2F/ SovrinID Card – What should it do?
Sovrin ID Card
Thursday 2F
Convener: Steve Fulling
Notes-taker(s): Tyler Ruff
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Sovrin ID card notes
What should it do?
It could be blank, but then what happens when we drop our cards next to each other? Which is which?
Could it sync with your phone? Yes.
The idea of the card is having a low trust point, something tangible people can give to introduce themselves. It would be an intermediary between a human, their agent, and the relying party. As an RP you could scan it and it could pop up a picture of the owner. Picture doesn't have to be on the card. It could just have an RFID chip. It could be the last business card you ever have.
Someone asked: Why don't we just use token technologies? Because we're talking about a card that has a photo, what makes the card feel like yours? How do you limit the correlation to the card?
Having key fobs and things like that does make sense. Some people that have no technology could use this as their first non-gov't identification. What requirements are there for what should be on (in?) the card?
1. A photo of the person
The biometric should never leave the card
2. The card should have an RFID.
It shouldn't be tamperable. We should discuss how trustable it is. There's an enrollment process which ensures the binding is accurate. It probably involves cryptographic control. There is tech out there which makes it impossible to spoof. How do we trust that the binding is authentic?
Couldn't someone produce fake Sovrin ID cards?
The trust model validates the market fit for a card like this. Independent identity needs to move from institutional identification to independent identity proofing.
Does this card serve as an "introduction card"? It shouldn't have correlatable attributes on it. If I had one card for all my membership cards.
A chip or card reader or something like that, like the card system works today, would generate a random identifier each time it was scanned?
Paco: Digital passport gets signed by the private key of the issuer. The problem with it is you don't want to disclose all your information. YOTI lets you selectively disclose.
"When you can verify, you don't need trust." When you look at a card, you're trusting the issuer. There are two attestations from people who know you. One of them has to sign the back of a photo.