This group is locked. No changes can be made to the group while it is locked.
Re: Hypothetical COVID-19 Credential VC Data Model v2
Replying with permission to the lists... excellent questions:
On Mon, Apr 20, 2020 at 11:43 AM Blaž Podgorelec <blaz.podgorelec@...> wrote:
In systems like OAuth OIDC, it's possible to revoke existing bearer tokens when a new one is issued, because there is a single centralized issuer, and they control the subject identifiers "iss" and "sub".
In decentralized systems there are multiple issuers, and the situation is actually even worse than you describe... I might get a negative test from vendor A, and then keep getting retested at other vendors until I can hit the false positive rate for the test and get a positive test.... how will the vendors know that this is the 3rd time I was tested in the last week?
Typically we call these kinds of attacks a https://en.wikipedia.org/wiki/Sybil_attack ... and they are pretty common in any free to join / decentralized system.
Solutions range from requiring biometric in person checks (preventing the attacker from generating more than 1 unique id, or some other form of relying on a strong central issuer)... When the subject can control their identifier, and the issuer has no way of knowing if this person has ever been tested before... the problem will persist.
It's a great question, I'm sorry I don't have a better answer for it other than defaulting to some centralized registry... it's a hard problem... and there are lots of papers on the topic: