Difference between revisions of "Proof of Presence"
(→Context) |
(→Solution) |
||
| Line 19: | Line 19: | ||
# register an app that is trusted. If that is the method the easiest way is to register the actual instance of the wallet itself to the user. | # register an app that is trusted. If that is the method the easiest way is to register the actual instance of the wallet itself to the user. | ||
# depend on the trusted element in the phone to boot up an assurance element - the TPM code in the TEE could do that, but it depends on a trusted server in the could. All of these depend on a web of trust that is not based on any human intervention. Not sure what the rWOT guys think about that? (nb this could be accomplished with a webauthn token like that from Yubikey) | # depend on the trusted element in the phone to boot up an assurance element - the TPM code in the TEE could do that, but it depends on a trusted server in the could. All of these depend on a web of trust that is not based on any human intervention. Not sure what the rWOT guys think about that? (nb this could be accomplished with a webauthn token like that from Yubikey) | ||
| + | The traveler Identification process is compliant with ICAO standards. The process that a passenger would take to securely identify themselves in the IATA Travel Pass uses government issued ePassports to create a digital travel credential as per the standards developed through ICAO. The process has six steps: | ||
| + | #Download the free IATA Travel Pass to their Smart phone and login | ||
| + | #Take a selfie with the smart phone | ||
| + | #Complete a liveness test as instructed by the phone – i.e., move their head, close their eyes in front of the camera as instructed | ||
| + | #Scan the data on the two lines at the bottom of the passport photo page with their smart phones and scan the data-chip on the passport as prompted by the phone | ||
| + | #The IATA Travel Pass then matches the photo with the passport data (which contains a digital biometric photo of the passport holder) to verify that (1) the passport belongs to the person in front of the phone and (2) that the passport is genuine and has not been tampered with. | ||
| + | #The verified digital travel credential is then stored on the passenger's phone and can be used as their ‘digital passport/ ID’. | ||
==References== | ==References== | ||
Revision as of 23:11, 24 January 2021
Contents
Full Title
Proof of Presence of user and app: Proposed work item pending funding.
Context
- Decentralized ID presents a problem with assurance of the trustworthiness of the wallet apps.
Goal: to convert a verifiable credential into a verifiable presentation that includes online proof of presence of the subject of the Verifiable Presentation.
Orie Steele (Transmute) 5:46 AM @Tom Jones I did some work on biometric verifiable presentations a while ago. I used BioID Face Recognition & Liveness Detection Software. BioID provides software-based biometric authentication with presentation attack detection using face recognition and liveness detection. Most likely you would make a presentation that included a short lived liveness credential and the credential of primary concert to the Verifiable Presentation, for example: {DriversLicense, BiometricLivenessCheck}.
Tom Jones 7:42 AM @Orie Steele (Transmute) thanks - I guess you are saying that some other element in the phone must be trusted to create creds.
Stephen Curran (Cloud Compass) 7:55 AM I think that's a great use case and it would be good to make that possible. But you've nailed it that for such a credential to work, there has to be an element on the phone that is a "trusted" issuer -- something that the verifier can trust. In theory an open source, signed wallet might be able to do that, I suspect it will need to be at the phone OS level.
Solution
there are two ways to get a trusted signer on the phone.
- register an app that is trusted. If that is the method the easiest way is to register the actual instance of the wallet itself to the user.
- depend on the trusted element in the phone to boot up an assurance element - the TPM code in the TEE could do that, but it depends on a trusted server in the could. All of these depend on a web of trust that is not based on any human intervention. Not sure what the rWOT guys think about that? (nb this could be accomplished with a webauthn token like that from Yubikey)
The traveler Identification process is compliant with ICAO standards. The process that a passenger would take to securely identify themselves in the IATA Travel Pass uses government issued ePassports to create a digital travel credential as per the standards developed through ICAO. The process has six steps:
- Download the free IATA Travel Pass to their Smart phone and login
- Take a selfie with the smart phone
- Complete a liveness test as instructed by the phone – i.e., move their head, close their eyes in front of the camera as instructed
- Scan the data on the two lines at the bottom of the passport photo page with their smart phones and scan the data-chip on the passport as prompted by the phone
- The IATA Travel Pass then matches the photo with the passport data (which contains a digital biometric photo of the passport holder) to verify that (1) the passport belongs to the person in front of the phone and (2) that the passport is genuine and has not been tampered with.
- The verified digital travel credential is then stored on the passenger's phone and can be used as their ‘digital passport/ ID’.
References
- This wiki is part of the larger problem of Apps on User Devices.
- A related problem is described in the Over 21 with Proof of Presence Use Case.
