What does High Assurance mean? #231
I considered adding a bullet that the profile also gives the holder (some) assurance about the identity of the verifier she discloses her credential data to. Any thoughts?
| This document defines a set of requirements for the existing specifications to enable interoperability among Issuers, Wallets and Verifiers of Credentials where a high level of security and privacy is required. This document is an interoperability profile that can be used by implementations in various contexts, be it a certain industry or a certain regulatory environment. | ||
| The meaning of "high assurance" in the context of this profile is: |
There are many concepts in the description here that I do not see in the HAIP profiles. Where are the requirements mentioned about:
- Policies and procedures
- Holder authentication / Holder binding
- Claim authenticity
HAIP defines on a technical level how holder authentication can be proved and claim authenticity is protected by way of requiring certain protocol and credential format features.
Out of scope are concrete holder authentication mechanisms (which ensure the holder can only sign the presentation) and policies and procedures (as this is a technical interop profile and not a policy definition).
Shall we add this?
Added suggested text to the PR.
@andprian please review
@tlodderstedt There is currently some confusion in the EU on the link between the HAIP profiles and the LoA High attainment. Could you clarify that while HAIP provides a good basis, it is not sufficient and extra elements that are out of scope would be needed for LoA High?
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
Co-authored-by: Frederik Krogsdal Jacobsen <fkj@users.noreply.github.com>
WG discussion: @andprian to propose a text that high assurance here is not EU LoA High
Co-authored-by: Frederik Krogsdal Jacobsen <fkj@users.noreply.github.com>
Co-authored-by: Frederik Krogsdal Jacobsen <fkj@users.noreply.github.com>
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
@tlodderstedt, I suggest the following additional note:
Seems reasonable @andprian - I might suggest rewording the first sentence a little as someone could read it as "HAIP is not suitable for LoA High":

Looks good
| This document defines a set of requirements for the existing specifications to enable interoperability among Issuers, Wallets and Verifiers of Credentials where a high level of security and privacy is required. This document is an interoperability profile that can be used by implementations in various contexts, be it a certain industry or a certain regulatory environment. | ||
| The level of security and privacy defined in this profile includes the following assurance: |
"defined" feels a bit awkward. Possibly this is slightly less awkward:
| The level of security and privacy defined in this profile includes the following assurance: | |
| This profile aims to achieve a level of security and privacy that includes the following properties: |
c2bo left a comment
I agree with @jogu's proposed rewording.
| The level of security and privacy defined in this profile includes the following assurance: | ||
| * Authenticity of claims: There is strong assurance that the claims within a Credential are valid and bound to the correct Holder. This involves the policies and procedures used to collect and maintain the claims, the authentication of the Holder during issuance, and the protection of claim authenticity both at rest (in the wallet) and during presentation. The scope for this profile is: security of the issuance process, protection of issued credentials, and mechanisms for the Verifiers to access trustworthy information about the Issuer. |
| * Authenticity of claims: There is strong assurance that the claims within a Credential are valid and bound to the correct Holder. This involves the policies and procedures used to collect and maintain the claims, the authentication of the Holder during issuance, and the protection of claim authenticity both at rest (in the wallet) and during presentation. The scope for this profile is: security of the issuance process, protection of issued credentials, and mechanisms for the Verifiers to access trustworthy information about the Issuer. | |
| * Authenticity of claims: There is strong assurance that the claims within a Credential or Presentation are valid and bound to the correct Holder. This involves the policies and procedures used to collect and maintain the claims, the authentication of the Holder during issuance, and the protection of claim authenticity both at rest (in the wallet) and during presentation. The scope for this profile is: security of the issuance process, protection of issued credentials, and mechanisms for the Verifiers to access trustworthy information about the Issuer. |
As per #231. Also fix a couple of cases where we didn't use an Oxford Comma (we're pretty consistent about using them through the rest of the text).
resolves #189