Difference between revisions of "Proof of Presence"
(→Context) |
(→Context) |
||
Line 17: | Line 17: | ||
there are two ways to get a trusted signer on the phone. | there are two ways to get a trusted signer on the phone. | ||
# register an app that is trusted. If that is the method the easiest way is to register the actual instance of the wallet itself to the user. | # register an app that is trusted. If that is the method the easiest way is to register the actual instance of the wallet itself to the user. | ||
− | # depend on the trusted element in the phone to boot up an assurance element - the TPM code in the TEE could do that, but it depends on a trusted server in the could. All of these depend on a web of trust that is not based on any human intervention. Not sure what the rWOT guys think about that? (nb this could be accomplished with a webauthn token like that from Yubikey | + | # depend on the trusted element in the phone to boot up an assurance element - the TPM code in the TEE could do that, but it depends on a trusted server in the could. All of these depend on a web of trust that is not based on any human intervention. Not sure what the rWOT guys think about that? (nb this could be accomplished with a webauthn token like that from Yubikey) |
==References== | ==References== |
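Review bot: In the revised item 2, the added closing parenthesis balances the "(nb ..." aside, but the same line still reads "a trusted server in the could", which should be "cloud". While the line is being touched, "webauthn" and "Yubikey" could also be written as "WebAuthn" and "YubiKey".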
Revision as of 12:44, 22 January 2021
Full Title
Proof of Presence of user and app: Proposed work item pending funding.
Context
- Decentralized ID presents a problem with assurance of the trustworthiness of the wallet apps.
Goal: to convert a verifiable credential into a verifiable presentation that includes online proof of presence of the subject of the Verifiable Presentation.
Orie Steele (Transmute) 5:46 AM @Tom Jones I did some work on biometric verifiable presentations a while ago. I used BioID Face Recognition & Liveness Detection Software. BioID provides software-based biometric authentication with presentation attack detection using face recognition and liveness detection. Most likely you would make a presentation that included a short lived liveness credential and the other credential you cared about like VP: [DriversLicense, BiometricLivenessCheck]
Tom Jones 7:42 AM @Orie Steele (Transmute) thanks - I guess you are saying that some other element in the phone must be trusted to create creds.
Stephen Curran (Cloud Compass) 7:55 AM I think that's a great use case and it would be good to make that possible. But you've nailed it that for such a credential to work, there has to be an element on the phone that is a "trusted" issuer -- something that the verifier can trust. In theory an open source, signed wallet might be able to do that, I suspect it will need to be at the phone OS level.
There are two ways to get a trusted signer on the phone:
- Register an app that is trusted. With that method, the easiest way is to register the actual instance of the wallet itself to the user.
- Depend on the trusted element in the phone to boot up an assurance element. The TPM code in the TEE could do that, but it depends on a trusted server in the cloud. All of these depend on a web of trust that is not based on any human intervention. Not sure what the rWOT guys think about that? (N.B. this could be accomplished with a WebAuthn token like that from YubiKey.)
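The verifier-side policy implied by the discussion above, as an added example (not code from this wiki or from the people quoted): accept a presentation only if its short-lived liveness credential comes from a trusted signer and is bound to the same subject as the other credential. Field names follow the W3C Verifiable Credentials data model; the 5-minute freshness window, the DIDs and the holder-equals-subject rule are assumptions, and signature verification is assumed to have happened already.

```python
from datetime import datetime, timedelta, timezone

LIVENESS = "BiometricLivenessCheck"       # type name taken from the discussion above
MAX_AGE = timedelta(minutes=5)            # assumed freshness policy, not from the page

def _ts(value):
    # VC timestamps are RFC 3339 strings, e.g. 2021-01-22T12:44:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_presence(vp, trusted_issuers, now):
    """Return (ok, reason). Assumes the proofs on the VP and each VC were already verified."""
    creds = vp.get("verifiableCredential", [])
    live = [c for c in creds if LIVENESS in c.get("type", [])]
    rest = [c for c in creds if LIVENESS not in c.get("type", [])]
    if not live or not rest:
        return False, "need a liveness credential plus at least one other credential"
    try:
        lc = live[0]
        issuer = lc["issuer"]["id"] if isinstance(lc["issuer"], dict) else lc["issuer"]
        issued, expires = _ts(lc["issuanceDate"]), _ts(lc["expirationDate"])
        subject = lc["credentialSubject"]["id"]
        rest_subjects = {c["credentialSubject"]["id"] for c in rest}
    except (KeyError, TypeError, ValueError, AttributeError):
        return False, "malformed credential"
    if issuer not in trusted_issuers:
        return False, "liveness issuer is not a trusted signer"
    if not (issued <= now < expires) or now - issued > MAX_AGE:
        return False, "liveness credential is not fresh"
    if rest_subjects != {subject} or vp.get("holder") != subject:
        return False, "liveness check is not bound to the presented subject"
    return True, "ok"

# Constructed sample data (all DIDs and timestamps are made up for illustration).
def _vc(types, issuer, issued, expires):
    return {"type": ["VerifiableCredential"] + types, "issuer": issuer,
            "issuanceDate": issued, "expirationDate": expires,
            "credentialSubject": {"id": "did:example:alice"}}

SAMPLE_VP = {
    "type": ["VerifiablePresentation"], "holder": "did:example:alice",
    "verifiableCredential": [
        _vc(["DriversLicense"], "did:example:dmv", "2020-06-01T00:00:00Z", "2024-06-01T00:00:00Z"),
        _vc([LIVENESS], "did:example:wallet-instance-1", "2021-01-22T12:44:00Z", "2021-01-22T12:49:00Z"),
    ],
}
TRUSTED = {"did:example:wallet-instance-1"}
NOW = datetime(2021, 1, 22, 12, 46, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_presence(SAMPLE_VP, TRUSTED, NOW))
```

The trusted-issuer set is where the two options listed above differ: it holds either the registered wallet instance or the identity of the device-rooted assurance element.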
References
- This wiki is part of the larger problem of Apps on User Devices.
- A related problem is described in the Over 21 with Proof of Presence Use Case.