Verified Wallet

From MgmtWiki

Full Title or Meme

A Verified Wallet is software, installable on a mobile computing device with a Secure Enclave, that an App Assessor has determined meets the Software Assessment Criteria for protecting user data both on-site and in-flight.

Synonym: Attested Wallet

Context

Existing Regulations

The FTC issued the Health Breach Notification Rule on 2009-08-17. It requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization. Over a decade later, health apps and other connected devices that collect personal health data are not only mainstream (and have increased in use during the pandemic) but are also ripe targets for scammers and other cyber attacks. Yet there are still too few privacy protections for these apps.

Problems

  • Existing policies, procedures and contracts specify older, obsolete security methods that cannot simply be changed without some rule making.
  • For example, requirements to change passwords on a set schedule, or odd password complexity rules, are still written into contracts.

Solutions

A set of Software Assessment Criteria that can be tested to verify that a wallet can be installed on a mobile device so that the user's personal data (healthcare or other) will be protected from disclosure.

Terminology

  1. Subject
  2. Holder
  3. Trust Authority (The active Trust Authority will be the one involved in a current connection supported by the wallet.)
  4. Trusted Service Provider
  5. User Private Information

Requirements

These are the requirements that the wallet Software Assessment Criteria MUST ensure.

  1. Store in protected storage a user credential that can be used to authenticate the holder to a service provider.
  2. Bind the wallet to one (or more) Trust Authorities.
  3. Validate any service provider to be sure that it is trusted by the active Trust Authority.
  4. Protect user private information.
  5. Control access to user private information.
  6. Establish that user intent is freely provided before any protected information is released.

User Experience

Also see the wiki page on Wallet User Experience.

References