Identosphere 221: Pressing DOGE to work on Digital Identity • EU Commission violates GDPR • Legislative Recommendations at W3C CCG
We curate the latest in Verifiable Credentials and Self Sovereign Identity: standards development, regulation, upcoming events, and commentary from the blog-o-sphere. Your support is appreciated.
Identosphere’s Highlights
We Gather, You Read!
Gifts via PayPal or Patreon are appreciated
Upcoming Events
Newly Listed
[Amsterdam] EU Digital Identity Wallet at the Future of Dutch Payments 3/27
Previously Listed
[Cape Town] DID:Unconf Africa 2/18-20
Road to EIC: Beyond the Wallet - Building Network Effects for Digital Identity Adoption 2/19
[Orlando] Gartner Identity & Access Management Summit 2025 3/3-5
[Zurich] Digital Identity Unconference Europe - Ecosystems 3/4-5 (Kaliya will be there)
[Manila] MOSIP Connect - 3/11-13 (Kaliya will be there)
[London] Future Identity Finance 3/19
[Netherlands] IDM Europe 4/1
[California] Internet Identity Workshop #40 4/8-10. (Kaliya will be there)
[Washington DC] IAPP Global Privacy Summit 2025 4/21-24
[San Francisco] RSA Conference 2025 4/28-5/1
Standards Development
W3C issues new technical draft for verifiable credentials standards 2024-08-15 Biometric Update
With support from the DHS S&T, and U.S. Citizen and Immigration Service, the W3C Working Group has been developing the online digital ID standards.
VCDM 2.0 introduces several enhancements, including processing clarifications, transitions into a tangible data model, media types, and data model simplifications while still maintaining the VCDM 1.1 baseline.
DIF works toward standardized data scheme for age assurance credentials 2025-01-29 Biometric Update
Create a format-agnostic "data template" (schema) for age verification and estimation
Consistency in data fields across different credential formats
[linkedin] [includes audio] Securing the Software Supply Chain: How SCITT, SPIFFE, and WIMSE Work Together 2025-02-03 Heather Flanagan
I’ve been saying that to follow what’s happening in NHI standards, some of the core work you need to follow is happening in the IETF: SPICE, WIMSE, and SCITT. Everybody loves WIMSE with its workload identity architecture, and building the credential format in SPICE that can meet the needs of NHIs is of course brilliant (I’m not biased, you’re biased!). But thinking about this from the bottom up is what SCITT (Supply Chain Integrity, Transparency, and Trust) is all about, and it’s time to learn more about it and its close allies, SPIFFE (which isn’t happening in the IETF) and, yes, WIMSE. (I’ll cover SPICE in a future blog post.)
[explainer] The Vital Role of Identity Verification in Verifiable Credentials 2025-01-29 James Schulte; Indicio
Government
Industry coalition presses DOGE to act on digital identity 2025-01-29 federalnewsnetwork.com
Develop a digital identity strategy involving more direct government role in addressing deficiencies in digital identity infrastructure
Consider accepting digital identity documents that meet certain privacy and security standards
Improve Login.gov, a secure sign-in service run by General Services Administration (GSA) used by various federal agencies.
Trust Framework for Digital Identity [New Zealand]
The Trust Framework Authority is the regulator of digital identity services that are accredited. It came into effect on 1 July 2024.
accredits providers and services
publishes the list of accredited providers and services on the Trust Framework Register
makes sure accredited providers consistently meet the laws, rules and regulations of the Trust Framework
assesses and investigates complaints made about accredited providers or services
manages the accreditation mark for the Digital Identity services Trust Framework.
The EU’s Privacy Paradox: Commission Busted for Breaking Its Own Rules Clement Saudu
The case, which made headlines at the beginning of the year, involved a German citizen who, in March 2022, visited the now-inactive “futuru.europa.eu” website, a platform run by the European Commission. While registering for an event, the individual used the “Sign in with Facebook” option. However, this seemingly innocuous action resulted in the Commission transmitting the individual’s personal data, including their IP address and browser metadata, to Meta’s servers in the United States.
