Atomic credentials and selective disclosure

Luca Boldrin
Jun 7, 2023

Selective disclosure has been the subject of many discussions, and several technical mechanisms have been considered for implementing it. Several papers are dedicated to the topic, including a complete survey in ETSI TR 119 476 (currently under approval), a performance evaluation here, and many others.

The focus on selective disclosure stems from the fact that most organisations today are used to issuing credentials that group several “claims” (each corresponding to a single attribute, according to the W3C VC data model).

The problem would obviously be solved at the root if we could deal with “atomic credentials”, i.e. credentials containing a single claim (see here). This option has, however, been challenged because it seems to be open to misuse. This issue is highlighted e.g. in https://www.w3.org/TR/vc-imp-guide/ (and in many other places):

I believe that the example above is misleading, since it depends on a loose definition of what a claim is, i.e. of its precise semantics. I assume that the claim <X has Y> should be read as “whoever can prove to be bound to X can also prove to be bound to Y”. In fact, I believe the community should agree on a precisely defined formal semantics for claims (an initial sketch of such formal semantics here).

According to this reading, it makes no sense to state <“name:John Doe” has “mileage:15,000”>, since this would amount to stating “whoever can prove to be named John Doe can also prove to have mileage 15,000”. But the “mileage” attribute is an attribute of John’s car, not of John. No issuer would ever bind John to “mileage:15,000”, either stand-alone or within a selectively disclosable credential. Let us consider in detail another typical example, i.e. a person having two passports:

(“AT” and “FR” represent the entities signing the credentials). If both were literally issued as atomic credentials we would end up with something like

Here the first set of credentials would be vouched for by the Austrian government, the second set by the French government. A creative user could compose a presentation out of these credentials like

But this is certainly not the way we expect atomic credentials to be issued. Most likely, they would resemble something like

As long as the origin of each claim can be traced back to the proper issuer, combining the above set of atomic claims would cause no issues. We could easily conceive a presentation like

This presentation would make perfect sense to a verifier, which even today is used to handling conflicting information about the same entity. The verifier will decide which of the conflicting “FamilyName” claims to accept, or even accept both. The verifier will probably accept both “Nationality” claims, since this is a many-valued attribute. Non-conflicting information from diverse sources, on the other hand (like “DateOfBirth”), could reinforce the trustworthiness of the claims.
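The verifier-side handling described above can be sketched as follows. This is an added example, not code from the article: HMAC with demo keys stands in for real issuer signatures, the subject identifier that each atomic claim is bound to is an assumption, and all attribute values are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo keys; HMAC is a stand-in for a real issuer signature scheme.
ISSUER_KEYS = {"AT": b"at-demo-key", "FR": b"fr-demo-key"}
MULTI_VALUED = {"Nationality"}  # the article treats Nationality as many-valued

def sign(issuer, subject, attr, value):
    msg = "\x1f".join((issuer, subject, attr, value)).encode()
    return hmac.new(ISSUER_KEYS[issuer], msg, hashlib.sha256).hexdigest()

def atomic(issuer, subject, attr, value):
    """One atomic credential: a single claim bound to one subject identifier."""
    return {"issuer": issuer, "subject": subject, "attr": attr,
            "value": value, "sig": sign(issuer, subject, attr, value)}

def evaluate(presentation, proven_subject):
    """Group verified claims per attribute, keeping issuer provenance."""
    seen = defaultdict(lambda: defaultdict(set))  # attr -> value -> issuers
    rejected = []
    for c in presentation:
        ok = (c["issuer"] in ISSUER_KEYS
              and c["subject"] == proven_subject  # <X has Y> only helps whoever proves X
              and hmac.compare_digest(
                  c["sig"], sign(c["issuer"], c["subject"], c["attr"], c["value"])))
        if ok:
            seen[c["attr"]][c["value"]].add(c["issuer"])
        else:
            rejected.append(c)
    report = {}
    for attr, values in seen.items():
        if len(values) == 1:
            issuers = next(iter(values.values()))
            status = "corroborated" if len(issuers) > 1 else "single-source"
        else:
            status = "multi-valued" if attr in MULTI_VALUED else "conflict"
        report[attr] = (status, {v: sorted(i) for v, i in values.items()})
    return report, rejected

HOLDER = "holder-1"  # hypothetical subject identifier; sample values are constructed
SAMPLE = [
    atomic("AT", HOLDER, "FamilyName", "Mueller"),
    atomic("FR", HOLDER, "FamilyName", "Muller"),
    atomic("AT", HOLDER, "Nationality", "Austrian"),
    atomic("FR", HOLDER, "Nationality", "French"),
    atomic("AT", HOLDER, "DateOfBirth", "1980-01-01"),
    atomic("FR", HOLDER, "DateOfBirth", "1980-01-01"),
    atomic("FR", "holder-2", "FamilyName", "Durand"),  # other subject: rejected
]
```

`evaluate(SAMPLE, HOLDER)` only reports a conflict together with the issuers behind each value; which “FamilyName” to accept remains the verifier's policy decision.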

I would tentatively conclude that atomic credentials, when properly formulated, do no harm. There may however be situations in which issuers, for many technical, organizational and business reasons, prefer to issue compound credentials, in which case selective disclosure techniques retain their full value.
