What’s In Your Wallet? + Who Is In Your Wallet?

From IIW

What’s In Your Wallet? & Who’s In Your Wallet?

Day/Session:Wednesday 5J

Convener:Darrell O’Donnell & Drummond Reed

Notes-taker(s): (1) Darrell O’Donnell, (2) Heather Vescent, (3) Alex Laws

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

(1) Darrell O’Donnell’s DKMS Link (full write-up/presentation) bit.ly/dkmsv3




What are in your wallet

  • Crypt
  • Keys
  • Records
  • Credentials

Who are in your wallet

Do not want to talk about crypto wallets.

What’s in your wallet that you really need.

What does my digital wallet do for me (as a developer) or for my mom (no cell phone)?

Is there a delegation role for me to take care of it for her.

What kind of credentials?

Digital Driver’s License

Service card (BC) the card + attributes

What is a vault vs a wallet?

I want to be able to get at it.

Records of communications.

Who have I been interacting with via a wallet.

The terms wallets and agents.

Wallet is a storage - in the sovrin world.

We used to carry phone numbers in our wallet, pictures of our kids.

As a developer, it’s an SDK.

There’s different levels to what a wallet is.

See it more like its an app

What happens when Apple makes a wallet sdk that meets all out needs?

My app has wallet capabilities.

Are we securing the data in the secure elements?

Who is in your wallet - with you?

Re: medical records.

Break the glass situations for medical.

Cloud of 3rd parties…

Bank, financial advisor, can you have their software agent,

Loyalty program membership

Or part of a credit union.

The wallet becomes a capable thing.

You want certain agents to see certain parts.

Scheduled drivers license - prove over 21.

Does my wallet protect me - they are asking for your police version of the dr license.


Can you do that for me in a business environment.

What’s the role of a bank or FB friends.

-- Drummond gave update/history of DKMS, DHS S&T


Definition of Agent/Wallet

What does it mean to issue or use a wallet?

What & Who is in your wallet? Stuff...

What's in your wallet? crypto/keys/records/credentials

Who's in your wallet? Healthcare/ Bank/CU/Family

_ignore the crypto side_

crowd Q. what is the audience for this dicussion? devs? 'normal' people? my mom?

- all of the above, more about what the defn is


- keys: important, stored securely (TEE) OR on a server

- credentials: 

    - identity document ex BC service card     - corp registration

- records

    - what utility does it have?

    - fidelity of a receipt -> line items with diff classifications

    - ownership/warranty

    - communications records

    - this is getting bloated

vault vs wallet?

- don’t want to carry everything around

cQ. a wallet is an app. an agent is in the cloud? many vs some people

- in sovrin wallet is secure storage

there is some ambiguity, but _I_ don’t care

definition of wallet is a moving target

- ex no long keep phone number in wallet, photos of kids etc

    - they have been moved to 

wallet is akin to real wallet, keeps stuff I need

**WHO is in the wallet

- ehr and a telco

    - break the glass (in emergency) based on other credentials (ie doctor)

    - NOT key recovery

- bank knows where I spend money, loyalty rewards cards

specific people can see specific parts of the wallet

ex digital driver ... proof of age ...

guardianship, who can sign FOR you

key recovery

- will you remember where you put the backup in 10weeks, years

- Facebook friends.. don’t really trust that

2 levels of the wallet

- ssi, ux questions, how to actually manage this (ie key corvery),  how it works behind the scenes

DKMS (hyperledger indy)

- dids -> blockchain -> privacy problem

- BC only for identifiers

- dids only useful if YOU control keys -> DKMS

how to solve key recovery, interoperability, portability

android vs apple wallet users

apple 50% use

android 5%

DHS problem, standard for interoperability between DKMS wallets?

- recommend that it becomes a standard (OASIS has some work, KMPI key management interop interface, enterprise level)

- prevent vendor lock in

DHS wants to complete 'baseline' functionality, in HL indy, by Q1 2019

- they will fund review of indy code base, then to OASIS

edge/cloud agent/wallet

- agent acts on a wallet, wallet is storage, agent is actor

- agent is either at edge (under user control) or cloud (not on HW controlled by user)

    - cloud can by HSM (hW sec module)

    - this is a policy decision

analog to email (clients/servers)

edge agents must be able to connect directly

- ex pulled over by LEO without cell signal

- DKMS covers protocols for agents to communicate

    - not structure of wallet

    - but interfaction between agents

edge to cloud agent can have strong auth (agent/agent comms)

- recovery from other device sin network (ir family)

cQ. does key manger mean private key management, or pk exchange/rotation


- in sovrin did is part of base58(pubkey)

cq. dmks covers way more that centralize key manage

- yes

nist 800-135(?) design of crypt key management systems

    - meta spec for designing kms

    - what applies to dkms (80% overlay, 15% sorta, 5% irrelevants)

cQ. how social recovery works?

- see dkms report (indy-sdk)

- agents automate the process except the most social step

    - id verification should be out of band (between the trustee and key owner)

- encrypted wallet backup to cloud

- add trustees as you make connections 

    - nothing for user to do, but select who do they trust

cQ. wallet sync between owners edge agents

- yes/no

- design NEVER shares private keys across wallets, only did's

cQ. do you share link secret?


- used for zkp

- BLS has no correlations

- derived keysa are a special use case, ie group key for multidevice comms

cQ. is cloud agent mandatory?

- NO

- edge agents aren’t' required either

- some parts are more challenges

    - message routing without cloud agent

    - ie pub/sub router

- edge agent can comm directly with did layer (BC)

Who’s in your wallet? your connections

did-did channels (pairwise pseudonymous) can be used for ANYTHING

cQ. data edge agent wants to store NOT in the wallet?

- that’s a vault, secure store that’s not in wallet

- vault is cold storage of wallet data?? not what you want right now

- vault stores credentials?

- vault encrypted by keys in the wallet


DKMS Spec: https://github.com/hyperledger/indy-sdk/blob/master/doc/design/005-dkms/DKMS%20Design%20and%20Architecture%20V3.md

DKMS is an entire approach