Digital ID State Legislative Recommendations at W3C CCG 2025-01-27 tang_talks; Daniel Gillmor; Jay Stanley; ACLU
Daniel Gillmor and Jay Stanley from #ACLU gave a great presentation on ". ACLU recommends that new digital ID systems should have the following properties: (1) no access to police, (2) no “Phone Home”, (3) selective disclosure, (4) unlinkability, (5) open ecosystem, (6) verifier accountability, (7) no individual kill switch, and other protocol-external requirements. Watch the recording of the presentation (start at 12m)
Development
Hyperledger Identus – then, now, and tomorrow 2025-01-26 IOHK
The Identus identity solution is built on the robust foundational work of the Atala PRISM protocol, which enables a degree of flexibility that other solutions lack – the Identus SDKs work with a multitude of platforms, such as web (through Typescript) and mobile (through Swift and Kotlin) – and delivers a comprehensive suite of tools for decentralized identity solutions.
ACA-Py (and Aries VCX) Upgraded to Fully Support cheqd 2025-01-15 Alex Tweeddale; cheqd
We are glad to announce that ACA-Py and Aries VCX have been upgraded to fully support cheqd.
Take 1... Solid Pods and Dids xditao.blogspot.com
A super simple “BooksWeLike” app—a place where I can review books and see what my friends are reading and enjoying.
What makes this app different is how it handles data. Unlike traditional apps where data lives in a centralized database, my app will let users store their own data in Solid Pods.
Use-Case
[prevention] Digital Identity Wallets & Fraud Prevention: Insights from John Erik Setsaas at cyberevolution 2024 2025-01-27 KuppingerCole
Technology and Financial Regulations:
Instant payment regulation: Fraudsters can exploit short processing time to make transactions before detection
GDPR: Protects consumers' privacy, making it challenging for banks to share fraud information between institutions
European digital identity wallet: Privacy-oriented and does not allow profiling; difficulties monitoring direct person-to-person payments or asset transfers under current regulations
[communications] The Value of Verifiable Credentials in Telecom – Building a Framework for Trust 2025-01-28 Ian Deakin; ATIS
Telecom VC Governance Framework
Endorses credulously issued verifiable credentials from external bodies
Ensures alignment with telecom-specific standards
Maintains and shares list of endorsed externally issued VCs with telecom verifiers
Member Spotlight: The Camino Network Foundation 2025-01-29 blog.identity.foundation
Camino's compliance-first approach with mandatory KYC for smart contract deployments and KYB for validators ensures a trusted and professional ecosystem for travel companies. Adhering to regulatory standards enhances legitimacy and simplifies onboarding, reducing risks in global/cross-border collaboration. This fosters confidence among partners and regulators, making blockchain adoption smoother and more secure for the travel industry
[researchgate] A Self-Sovereign Identity Blockchain Framework for Access Control and Transparency in Financial Institutions 2025-01 Hsia-Hung Ou, Guan-Yu Chen, Iuon-Chang Lin
To address the credit assessment needs of financial institutions, this paper proposes a Customer Self-Sovereign Identity and access-control framework (CSSI) based on SSI technology. Customers can securely store assessable assets and credit data on the blockchain using this framework. These data are then linked to a digital account address. With customer authorization, financial institutions processing loan applications can comprehensively evaluate customers’ repayment capabilities and conduct risk management by accessing this credit data.
Techruption Ben Smits, Virág Szijjártó, TNO June 2022
An introduction to ID poverty 2025-01-02 Vouchsafe
UN Sustainable Development Goals (SDG 16.9):
Provide legal identity for all by 2030
Addressing ID Poverty:
Rethink identity verification methods
Broaden types of acceptable verification: bank accounts, government correspondence, or trusted referees
Inclusive Identity Solutions:
Break down barriers and provide access to essential services
Design systems that reflect real-world experiences
Organizational News
Robert McGough joins Velocity's board 2025-01-30 Velocity
Reinventing how career records are shared across the global market. Empowering individuals, businesses and educational institutions through transformational blockchain technology – public, open, trusted and self-sovereign. Turn career achievements into digital credentials. Verified, secured and truly global. Own them, use them to access better opportunities.
