolability of public keys. We leverage cryptographic algorithms, notably ECDSA and RSA, for digital signature verification, and employ smart contracts to automate and secure the authentication process, eliminating reliance on centralized authority. Additionally, we implement Decentralized Identity Verification (DID) systems, allowing users to control and share their identity securely. Our methodology includes a comprehensive literature review of current protocols, vulnerability analysis, and the development of blockchain-enhanced protocols. These are rigorously tested in simulated environments against known MITM attack vectors & scenarios.
[arxiv] Failures of public key infrastructure: 53 year survey 2024-01-11 Adrian-Tudor Dumitrescu, Johan Pouwelse; Delft University of Technology
Seems really important for group reflection
Abstract—The Public Key Infrastructure existed in critical infrastructure systems since the expansion of the World Wide Web, but to this day its limitations have not been completely solved. With the rise of government-driven digital identity in Europe, it is more important than ever to understand how PKI can be an efficient frame for eID and to learn from mistakes encountered by other countries in such critical systems. This survey aims to analyze the literature on the problems and risks that PKI exhibits, establish a brief timeline of its evolution in the last decades and study how it was implemented in digital identity projects.
Fediverse
Where is all of the fediverse? BenJojo
How Threads will integrate with the Fediverse Plastic Bag
Identity not SSI
Getting Started With Passkeys, One Service at a Time 2024-01-03 Dark Reading
In addition to the major three technology firms supporting passkeys — Apple, Google, and Microsoft — third-party password providers, such as 1Password and Bitwarden, implemented their own support for managing the credentials. Dozens, and likely hundreds, of major websites have followed suit, implementing the necessary support for passkey authentication.
Privacy
[Report] Risk Framework for Body-Related Data in Immersive Technologies 2024-01-15 LICDN
In the absence of consistent, comprehensive legal standards, organizations developing and deploying immersive technologies should go beyond legal mandates to earn public trust by fashioning their data practices around a risk-based approach to body-related data. This framework:
Assists organizations across the immersive technology ecosystem by providing a starting point from which to further customize their privacy practices.
Facilitates conversations about body-related data and privacy internally within organizations and externally with relevant stakeholders.
Educates employees about the purposes and risks of data practices.
Helps organizations operationalize privacy principles and best practices into the design of their body-related data practices, particularly in the context of immersive technologies.
Helps organizations understand what legal obligations their body-related data practices might trigger, as well as the privacy and fairness considerations they raise.
Thanks for Reading
Read more \ Subscribe: newsletter.identosphere.net
Contact \ Submission: newsletter [at] identosphere [dot] net