W3C Verifiable Claims WG

[Jeff Burdges]

I should give you guys a heads up about the W3C's "Verifiable Claims
Working Group". https://www.w3.org/2017/vc/

It's original incarnation was basically a government identity scheme for
the web. I raised concerns on the W3C payment groups discussion
threads, which felt ignored, and with W3C people like Wendy Seltzer,
which perhaps helped.

In fact, there were fluffy ideas about doing things like proving your
age without identifying yourself, but these guys mostly do not
understand much cryptography, and they did not understand, or did not
care, that the unique information in most signature schemes creates a
unique identifier that would violates a browser's cross-origin policy
for stuff like cookies.

In any case, browser APIs out-of-scope for this WG, but they remain
interested, so..

I've raised an issue on their brand new github repo for high lighting
that personal information requires a far more approaches, like ring
signatures, ala proof-of-person-hood parties, or single-use blind
signatures.

https://github.com/w3c/verifiable-claims/issues/1

It's maybe good if more people weigh in that signatures identify users
in ways that fundamentally violate the cross origin policy.

Also, thank you for providing an example of doing online identity
well. ;)

Best,
Jeff