add to privacy considerations
paulbastian committed Oct 22, 2023
1 parent 58c9109 commit 22af43b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion draft-looker-oauth-jwt-cwt-status-list.md
Expand Up @@ -342,7 +342,7 @@ A malicious Issuer could bypass the privacy benefits of the herd privacy by gene

## Verifier tracking {#privacy-verifier}

Once the Verifier gets the Referenced Token, this enables him to request the Status List to validate the status of the Token through the provided "uri" property and look up the corresponding "index". However, the Verifier may persistently store the "uri" and "index" of the Referenced Token to request the Status List again at a later time. By doing so regularly, the Verifier may create a profile of the Referenced Token's validity status. This behaviour may be inteded as a feature, e.g. for a KYC process that requires regular validity checks, but might also be abused in cases where this is not intended and unknown to the Holder, e.g. profiling the suspension of a driving license or checking the employment status of an employee credential. This behaviour could be constrained by adding authorization rules to the Status List, see [](#security-authorization).
Once the Verifier gets the Referenced Token, this enables him to request the Status List to validate the status of the Token through the provided "uri" property and look up the corresponding "index". However, the Verifier may persistently store the "uri" and "index" of the Referenced Token to request the Status List again at a later time. By doing so regularly, the Verifier may create a profile of the Referenced Token's validity status. This behaviour may be inteded as a feature, e.g. for a KYC process that requires regular validity checks or irrelevant, e.g. for organisations or machines. However, it might also be abused in cases where this is not intended and unknown to the Holder, e.g. profiling the suspension of a driving license or checking the employment status of an employee credential. This behaviour could be constrained by adding authorization rules to the Status List, see [](#security-authorization) or contained through a regular reissuance of the Referenced Token and the corresponding Status List by the Issuer.

## Correlation Risks and Tracking

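Review bot: the new sentence in the added line reads as a garbled alternative, "may be inteded as a feature, e.g. for a KYC process that requires regular validity checks or irrelevant, e.g. for organisations or machines", which leaves "irrelevant" dangling and carries the pre-existing typo "inteded"; suggest splitting it into two clear cases, e.g. "This behaviour may be intended as a feature, e.g. for a KYC process that requires regular validity checks, or may be irrelevant, e.g. where the Referenced Token belongs to an organisation or a machine." The second mitigation appended at the end, "or contained through a regular reissuance of the Referenced Token and the corresponding Status List by the Issuer", also deserves one qualifying clause: reissuance only limits the profiling window if the previously stored "uri"/"index" pair stops reflecting the Holder's current status (i.e. the old Status List entry is retired rather than kept up to date), so consider stating that condition explicitly; and moving the "see [](#security-authorization)" reference after the full sentence would keep the two mitigations parallel instead of interrupting them with the cross-reference.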
