20J/ Device-free SSI: Ideas, Potentials and Challenges

From IIW

Device-Free SSI: Ideas, Potentials & Challenges

Thursday 20J

Convener: Nuttawut Kongsuwan

Notes-taker(s): Charles E. Lehner

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Most realizations of self-sovereign identity (SSI) rely on some form of local, personal digital wallet, typically a smartphone. However, a large proportion of the world's population does not own or have access to any smart device. In this session, we discussed the potential of device-free self-sovereign identity, where a user can take full control of their digital identity without needing a smart device. We also discussed the security requirements for such a solution and outlined relevant cryptographic protocols that could be used to realize it.

ZOOM CHAT LOG:

Catherine Nabbala, 10:56:43 AM

For offline discussions, pls email: win@finema.co

Frederico Schardong, 11:01:05 AM

Some people argue that most biometrics (facial recognition, iris, etc) cannot be used for authentication, only for identification. The reasoning behind this is that we leave biometric prints everywhere we go and can't do much about it. We touch things, we show our faces, we look at things.

Drummond Reed, 11:02:54 AM

+1

Eric Welton (Korsimoro), 11:14:35 AM

@Frederic

I think there might be a possibility of merging the IBV, CBV, and key operations (along with liveness) to overcome some of that

at Thoughtful Biometrics Conference we had a couple of discussions on this topic - is the *only* viable use of biometrics either (a) unlocking TEE devices (using closed-supply-chain technology like an iPhone)

or (b) for surveillance - I'm not sold yet that the general wisdom about biometrics is the final story - although I am sympathetic to that concern

Frederico Schardong, 11:21:58 AM

Having a bunch of biometrics combined increases the security assumption, which is always welcomed. There are other things like what if someone doesn't have eyes and/or hands?

Matthewhall78, 11:24:17 AM

What specifically on the terminal needs to be protected? Is it the formula that generates P and R? Could you do some sort of verification of state that the formula has a VC that states it has not been tampered with? I don't know, just a thought.

Charles E. Lehner, 11:25:51 AM

Have one-time-use paper credentials been considered?

Frederico Schardong, 11:26:25 AM

+1

Takashi Minamii, 11:29:45 AM

FYI: Hitachi's Solution (PBI)

https://www.hitachi.com/rd/sc/story/pbi/index.html

Matthewhall78, 11:30:12 AM:

maybe one time use paper credentials could work as a means of going analog temporarily, but they could be verified after the fact. e.g. hey Matt, someone used a paper credential asserting to be you, was it you? Yes or No?

Charles E. Lehner, 11:32:01 AM:

I was thinking of one-time-pads

Matthewhall78, 11:32:06 AM:

Payment terminals all just had to change to add the “tap” function

Q&A

Question about KERI, key rotation

Reusable Fuzzy Extractor

Reused parameters not correlated
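The P and R mentioned in the chat above are the helper data and extracted key of a fuzzy extractor. The following is an added toy example, not code from the session or from Finema, showing the classic code-offset construction (Gen produces R and public P from a noisy reading w; Rep recovers R from a nearby reading w' and P) and why the "reused parameters not correlated" property matters: with this naive construction, two enrollments of the same biometric yield helper strings whose XOR is a codeword, so they can be linked, which is exactly what a reusable fuzzy extractor is designed to prevent. The bit strings standing in for biometric templates are constructed for the example, and the repetition code is chosen only for readability.

```python
import hashlib
import secrets

# Toy code-offset fuzzy extractor (added example; constructed inputs).
# Each secret bit is repeated BLOCK times; majority vote corrects up to
# (BLOCK - 1) // 2 flipped bits per block of the noisy reading.
BLOCK = 5


def encode(secret_bits):
    """Repetition-code encode: every secret bit repeated BLOCK times."""
    return [b for b in secret_bits for _ in range(BLOCK)]


def decode(codeword):
    """Majority-vote decode of a (possibly noisy) repetition codeword."""
    out = []
    for i in range(0, len(codeword), BLOCK):
        block = codeword[i:i + BLOCK]
        out.append(1 if 2 * sum(block) > BLOCK else 0)
    return out


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def derive_key(secret_bits):
    """R is derived by hashing the recovered secret (strong extractor stand-in)."""
    return hashlib.sha256(bytes(secret_bits)).hexdigest()


def gen(w):
    """Enrollment: Gen(w) -> (R, P).
    P = w XOR encode(secret) is public helper data; R is the key."""
    n_secret = len(w) // BLOCK
    secret = [secrets.randbits(1) for _ in range(n_secret)]
    P = xor(w, encode(secret))
    return derive_key(secret), P


def rep(w_prime, P):
    """Reproduction: Rep(w', P) -> R, correct when w' is close enough to w.
    w' XOR P = e XOR encode(secret), where e is the reading error."""
    noisy_codeword = xor(w_prime, P)
    return derive_key(decode(noisy_codeword))


def flip(bits, positions):
    """Simulate a noisy re-reading of a template by flipping given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def helpers_linkable(P1, P2):
    """Linkability check for the naive construction: if P1 and P2 were produced
    from the same w, P1 XOR P2 = encode(s1) XOR encode(s2) is itself a codeword.
    A reusable fuzzy extractor must make such reused helper data uncorrelated."""
    diff = xor(P1, P2)
    return encode(decode(diff)) == diff


def demo():
    # Constructed 40-bit "template" (8 secret bits at BLOCK = 5).
    w = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1] * 4
    R, P = gen(w)
    ok = rep(flip(w, [0, 7, 12, 20, 38]), P) == R      # one flip per block: recovers R
    bad = rep(flip(w, [0, 1, 2]), P) == R              # three flips in one block: fails
    _, P2 = gen(w)                                     # same user re-enrolled
    _, P3 = gen(flip(w, [3]))                          # a different (nearby) template
    return ok, bad, helpers_linkable(P, P2), helpers_linkable(P, P3)


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True, False)
```

The last two values of demo() are the point about reuse: P and P2 come from the same w, so their XOR decodes cleanly and the two enrollments are linkable, whereas P3 comes from a template that differs by a single bit and is not. The naive construction is therefore not reusable; the reusable fuzzy extractor raised in the Q&A is a different construction with that property built in.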

Chris Raczkowski, 11:42:21 AM:

Great session! I’m looking forward to following up with Finema on this topic - particularly with Sovrin’s plans for integrating biometric binding into an open-source SSI wallet and VCs. I have to jump, and prep for another session - and I’ll connect again via email and LinkedIn. Thanks!

Solution should be compatible with Confidential Storage Working Group, so you can move vendor, transfer keys/credentials.

Discussion about group shared phone. Shared biometric wallet that a family could log into. Anyone in the family could carry that phone around. Or community phone. May tend to be one person who uses it most.

Separate devices already having biometrics.

Governments not caring about personal sovereignty, not excited to adopt. Need middleman, charity, W3C, etc., white-hat groups

NGOs. What are we trying to do?

Myanmar, NGO workers. Illegality to possess cryptographic materials.

APAC call

Thailand connections. Bangkok.

Using real name, vs. what people call you

LinkedIn connections.

Sovereign, vs. KYC. Supreme political entity. How to help individual in dire straits.

What technology using? Blockchain: Tendermint Consensus Engine, not Hyperledger Indy, but borrowing ideas from it. Using DID and VC

Covid in Bangkok