w3c · msporny · Mar 6, 2023 · Feb 10, 2023 · Feb 11, 2023 · Feb 11, 2023
@@ -705,6 +705,25 @@ <h3>Content Distribution Networks</h3>
       </p>
     </section>
 
+<section class="informative">
+<h3>Malicious Issuers and Verifiers</h3>
+<p>
+In general, the herd privacy protections offered by this specification can be circumvented by malicious <a>issuers</a> and <a>verifiers</a>. Its privacy benefits can only be realized when issuers and verifiers intend to avoid tracking or sharing the presentation of particular credentials.
+</p>
+<p>
+A malicious <a>issuer</a> might intentionally attack herd privacy by creating a
+unique status list per credential issued in order to establish a 1-1 mapping to track
+when a <a>verifier</a> processes a specific credential. Similarly, they could establish
+another a 1-1 mapping by using a different cryptographic key for every credential
+issued that is tracked in a status list.
+</p>
+<p>
+A malicious <a>verifier</a> might intentionally attack herd privacy by sharing
+information from presented credentials with a malicious <a>issuer</a>.
+</p>
+<p class="issue" data-number="6"></p>
+</section>
+
   </section>
 
   <section class="informative">