Difference between revisions of "Verified Wallet"
(→Context) |
(→References) |
||
(27 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
==Full Title or Meme== | ==Full Title or Meme== | ||
A [[Verified Wallet]] is a piece of software that can be installed on a mobile computing device with a [[Secure Enclave]] that an [[App Assessor]] has determined to meet the [[Software Assessment Criteria]] for protecting user data both on-site and in-flight. | A [[Verified Wallet]] is a piece of software that can be installed on a mobile computing device with a [[Secure Enclave]] that an [[App Assessor]] has determined to meet the [[Software Assessment Criteria]] for protecting user data both on-site and in-flight. | ||
+ | |||
+ | Synonym: Attested Wallet | ||
==Context== | ==Context== | ||
Line 6: | Line 8: | ||
* The best example of a trusted wallet in 2020 is a well-known smartphone app that can hold and release [[Blockchain]] cash like [[Bitcoin]]. | * The best example of a trusted wallet in 2020 is a well-known smartphone app that can hold and release [[Blockchain]] cash like [[Bitcoin]]. | ||
* With the extensions of [[Digital Identifier]]s like eID in the EU and user held personal health records as mandated by the 21st Century Cures act, it is time for users to be able to determine if an app is verified to meet their needs before the load it and trust their money or the most personal information to it. | * With the extensions of [[Digital Identifier]]s like eID in the EU and user held personal health records as mandated by the 21st Century Cures act, it is time for users to be able to determine if an app is verified to meet their needs before the load it and trust their money or the most personal information to it. | ||
+ | * The [https://www.ftc.gov/news-events/press-releases/2021/09/ftc-warns-health-apps-connected-device-companies-comply-health US FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule] They issued this [https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf STATEMENT OF THE COMMISSION On Breaches by Health Apps and Other Connected Devices] dated 2021-09-15 which noted that "when a health app, for example, discloses sensitive health information without users’ authorization, this is a “breach of security” under the Rule. Violations of the Rule face civil penalties of $43,792 per violation per day." | ||
+ | * The [https://www.bundesregierung.de/breg-de/aktuelles/oekosystem-digitale-identitaet-1960124 German Government announced] the completion of the first phase of a digital wallet for a [[Self-Sovereign Identity]] wallet on 2021-09-15 that needs to be sanctioned by the various members of the EU by 2022-09. | ||
+ | |||
+ | ==Existing Regulations== | ||
+ | |||
+ | The FTC issued the [https://www.ftc.gov/policy/federal-register-notices/health-breach-notification-rule-final-rule Health Breach Notification Rule], on 2009-08-17 which requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed '''or acquired without the consumers’ authorization'''. Over a decade later, health apps and other connected devices that collect personal health data are not only mainstream—and have increased in use during the pandemic—but are targets ripe for scammers and other cyber hacks. Yet, there are still too few privacy protections for these apps. | ||
+ | |||
+ | ==Problems== | ||
+ | * There are existing policy, procedures and contracts that specified older, obesolete security methods that cannot be just changed without some rule making. | ||
+ | * For example changing password on a set schedules or odd password complexity rues are still written into contracts. | ||
+ | |||
+ | ==Solutions== | ||
+ | |||
+ | A set of [[Software Assessment Criteria]] that can be tested to verify that a wallet can be installed on a mobile device so that user's perusal data (Healthcare or other) will be protected from disclosure. | ||
+ | |||
+ | ===Terminology=== | ||
+ | # Subject | ||
+ | # Holder | ||
+ | # Trust Authority (The active Trust Authority will be the one involved in a current connection supported by the wallet.) | ||
+ | # Trusted Service Provider | ||
+ | # User Private Information. | ||
+ | |||
+ | ===Requirements=== | ||
+ | These are the requirements that a wallet [[Software Assessment Criteria]] MUST ensure. | ||
+ | # Store in protected storage a user credential that can be used to authenticate the holder to a service provider. | ||
+ | # Bind the wallet to one (or more) Trust Authorities. | ||
+ | # Validate any service provider to be sure that it is trusted by the active Trust Authority. | ||
+ | # Protect user private information. | ||
+ | # Control access to user private information. | ||
+ | # Establish user intent is freely provided before any protected information is released. | ||
+ | |||
+ | ===User Experience=== | ||
+ | Also see the wiki page on [[Wallet User Experience]]. | ||
==References== | ==References== | ||
[[Category: Glossary]] | [[Category: Glossary]] | ||
+ | [[Category: User Agent]] | ||
[[Category: Trust]] | [[Category: Trust]] | ||
+ | [[Category: Identifier]] |
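Review bot: The added Terminology list names Subject, Holder, Trusted Service Provider and User Private Information without defining any of them, yet the Requirements added directly below depend on those terms and switch to lower-case "service provider" and "user private information". Add a one-line definition per term and use the defined forms consistently in the Requirements. The added Problems and Solutions lines also carry typos: "obesolete", "password complexity rues", and "user's perusal data", which presumably means personal data.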
Latest revision as of 11:13, 10 October 2023
Full Title or Meme
A Verified Wallet is a piece of software that can be installed on a mobile computing device with a Secure Enclave that an App Assessor has determined to meet the Software Assessment Criteria for protecting user data both on-site and in-flight.
Synonym: Attested Wallet
Context
- This specification is designed to fill the needs of a mobile app that can be used to hold and release user credentials and personal information only as the user intends.
- The best example of a trusted wallet in 2020 is a well-known smartphone app that can hold and release Blockchain cash like Bitcoin.
- With the extensions of Digital Identifiers like eID in the EU and user-held personal health records as mandated by the 21st Century Cures Act, it is time for users to be able to determine if an app is verified to meet their needs before they load it and trust their money or their most personal information to it.
- The US FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule. They issued this STATEMENT OF THE COMMISSION On Breaches by Health Apps and Other Connected Devices, dated 2021-09-15, which noted that "when a health app, for example, discloses sensitive health information without users’ authorization, this is a “breach of security” under the Rule. Violations of the Rule face civil penalties of $43,792 per violation per day."
- The German Government announced the completion of the first phase of a Self-Sovereign Identity digital wallet on 2021-09-15 that needs to be sanctioned by the various members of the EU by 2022-09.
Existing Regulations
The FTC issued the Health Breach Notification Rule on 2009-08-17, which requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization. Over a decade later, health apps and other connected devices that collect personal health data are not only mainstream—and have increased in use during the pandemic—but are targets ripe for scammers and other cyber hacks. Yet there are still too few privacy protections for these apps.
Problems
- There are existing policies, procedures and contracts that specify older, obsolete security methods that cannot simply be changed without some rule making.
- For example, changing passwords on a set schedule or odd password complexity rules are still written into contracts.
Solutions
A set of Software Assessment Criteria that can be tested to verify that a wallet can be installed on a mobile device so that the user's personal data (healthcare or other) will be protected from disclosure.
Terminology
- Subject
- Holder
- Trust Authority (The active Trust Authority will be the one involved in a current connection supported by the wallet.)
- Trusted Service Provider
- User Private Information.
Requirements
These are the requirements that the Software Assessment Criteria for a wallet MUST ensure.
- Store in protected storage a user credential that can be used to authenticate the holder to a service provider.
- Bind the wallet to one (or more) Trust Authorities.
- Validate any service provider to be sure that it is trusted by the active Trust Authority.
- Protect user private information.
- Control access to user private information.
- Establish that user intent is freely provided before any protected information is released.
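The binding, service provider validation, access control and user intent requirements above can be read as one release decision. The sketch below is an added example, not part of the original page or of any wallet specification; the class names, the consent record and the sample providers are hypothetical and constructed for illustration.

```python
import time
from dataclasses import dataclass, field

@dataclass
class TrustAuthority:            # hypothetical model of a Trust Authority
    name: str
    trusted_providers: set       # providers this authority vouches for

@dataclass
class Consent:                   # hypothetical record of user intent
    provider: str                # the one provider the user approved
    items: frozenset             # the exact items the user approved
    expires_at: float            # intent is not open-ended

@dataclass
class Wallet:
    bound: dict = field(default_factory=dict)         # name -> TrustAuthority
    private_info: dict = field(default_factory=dict)  # user private information

    def bind(self, ta):
        self.bound[ta.name] = ta

    def release(self, active_ta, provider, items, consent, now=None):
        """Return (released, reason); nothing leaves unless every check passes."""
        now = time.time() if now is None else now
        ta = self.bound.get(active_ta)
        if ta is None:
            return {}, "trust authority not bound"
        # Only the active authority counts, not any other bound authority.
        if provider not in ta.trusted_providers:
            return {}, "provider not trusted by active trust authority"
        if consent is None or consent.provider != provider:
            return {}, "no user intent for this provider"
        if now >= consent.expires_at:
            return {}, "user intent expired"
        requested = frozenset(items)
        if not requested <= consent.items:
            return {}, "request exceeds what the user approved"
        if not requested <= set(self.private_info):
            return {}, "unknown item requested"
        return {k: self.private_info[k] for k in requested}, "released"

def demo_wallet():
    """Constructed sample data: two bound authorities, two private items."""
    w = Wallet(private_info={"blood_type": "O+", "allergies": "none"})
    w.bind(TrustAuthority("health-ta", {"clinic.example"}))
    w.bind(TrustAuthority("bank-ta", {"bank.example"}))
    return w
```

A provider vouched for by a different bound authority is still refused when that authority is not the active one, and consent given for one item does not cover a wider request.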
User Experience
Also see the wiki page on Wallet User Experience.