Proof of Control

From MgmtWiki
Revision as of 18:59, 24 January 2021 by Tom (talk | contribs) (Created page with "==Full Title== Proof of Control applies to credentials that are meant to show that the user at the end of a communications link has control of that credential. ==Context=...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Full Title

Proof of Control applies to credentials that are meant to show that the user at the end of a communications link has control of that credential.

Context

  • Decentralized ID presents a problem with assurance of the trustworthiness of the wallet apps.

Goal: to convert establish a level of assurance that he user is who they claim to be.

Level 1 - the user signs a nonce with their credential and returns it to the requester. Level 2 - the user signs a nonce and provides proof of the security of the device holding the credential.


Solution

there are two ways to get a trusted signer on the phone.

  1. register an app that is trusted. If that is the method the easiest way is to register the actual instance of the wallet itself to the user.
  2. depend on the trusted element in the phone to boot up an assurance element - the TPM code in the TEE could do that, but it depends on a trusted server in the could. All of these depend on a web of trust that is not based on any human intervention. Not sure what the rWOT guys think about that? (nb this could be accomplished with a webauthn token like that from Yubikey)

References