Proof of Control
Proof of Control applies to credentials that are meant to show that the user at the end of a communications link has control of that credential.
- Decentralized ID presents a problem with assurance of the trustworthiness of the wallet apps.
Goal: to establish a level of assurance that the user is who they claim to be.
Level 1 - the user signs a nonce with their credential and returns it to the requester.
Level 2 - the user signs a nonce and additionally provides proof of the security of the device holding the credential.
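The Level 1 exchange, as an added example (not code from the original page): the requester issues a random, single-use nonce with a short lifetime, the wallet signs the nonce bound to the requester's identifier with the credential's private key, and the requester checks the signature against the key it has on file for that user. The `Verifier`, `Respond` and the audience string are assumptions introduced for illustration; the Level 2 device-security proof is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Verifier is the requester side of the proof-of-control exchange (hypothetical design).
type Verifier struct {
	audience string                        // identifier of this verifier, bound into every signed message
	ttl      time.Duration                 // how long an issued nonce stays valid
	issued   map[string]time.Time          // outstanding nonces -> issue time
	holders  map[string]ed25519.PublicKey  // registered credential public keys by user id
	now      func() time.Time              // injectable clock so expiry can be tested
}

func NewVerifier(audience string, ttl time.Duration) *Verifier {
	return &Verifier{
		audience: audience,
		ttl:      ttl,
		issued:   make(map[string]time.Time),
		holders:  make(map[string]ed25519.PublicKey),
		now:      time.Now,
	}
}

// Register stores the public half of a user's credential (e.g. captured at enrolment).
func (v *Verifier) Register(userID string, pub ed25519.PublicKey) {
	v.holders[userID] = pub
}

// Challenge issues a fresh 256-bit random nonce and remembers when it was issued.
func (v *Verifier) Challenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(buf)
	v.issued[nonce] = v.now()
	return nonce, nil
}

// message binds the nonce to the intended audience, so a response captured for one
// verifier cannot be replayed to another.
func message(nonce, audience string) []byte {
	return []byte(nonce + "|" + audience)
}

// Respond is the wallet side: sign the nonce for the audience the wallet believes it is talking to.
func Respond(priv ed25519.PrivateKey, nonce, audience string) []byte {
	return ed25519.Sign(priv, message(nonce, audience))
}

// Verify checks that the response proves control of the registered credential.
func (v *Verifier) Verify(userID, nonce string, sig []byte) error {
	pub, ok := v.holders[userID]
	if !ok {
		return errors.New("unknown user")
	}
	issuedAt, ok := v.issued[nonce]
	if !ok {
		return errors.New("nonce not issued or already used")
	}
	delete(v.issued, nonce) // single use: a second presentation is a replay
	if v.now().Sub(issuedAt) > v.ttl {
		return errors.New("nonce expired")
	}
	if !ed25519.Verify(pub, message(nonce, v.audience), sig) {
		return errors.New("signature does not verify against the registered credential")
	}
	return nil
}

func main() {
	// Constructed demo: enrol a key, run one challenge/response, then attempt a replay.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier("https://verifier.example", time.Minute)
	v.Register("alice", pub)
	nonce, _ := v.Challenge()
	sig := Respond(priv, nonce, "https://verifier.example")
	fmt.Println("first response:", v.Verify("alice", nonce, sig))
	fmt.Println("replayed response:", v.Verify("alice", nonce, sig))
}
```

The audience binding and single-use bookkeeping are what make a signed nonce an assertion about this session rather than a reusable token; without them the signature only proves that the key signed something at some point.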
There are two ways to get a trusted signer on the phone.
- register an app that is trusted. If that is the method the easiest way is to register the actual instance of the wallet itself to the user.
- depend on the trusted element in the phone to boot up an assurance element - the TPM code in the TEE could do that, but it depends on a trusted server in the cloud. All of these depend on a web of trust that is not based on any human intervention. Not sure what the rWOT guys think about that? (nb this could be accomplished with a WebAuthn token like that from YubiKey)