Check status privacy

[fabrii]

I have read in some parts of the spec, that the registry should expose the revocation lists. For example, it is mentioned in the following diagram https://github.com/w3c/vc-data-model/blob/main/diagrams/ecosystemdetail.svg used in the v2 spec. In the arrow from verifier to issuer we can see: "does not preserve privacy, repeatable".

On the other side, we have specs as https://www.w3.org/TR/vc-status-list/, where the privacy is guaranteed even when the list is exposed by the issuer. Isnt the ecosystemdetail image misleading?

[dlongley]

Perhaps "may not preserve privacy" would be better language in the diagram. Other more verbose language could explain the nuance but probably not fit in the diagram. Someone else might have another suggestion for what we could to help here.

The minimum privacy goal is for the issuer to be unable to tell which credential is having its status checked. If the verifier (or the protocol they use) reveals that, then privacy has not been preserved. There may be some designs where the verifier can still talk to the issuer to get credential status information -- without revealing which credential is being checked. This is the status list approach. In this case the issuer still unavoidably learns about the verifier likely knowing about some credential they issued, but they don't know which one it is.

There's also always side-channel information leakage considerations -- whereby an issuer could learn more than what information is strictly in the protocol. However, every scheme requires the issuer's buy-in already. So there's an expectation that the issuer would like to avoid violating the user's privacy and reap the benefits from being able to honestly advertise they are doing so. Going out of their way to correlate user activity should harm their reputation.

[fabrii]

I agree with your proposal. May not preserve privacy seems a better fit.

Personally, if I have two options to publish the list (registry vs issuer), and in both I can preserve privacy, I am inclined to prefer the one that is easier to implement and has fewer failure points.

Storing the list in the registry implies that the issuers must be synchronized with the registry and send all their revocations in a timely manner. I fail to see if there are any other points in favor of publishing in the registry. One thing I picture is the uniformization of the status url domain, but that likely not outweighs the integration costs.

If I'm right, I think the spec should mention both solutions as valid.

[OR13]

Seems like an issue for the other repo?

[iherman]

The issue was discussed in a meeting on 2023-06-28

• no resolutions were taken

View the transcript

2.14. Check status privacy (issue vc-data-model#1148)

See github issue vc-data-model#1148.

Brent Zundel: #1148 Check status privacy.
… person raising it is not a member of the working group. That's great. Perhaps someone here has an idea of the issue?

Orie Steele: +1 dlongley.

dlongely: issue is in the text in the diagram to change it to may preserve privacy. An editorial change.

Andres Uribe: I can take it.

Orie Steele: Suggest changing the text to "might not preserve privacy".

Brent Zundel: andres agrees to take #1148.

[brentzundel]

This has been addressed in PR #1174 and this issue will be closed when that PR is merged.