- From: David Chadwick <D.W.Chadwick@kent.ac.uk>
- Date: Wed, 17 Jan 2018 16:23:53 +0000
- To: W3C Credentials Community Group <public-credentials@w3.org>
Here are my comments on the latest version (31 Dec 17) of the data model document https://w3c.github.io/vc-data-model/

1.3 Use Cases and Requirements

The current text states

  Holders SHOULD be able to easily control and own their own identifiers.

This applies equally to subjects, perhaps even more so than holders, since VCs apply to subjects. Suggest either replace Holders with Subjects or repeat requirement for subjects.

NEW requirement from Lifecycle document

  Subjects should be able to delegate the use of VCs to a third party

3.3 Profiles

The current text states

  A verifiable profile is a collection of one or more verifiable credentials typically about the same subject

The word typically is misleading and redundant. Suggest delete it. Since a VC is about a single subject, then the profile must be about the same subject. When would it make sense to take the VCs of different subjects and merge them together in a profile? To my mind this would be an attack (trying to pass off someone else's VC as mine).

Example 6

Should be

  Usage of termsOfUse property by a Holder

6.3 Issuer

The current text says

  The issuer id must match expectations. Likely, that means it is the id of a known and trusted verifiable profile.

The use of 'verifiable profile' does not seem to be correct.

6.4 Subject

Currently the data model only supports a single subject. But the single subject can be a group. So a sentence should be added to this effect e.g.

  Note. The data model only supports a single subject. However the subject identifier can identify a set of subjects, such as a role.

6.8 Fitness for Purpose

Since the Subject may specify termsOfUse add the following sentence

  If the subject has placed any policy information about the use of the credential, e.g. intended verifiers, allowed delegates, etc., that this policy is adhered to.

Missing Sections

i) There is no section on the Trust Model. I suggest one should be added. Text can be copied and suitably modified from the Lifecycle document. Specifically the current data model does not specify

  The issuer, the holder and the verifier trust the identifier registry to be un-corruptible and to be a correct record of which identifiers belong to which entities.

  The subject trusts the issuer to issue true (i.e. not false) claims, and to revoke the credentials quickly when requested to do so.

ii) There is no section about Delegation of Authority i) by the issuer ii) by the holder/subject. There is no mention of recursion, where the claim is an embedded credential, or Power of Attorney VCs

iii) There is no mention of Dispute Resolution

What happens if the subject/holder asserts that the contents of a VC are wrong but the issuer refutes this and won't revoke the VC?

Regards

David
Received on Wednesday, 17 January 2018 16:24:34 UTC