Difference between revisions of "Proof of Control"
From MgmtWiki
(Created page with "==Full Title== Proof of Control applies to credentials that are meant to show that the user at the end of a communications link has control of that credential. ==Context=...") |
(→References) |
||
Line 19: | Line 19: | ||
==References== | ==References== | ||
* This wiki is part of the larger problem of [[Apps on User Devices]]. | * This wiki is part of the larger problem of [[Apps on User Devices]]. | ||
+ | * Also part of the wiki page on [[Proof of Presence]]. | ||
* A related problem is described in the [https://wiki.idesg.org/wiki/index.php/Over_21_with_Proof_of_Presence_Use_Case Over 21 with Proof of Presence Use Case]. | * A related problem is described in the [https://wiki.idesg.org/wiki/index.php/Over_21_with_Proof_of_Presence_Use_Case Over 21 with Proof of Presence Use Case]. | ||
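Review bot: the added bullet "Also part of the wiki page on [[Proof of Presence]]" does not say how the two pages relate, and "part of the wiki page" reads as if this page were a section of that one. The unchanged bullet after it already links the "Over 21 with Proof of Presence Use Case", so consider wording such as "See also [[Proof of Presence]]" with a short clause on how proof of presence relates to proof of control.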
Revision as of 23:10, 24 January 2021
Full Title
Proof of Control applies to credentials that are meant to show that the user at the end of a communications link has control of that credential.
Context
- Decentralized ID presents a problem with assurance of the trustworthiness of the wallet apps.
Goal: to establish a level of assurance that the user is who they claim to be.
- Level 1: the user signs a nonce with their credential and returns it to the requester.
- Level 2: the user signs a nonce and provides proof of the security of the device holding the credential.
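The Level 1 exchange as a challenge-response, in an added Go example that is not part of the original wiki page. Ed25519, the `verifier.example` audience, the `proof-of-control-v1` prefix, the nonce expiry and all type and function names are assumptions made for illustration; Level 2 device proof is not covered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"time"
)

// Verifier issues challenges and accepts each nonce at most once, while it is fresh.
type Verifier struct {
	Audience string               // verifier's own identifier, bound into the signed bytes
	pending  map[string]time.Time // outstanding nonce -> expiry
}

// Challenge issues a random 32-byte nonce that expires after ttl.
func (v *Verifier) Challenge(ttl time.Duration) []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err) // no entropy: never issue a guessable challenge
	}
	if v.pending == nil {
		v.pending = map[string]time.Time{}
	}
	v.pending[string(n)] = time.Now().Add(ttl)
	return n
}

// message ties the nonce to one verifier so a signature cannot be relayed to another.
func message(aud string, nonce []byte) []byte {
	return append([]byte("proof-of-control-v1|"+aud+"|"), nonce...)
}

// Respond is the wallet side: sign the challenge with the credential's private key.
func Respond(priv ed25519.PrivateKey, aud string, nonce []byte) []byte {
	return ed25519.Sign(priv, message(aud, nonce))
}

// Verify consumes the nonce even on failure, then checks freshness and the signature.
func (v *Verifier) Verify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	exp, ok := v.pending[string(nonce)]
	delete(v.pending, string(nonce))
	return ok && time.Now().Before(exp) && ed25519.Verify(pub, message(v.Audience, nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{Audience: "verifier.example"}
	n := v.Challenge(time.Minute)
	println(v.Verify(pub, n, Respond(priv, v.Audience, n))) // true
}
```

A successful check shows only that the responder holds the private key registered for the credential; it says nothing about the device or wallet app protecting that key, which is the gap Level 2 addresses.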
Solution
There are two ways to get a trusted signer on the phone.
- Register an app that is trusted. If that is the method, the easiest way is to register the actual instance of the wallet itself to the user.
- Depend on the trusted element in the phone to boot up an assurance element. The TPM code in the TEE could do that, but it depends on a trusted server in the cloud. All of these depend on a web of trust that is not based on any human intervention. Not sure what the rWOT guys think about that. (N.B. this could be accomplished with a WebAuthn token like that from Yubikey.)
References
- This wiki is part of the larger problem of Apps on User Devices.
- Also part of the wiki page on Proof of Presence.
- A related problem is described in the Over 21 with Proof of Presence Use Case.