update normative statements in ZKP section #818
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -2942,8 +2942,8 @@ <h3>Zero-Knowledge Proofs</h3> | |||||||||
| <p> | ||||||||||
| A zero-knowledge proof is a cryptographic method where an entity can prove to | ||||||||||
| another entity that they know a certain value without disclosing the actual | ||||||||||
| value. A real-world example is proving that an accredited university has | ||||||||||
| granted a degree to you without revealing your identity or any other personally | ||||||||||
| identifiable information contained on the degree. | ||||||||||
| </p> | ||||||||||
| <p> | ||||||||||
|
|
@@ -2975,45 +2975,50 @@ <h3>Zero-Knowledge Proofs</h3> | |||||||||
| </ul> | ||||||||||
|
|
||||||||||
| <p> | ||||||||||
| This specification describes a data model that supports selective disclosure | ||||||||||
| with the use of zero-knowledge proof mechanisms. The examples below highlight | ||||||||||
| how the data model can be used to issue, present, and verify zero-knowledge | ||||||||||
| <a>verifiable credentials</a>. | ||||||||||
| </p> | ||||||||||
|
|
||||||||||
| <p> | ||||||||||
| For a <a>holder</a> to use a zero-knowledge <a>verifiable presentation</a>, | ||||||||||
| they need an <a>issuer</a> to have issued a <a>verifiable credential</a> in a manner | ||||||||||
| that enables the <a>holder</a> to derive a proof from the originally issued | ||||||||||
| <a>verifiable credential</a>, so that the <a>holder</a> can present the | ||||||||||
| information to a <a>verifier</a> in a privacy-enhancing manner. | ||||||||||
| This implies that the <a>holder</a> can prove the validity of the | ||||||||||
| <a>issuer's</a> signature without revealing the values that were signed, or when | ||||||||||
| only revealing certain selected values. The standard practice is to do so by | ||||||||||
| proving knowledge of the signature, without revealing the signature itself. | ||||||||||
| There are two requirements for <a>verifiable credentials</a> when they are to be | ||||||||||
| used in zero-knowledge proof systems. | ||||||||||
| </p> | ||||||||||
|
|
||||||||||
| <ul> | ||||||||||
| <li> | ||||||||||
| The <a>verifiable credential</a> MUST contain a Proof, using the | ||||||||||
| <code>proof</code> <a>property</a>, so that the <a>holder</a> can derive a | ||||||||||
| <a>verifiable presentation</a> that reveals only the information than the | ||||||||||
| <a>holder</a> intends to reveal. | ||||||||||
| </li> | ||||||||||
| <li> | ||||||||||
| If a <a>credential</a> definition is being used, the <a>credential</a> | ||||||||||
| definition MUST be defined in the <code>credentialSchema</code> <a>property</a>, | ||||||||||
| so that it can be used by all parties to perform various cryptographic | ||||||||||
| operations in zero-knowledge. | ||||||||||
| </li> | ||||||||||
| </ul> | ||||||||||
|
|
||||||||||
| <p> | ||||||||||
| The following example shows one method of using <a>verifiable credentials</a> in | ||||||||||
| zero-knowledge. It makes use of a Camenisch-Lysyanskaya Signature | ||||||||||
| [[?CL-SIGNATURES]], which allows the presentation of the <a>verifiable | ||||||||||
| credential</a> in a way that supports the privacy of the | ||||||||||
| <a>holder</a> and <a>subject</a> through the use of selective disclosure of the | ||||||||||
| <a>verifiable credential</a> values. Some other cryptographic systems which rely | ||||||||||
| upon zero-knowledge proofs to selectively disclose attributes can be found in the | ||||||||||
| [[?LDP-REGISTRY]] as well. | ||||||||||
| </p> | ||||||||||
|
|
||||||||||
| <pre class="example nohighlight" title="A verifiable credential that supports CL Signatures"> | ||||||||||
|
|
@@ -3046,7 +3051,6 @@ <h3>Zero-Knowledge Proofs</h3> | |||||||||
| }</span> | ||||||||||
| } | ||||||||||
| </pre> | ||||||||||
| <p> | ||||||||||
| The example above provides the <a>verifiable credential</a> definition by using | ||||||||||
| the <code>credentialSchema</code> <a>property</a> and a specific proof that is | ||||||||||
|
|
@@ -3057,26 +3061,27 @@ <h3>Zero-Knowledge Proofs</h3> | |||||||||
| The next example utilizes the <a>verifiable credential</a> above to generate a | ||||||||||
| new derived <a>verifiable credential</a> with a privacy-preserving proof. The | ||||||||||
| derived <a>verifiable credential</a> is then placed in a | ||||||||||
| <a>verifiable presentation</a>, so that the <a>verifiable credential</a> | ||||||||||
| discloses only the <a>claims</a> and additional credential metadata that the | ||||||||||
| <a>holder</a> intended. To do this, all of the following requirements are | ||||||||||
| expected to be met: | ||||||||||
| </p> | ||||||||||
|
|
||||||||||
| <ul> | ||||||||||
| <li> | ||||||||||
| Each derived <a>verifiable credential</a> within a <a>verifiable | ||||||||||
| presentation</a> MUST contain all information necessary to verify the | ||||||||||
| <a>verifiable credential</a>, either by including it directly within the | ||||||||||
| credential, or by referencing the necessary information. | ||||||||||
| </li> | ||||||||||
| <li> | ||||||||||
| A <a>verifiable presentation</a> MUST NOT leak information that would enable | ||||||||||
| the <a>verifier</a> to correlate the <a>holder</a> across multiple | ||||||||||
| <a>verifiable presentations</a>. | ||||||||||
| </li> | ||||||||||
| <li> | ||||||||||
| The <a>verifiable presentation</a> SHOULD contain a <code>proof</code> | ||||||||||
| <a>property</a> to enable the <a>verifier</a> to check that all derived | ||||||||||
| <a>verifiable credentials</a> in the <a>verifiable presentation</a> were issued | ||||||||||
| to the same <a>holder</a> without leaking personally identifiable information | ||||||||||
|
Comment on lines
3085
to
3086
There was a problem hiding this comment.
