Add DO_NOT_CORRELATE flag to Verifiable Claims about vc-data-model HOT 15 CLOSED

In addition to the linked "terms of use" field (URL, etc.), it would be good to be able to either embed the signed terms under which the data is shared, or at a minimum a hash of the terms at the time of disclosure.

In general, the resource residing at a URL cannot be treated as static. Even if the recipient were to immediately retrieve the resource and store it as a form of purpose binding, there would be no way to prove, in an audit or in court, that the recipient's terms were those actually provided by the discloser.

The issue here, is, in part, to enable tracking of the terms of use for shared data to facilitate purpose binding and prevent non-permissioned, potentially toxic data from being used inappropriately. What the recipient needs is a non-repudiable statement linking a specific verifiable claim to a specific terms of use, signed by the discloser of the data. A simple URL would not provide that.

from vc-data-model.

/cc @riannella - Would it be possible for POE to attend the VCWG meeting at W3C TPAC and give us an overview of ODRL and how we may be able to use it for Verifiable Claims and limiting their use?

from vc-data-model.

We have a Terms of Use field now: https://w3c.github.io/vc-data-model/#terms-of-use

Unless someone steps up to detail how DO_NOT_CORRELATE is done for VC 1.0, the group will have to proceed to REC w/o a stable example. Can someone please volunteer to write a DO_NOT_CORRELATE example and place it in the examples repo? Or maybe the test suite?

from vc-data-model.

Note: ODRL is now a formal W3C REC:
ODRL Information Model V2.2
w3.org/TR/odrl-model/
ODRL Vocabulary & Expression V2.2
w3.org/TR/odrl-vocab/

from vc-data-model.

@msporny (apologies) but what do you mean by "do not correlate" ?

from vc-data-model.

In example 5, could you add "issuer" and "verifier" to the ODRL Policy?
(They would be sub-properties of assigner and assignee, defined in the Profile)

Similar for example 6, holder is a sub-prop of assigner

from vc-data-model.

@msporny (apologies) but what do you mean by "do not correlate" ?

We mean "Do not use the information that I am giving you, the relying party website / verifier, to correlate me between the websites I'm visiting. Basically, do not sell my browsing behavior to anyone.

Do you mean this example 6? https://www.w3.org/TR/odrl-model/#asset-partof

from vc-data-model.

@msporny I mean examples 5 and 6 here: https://w3c.github.io/vc-data-model/#terms-of-use

from vc-data-model.

Example 6 is not correct (in the case shown, the correlate action is prohibited on the target asset).

I think you need to use an Obligation: https://www.w3.org/TR/odrl-model/#duty-policy

from vc-data-model.

I think that having the terms of use field is sufficient for the v1 data model document.
We could start a completely new document, entitled Terms of Use, which documents and standardises specific terms of use which are of general use and applicability. In this was we do not unduly delay the data model document, whilst we do not forget about useful terms of use.

from vc-data-model.

That's sounds reasonable. We (the ODRL Community Group now) can help out in defining the terms as an ODRL Profile.

from vc-data-model.

@riannella in order to close this issue out, we need to fix the examples and I'm having a hard time understanding what is and isn't possible via ODRL. Please help us fix the examples w/ something concrete that we can put in the spec. We're trying to finish up the spec and if we don't have valid examples that demonstrate how to use ODRL, we'll have to just remove all ODRL examples and use a simpler schema.org example.

Which mailing list should I request help on? Is it this one? https://lists.w3.org/Archives/Public/public-odrl/

from vc-data-model.

Yes, that is the list of the ODRL Community Group which you can post questions.

I can provide some input here too...

I think you can state that given an appropriate ODRL Profile for credentials (in this case, we define issuer as a sub-property of assigner, and verifier as a sub-property of assignee) then we can update Example 6 to be:

  "termsOfUse": [{
    "type": "Policy",
    "uid": "http://example.com/policy:8473",
    "profile": "http://example.com/odrl:credential:profile",
    "prohibition": [{
       "issuer": "https://dmv.example.gov/01",
       "verifier": "https://autoclub.example.com/02"
      "target": "did:example:ebfeb1f712ebc6f1c276e12ec21",
      "action": ["archive"]
    }]

from vc-data-model.

In example 7, with the Profile also including holder as a sub-property of Assigner, and correlate as an instance of odrl:Action. I assume the target will then be the credential itself, as this is the target of the non-correlation. (Ie don't use this credential data with any other data).

  "termsOfUse": [{
    "type": "Policy",
    "uid": "http://example.com/policy:4928",
    "profile": "http://example.com/odrl:credential:profile",",
    "prohibition": [{
      "holder": "https://me.example.com/02"
      "verifier": "https://wineonline.example.com/02"
      "target": "http://me.example.gov/credentials/3732",
      "action": ["correlate"]
    }]
  }

Perhaps apply these updates and post a query to the ODRL Community Group for other feedback.

from vc-data-model.

@riannella wonderful, thank you, that gives me something solid to create a PR for.

Next step, create a PR based on @riannella's suggestions above.

from vc-data-model.