- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Mon, 26 Jun 2017 12:26:33 -0400
- To: David Chadwick <D.W.Chadwick@kent.ac.uk>, public-credentials@w3.org
On 06/25/2017 05:37 AM, David Chadwick wrote: > > > On 24/06/2017 20:30, Joe Andrieu wrote: >> David, >> >> I can see where it reads that way, but I'm not making that >> assumption at all. >> >> Relating the subject to any particular entity is dealt with outside >> the claim. There may be enough information in the claim itself to >> do the correlation or it may need to be done externally either in >> context or based on other data. This is a problem of >> authentication, not verification. > > To be more precise, verification comprises authentication and > identification. In order to verify a claim I think that the > following procedure is needed: > > 1. The inspector needs to first identify the issuer and the subject. > 2. The inspector then needs to authenticate that the VC was issued by > the identified issuer and has not been revoked since issuance. > 3. The inspector then needs to verify that the issuer is trusted to issue > the contents of the claim. > 4. If the subject is 'any/bearer' the > verification procedure now ends. > 5. Otherwise the inspector needs to > authenticate the presenter. If the presenter is the subject the > verification procedure ends. > 6. If the presenter is not the subject > then the inspector needs to verify that the presenter is authorised > to present the claim. This can be done in a variety of ways e.g. a > pre-established trust relationship between the inspector and > presenter; a VC delegating authority from the subject to the > presenter; a recognised procedure for certain classes of subject and > presenter; etc. > > You seem to think that the VC verification model should stop at step > 3. I would argue that these steps are necessary but not sufficient > for verifying VCs. The VC verification process should comprise all > steps necessary for the inspector to determine whether to keep the VC > or discard it as untrustworthy. I agree that this list is important, fully in scope for the CG, and that the VCWG may make certain recommendations around this process and any data modeling related to it. But if it heads too far in the protocol direction then it would be out of scope for the VCWG. -- Dave Longley CTO Digital Bazaar, Inc. http://digitalbazaar.com
Received on Monday, 26 June 2017 16:27:01 UTC