Suggested change
Somehow I missed this in previous reviews.
There was a problem hiding this comment. Indy anoncreds zkp-credentials, which were used as the exemplar for much of the material in this section, require that issued credentials be bound to a holder. One reason for this is that anoncreds aren't bound to a subject, but are rather issued to the subject, so binding to the holder is a way to accomplish connection of the credential to the subject. Another is to give verifiers more confidence that credentials are linked even when the disclosed claims are kept to a minimum. Binding to a holder also makes sharing credentials more detectable and unwieldy, which is seen as valuable in the anoncreds ecosystem. That said, there are more zkp-credential schemes now than there were when the section was written, and not all of them require holder binding, even though many still consider that best practice. This is why the MUST is being changed to a SHOULD. There was a problem hiding this comment. This suggestion appears to be the same as the current text in there. I presume this review comment was more about raising the questions which I think @brentzundel addressed. Please let me know if there's any additional changes that I missed to resolve this comment. There was a problem hiding this comment.
Correct. However, I do not think that the answers provided by @brentzundel remove my concerns with this section. I am mostly concerned about the "bound"/"binding" terminology in use here, which I think is a significantly stronger relationship than is actually present between these VCs and their Subjects or Holders. I think it would be better to say that xyz property/ies in the Credentials under specific discussion are (or SHOULD be or MUST be) set to strings or URIs which identify the Holder who is expected to Present the VC to any Verifiers downstream. Then, the Verifier is expected to check that either some other qrs property/ies were (or SHOULD have been or MUST have been) set to strings or URIs which identify the Subject, OR the Subject is always the same as the Holder identified by the values of xyz property/ies, ... Or something along those lines. I think that "anoncreds aren't bound to a subject, but are rather issued to the subject, so binding to the holder is a way to accomplish connection of the credential to the subject" translates roughly to "anoncreds are Issued to their Subject, which is defined as a sapient being, and which is not identified as the Subject within the VC. Identifying the Holder is an indirect way to accomplish association of the VC with its Subject," which Subject is not really obscured by this method, since the identified Holder is always the Subject and anyone who can access the value of the field identifying the Holder is thereby able to access to identifier of the Subject. Leading to another concern with this section, since it seems that the Subject anonymity desired to be delivered through ZKP, at least in part by identifying one Holder who must be the Subject, instead of identifying the Subject, isn't actually delivered. I'm sure I'm missing something exceedingly clever, and I hope someone can explain it in terms I can understand and that we can swiftly adopt (and/or edit slighly to adopt) for this section. There was a problem hiding this comment.
+1. And if there are cases where there aren't actually any properties in the VC itself with this information because some mechanisms include it via secrets and/or proof data, then that can be stated as an option as well. I think it's important that we indicate that we're talking about setting expectations -- and not assert a level of control that isn't possible. It's also fine to say that there are mechanisms that attempt to impede adversaries that try to subvert these expectations, but such statements should include a friendly warning that they all have limitations that need to be well understood by implementers (and readers should consult external documentation for that). There was a problem hiding this comment. Do we want to action this within this PR - if so can you propose some suggested changes based on the discussions so far. There was a problem hiding this comment. @kdenhartog -- There are no changes to make here in this PR based on this comment. |
||||||||||
| that the <a>holder</a> did not intend to share. | ||||||||||
|
|
||||||||||
Uh oh!
There was an error while loading. Please reload this page.