Company Stories
Hovi and cheqd Announce Strategic Partnership to Advance Decentralized Identity Adoption Hovi.id
Partnership aims to address technical, operational, and financial obstacles to decentralized identity adoption
Innovative tools designed to simplify integration, ensure cost efficiency, and provide smooth implementation
Humanity Protocol raises $20M at $1.1B valuation 2025-01-27 Biometric Update
Enables interoperable, privacy-preserving credentials across decentralized ecosystems
Credentials authenticated using Humanity Protocol's verifiable credential framework and Proof of Humanity (PoP)
Goal is to build trust in Open Campus’ credentials through zero knowledge proofs
Entra Verifiable credentials Admin API with PowerShell 2025-01-29 Andres Bohren; icewolf.ch
To create a valid JWT: $JWT = $EncodedHeader + "." + $EncodedPayload
Get private key of certificate: $PrivateKey = ([System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate))
Define RSA signature and hashing algorithm: $RSAPadding = [Security.Cryptography.RSASignaturePadding]::Pkcs1; $HashAlgorithm = [Security.Cryptography.HashAlgorithmName]::SHA256
Create signature of JWT (Base64URL-encoded: "+" becomes "-", "/" becomes "_", "=" padding is removed): $Signature = [Convert]::ToBase64String($PrivateKey.SignData([System.Text.Encoding]::UTF8.GetBytes($JWT), $HashAlgorithm, $RSAPadding)) -replace '\+', '-' -replace '/', '_' -replace '='
Join signature to JWT with ".": $JWT = $JWT + "." + $Signature
Research Papers
Demystifying Interoperability – Development Gateway: An IREX Venture 2024-11-12
This paper discusses, in practical terms, what goes into implementing interoperable solutions in partnership with public administrations. Based on 20+ years of DG’s experience, the paper demystifies key components needed to build robust, resilient, and interoperable data systems, focusing on the “how” of data standardization, data governance, and implementing technical infrastructure.
[arxiv] CRSet: Non-Interactive Verifiable Credential Revocation with Metadata Privacy for Issuers and Everyone Else 2025-01 Felix Hoops, Jonas Gebele, Florian Matthes
IDs. We introduce CRSet, a revocation mechanism that allows an issuer to encode revocation information for years worth of VCs as a Bloom filter cascade. Padding is used to provide deniability for issuer metrics. Issuers periodically publish this filter cascade on a decentralized storage system. Relying Parties (RPs) can download it to perform any number of revocation checks locally. Compared to existing solutions, CRSet protects the metadata of subject, RPs, and issuer equally. At the same time, it is non-interactive, making it work with wallet devices having limited hardware power and drop-in compatible with existing VC exchange protocols and wallet applications. We present a prototype using the Ethereum blockchain as decentralized storage.
Post-Quantum Cryptography in VC - PQ and PQ/T Approaches 2025-01-31 tang_talks; Andrea Vesco; LINKS Foundation; W3C CCG
Quantum computers will break most of the cryptographies used today, so we will need to develop post-quantum cryptography #PQC, along with cryptographic agility and pliability, to future-proof security. In Verifiable Credentials #VC and Verifiable Presentations #VP, PQC needs to have (1) short signature verification time first and foremost, (2) short signature generation time, (3) small signature size, and (4) small public key size. ML-DSA-44 (Module-Lattice-Based Digital Signature Algorithm), ML-DSA-65, and ML-DSA-87 fit these requirements. PQ/T (Post-Quantum and Traditional) hybrid cryptographic schemes combine both PQC and traditional signature algorithms, and it is secure as long as one of the algorithms holds. One of the ways to combine signature schemes is the concatenation combiner that achieves the weak non-separability #WNS property. Watch the recording of the presentation and discussion (start at 8:30):
AI
Are You Human? A Dive Into the Proof of Personhood Debate Heather Flanagan 2025-01-27
I don’t think of myself as an expert in non-human identity (NHI). Instead, I’d say I’m NHI-curious and eager to share what I’m learning. Lately, I’ve been going down a rabbit hole about when and how to indicate if someone—or something—is human. I’m clearly not alone in asking this. Last year, I was one of many co-authors on a paper, Personhood Credentials: Artificial Intelligence and the Value of Privacy-Preserving Tools to Distinguish Who is Real Online, exploring these questions and challenges. Spoiler: we ended with a call for further discussion.
