Strengthening Trust Boundaries for Holder Software in Verifiable Credential Processing

[awoie]

From PING review: w3cping/privacy-request#121 (comment):

Holder based tracking: Under the current design it's plausible that a generic holder software colloquially known as a wallet can syphon PII, credential usage, and other sensitive information about the subject in the same way that a Browser could with data like browsing history. This is semi highlighted by section 7.11 from the angle of storage, but not from the angle of processing. Given there's an inherent trust boundary between the subject and the holder that may need to be further defined here to match the UA model established between a browser and it's user where the holder is not a first party or a third party. The recommendations for this is to highlight the inherent trust boundary between the holder and subject to make it known that the holder software should be acting on behalf of the subject's interests.

[jandrieu]

There is no required relationship between a holder and a subject.

I could hold a VC whose subject is an abstract concept, such as "Gravity" and use that wherever it may be appropriate, regardless of whether or not it's even possible to act on "behalf" of Gravity.

So, there is no presumption of trust or trustlessness between Subject and Holder, in either direction. and hence no trust boundary to strengthen in the context of VCs.

However, it may be useful to clarify this fundamental if the discussion of subject != holder fails to explain this adequately.

[iherman]

The issue was discussed in a meeting on 2023-08-23

• no resolutions were taken

View the transcript

3.4. Strengthening Trust Boundaries for Holder Software in Verifiable Credential Processing (issue vc-data-model#1246)

See github issue vc-data-model#1246.

Brent Zundel: I am not sure what we could say about the topic considering our own charter.

Dmitri Zagidulin: +1 to post-cr on 1246.

Manu Sporny: +1 to handling this during CR.

Brent Zundel: I don't believe we are qualified as a WG to make this Pre-CR.

[kdenhartog]

@jandrieu I understand the use case you're arguing for, but that's not the primary use case being called out here. I agree some of my language wasn't nuanced enough but it relies upon the language defined within the specification.

The principle I've called out in the PING review is that the concept of a holder software (wallet) is synonymous with a User Agent. In the majority of prominent use cases today, the holder software being used by the holder is acting on behalf of the holder to manage verifiable credentials where the subject is the holder. Therefore, if there's a trust boundary between holder software (which I'm asserting there is) and holder and the subject is the same holder than by using the transitive property we can establish that there's a trust boundary between the holder software and the subject when the holder and subject are equal. Since the spec does not distinguish between holder software and holders this implies that the term "holder" is synonymous with both which is the same as browser not distinguishing between a user agent and a user. Instead, the User agent acts on behalf of the user in the same way as the holder software acts on behalf of the holder.

Now similar to the expectation that users don't want their browsers to syphon their browsing histories off to the browser software authors (even if it's about a different person such as the user entering someone else's email address), users don't want their wallets syphoning this VCs or usage of VCs off to the wallet makers. Given there are plenty of use cases where subject == holder within the ecosystem to date, my request on behalf of PING during the review was to further clarify this in that case so that it's established that this is not considered an acceptable practice and noted within the specification. I think we can all agree that this is fine to highlight. Does that clarify further what specific changes have been requested?

[iherman]

The issue was discussed in a meeting on 2023-09-15

• no resolutions were taken

View the transcript

3.3. Strengthening Trust Boundaries for Holder Software in Verifiable Credential Processing (issue vc-data-model#1246)

See github issue vc-data-model#1246.

Brent Zundel: This one is tricky w/ nature of charter, not chartered to deal w/ protocols, at same time, wondering what the best path forward is here.

Nick Doty: This is a relevant open question about whether the user by definition trusts the wallet or whether that wallet did something that doesn't protect their privacy. Again, I don't know what needs to be defined in which spec. Perhaps it's a protocol question, but we're in a situation where it's not clear -- is the wallet acting on behalf of user -- or is wallet a piece of software acting on some other entity's behalf -- user needs to protect.

Manu Sporny: themselves from that piece of software.

Nick Doty: That is a question we're going to have to answer, don't know if it needs to be in this spec or not, which party is user agent.

Dmitri Zagidulin: From phrasing of the comment, that last sentence is to highlight trust boundary, would it be sufficient to highlight the trust boundary -- wallet is in position of power, it is a user agent, it should be treated as such?

Kristina Yasuda: I do think we can address that, it's in scope, users are not directly tied to software they're using -- don't know if we should introduce term wallet, but adding a few sentences here should be appropriate.

Dmitri Zagidulin: do we actually use the term 'holder software'?

Dmitri Zagidulin: (I know we have 'holder').

Brent Zundel: I don't believe we do.

Joe Andrieu: Our presumption is wallet is user agent, but people will need to use wallets under control of other entities, when you're acting on behalf of us, having understanding of trust boundaries allows one to understand risks when using technology.

Nick Doty: +1 Joe.

Brent Zundel: We could add some guidance, but at this layer there's not much we can do what we can enable/enforce.

Manu Sporny: We do have privacy/security considerations, we can state things in there.

[iherman]

The issue was discussed in a meeting on 2023-09-26

• no resolutions were taken

View the transcript

2.5. Strengthening Trust Boundaries for Holder Software in Verifiable Credential Processing (issue vc-data-model#1246)

See github issue vc-data-model#1246.

Kristina Yasuda: We talked about this one two weeks ago with Nick from PING.
… I think overall, me, Brent, Manu, Dmitri, Joe, were saying that we can somewhat address this in the text. But we do not have anyone assigned.
… Is there anyone who would like to volunteer to do a PR? If this is clear enough?

Manu Sporny: I can probably take this, if I can't get to it maybe someone can take it off my plate. All they are asking for is a privacy consideration around the fact ... that digital wallets are in a privileged position and that should be highlighted.

Kristina Yasuda: Ok, if too much on your plate, bring it up on the call, assigning to you.

Manu Sporny: Thanks.

[msporny]

PR #1324 has been raised to address this issue. This issue will be closed if PR #1324 is merged.

[msporny]

PR #1324 has been merged, closing.