[linkedin] WEF Report on AI in TradeTech GLEIF
World Economic Forum's TradeTech Initiative highlights GLEIF and the verifiable Legal Entity Identifier (vLEI)
The vLEI is recognized as a secure, global "root of trust"
The emergence of Personalized AI Companions
[linkedin] Rant: Wallet Wars Pt 3 - Authentication for AI Agents 2024-01-28 David Birch
That credential will contain the public key of the agent, signed with the private key of a bank in the framework. Since my bank knows the public key of the other bank it can easily check the credential is authentic. But how does it know that the credential is being used by the correct agent? It must then check that the agent has control of the private key that corresponds to the public key in the credential.
Kin: Local First Blog 2024-09-26 Yngvi Karlson; blog.mykin.ai
Our local-first architecture houses user data directly on your mobile device. This means your innermost thoughts will remain in your control and yours only.
What Trust Is, and Why AI Needs It Yngvi Karlson; blog.mykin.ai
Part 1 of 4 about Trust and AI. Trust is a complex feeling, and without fully understanding and building it, AI will forever be limited by it.
Definition of Trustworthy AI:
Combines reliability, likeability, predictability, and correctness
Best chance for building trust
Overcomes negative stereotypes
[AI] CAN/DGSI 118 DIGITAL GOVERNANCE STANDARDS INSTITUTE
Technical committees: create, review, and approve draft standards
Open to anyone with interest in a committee's focus
Hundreds of thought leaders and stakeholders bring unique perspectives
Commitment to annual reviews: ensure reflectiveness of latest digital technology changes.
Public Review Period Announced for Data Governance in Human Research January 23, 2025
Paving the Path for Progress: Launching First-of-its-Kind Regulatory Sandbox Standard January 14, 2025
Future-Proofing AI, CAN/DGSI 101:2025 The Latest Standard Revolutionizes Ethical Tech for SMEs January 8, 2025
Future-Proofing Digital Governance: Maintenance Review of Agile and Open Procurement Standard for Digital Solutions (CAN/DGSI 108) December 18, 2024
CAN/DGSI 112: Canada’s Cybersecurity Workforce Stands Strong December 12, 2024
DGSI Publishes New Standard for Online Voting: CAN/DGSI 111-1 December 11, 2024
Web3
[cryptocurrency] [ieee] Cross-Chain Asset Transaction Method Based on Decentralized Digital Identity 2024-08-17 Ruiyao Zhou; Shuhui Zhang; Lianhai Wang; Shujiang Xu; Wei Shao; Ting Gao
this study optimizes identity identification and authentication methods with a privacy-preserving solution for cross-chain asset transactions. This enhances the identity management mechanism, safeguarding user privacy. Initially using ring signature algorithms to anonymize user identities, the study now employs Decentralized Identity (DID) and Verifiable Credentials (VC) for unified identity identification and authentication across chains. This approach grants users control over their identities, removes blockchain barriers, and adapts to multiple scenarios. Comparative analysis includes gas consumption, transaction delays, and performance evaluations of both solutions.
Explainer
[linkedin] The difference between digital identity, identification, and ID David Eaves
Explore a Robotic ID element in Ghanaian design
Unique DOVID (Diffractive Optically Variable Image Device) for authentication with IQ CHECK mobile application powered by Trask
Sophisticated protection against identity document forgery
Privacy
[linkedin] I Know Where You Live Simone Onofri
🗺️ I Know Where You Live: Inferring Details of People’s Lives by Visualizing Publicly Shared Location Data
Thanks for Reading
Read more \ Subscribe: newsletter.identosphere.net
Contact \ Submission: newsletter [at] identosphere [dot] net