Re: Verifiable Requests? from David Chadwick on 2020-12-19 (public-credentials@w3.org from December 2020)

From: David Chadwick <D.W.Chadwick@kent.ac.uk>
Date: Sat, 19 Dec 2020 17:13:55 +0000
To: public-credentials@w3.org
Message-ID: <c01f001f-b7a7-6341-9606-cdaeddfe2f2a@kent.ac.uk>

Hi Daniel

I would revise your requirements somewhat as follow

On 19/12/2020 04:06, Daniel Hardman wrote:
> FWIW, here are the things that I think we need to standardize:
>
> 1. A credential and a presentation (the VC spec)
> 2. How a credential is requested (what the new DIF spec calls a 
> "presentation definition", which is quite powerful and generally 
> useful, IMO)

Rather I would say: How a set of credentials, or alternative sets of 
credentials, are requested.

This request needs to be fully flexible to cater for (as near as 
possible) any conceivable requirements of the SP. In our implementation 
we use DNF and CNF as these can present any set of requirements.

> 3. How a response to a request explains the way that the response maps 
> to the request ("You asked me for either a driver's license or a 
> passport, plus proof of my current address. I chose to give you the 
> passport, and to prove my current address by showing you a utility 
> bill.")\

I actually don't think this is needed. The returned VP is the holder's 
answer to the request. It contains the requested VCs embedded in it. So 
it is self-explanatory. (The Holder does not need to say its a utility 
bill because the VC itself will say what type it is). It is the 
responsibility of the verifier to see if the VP does contain the set of 
VCs that meets the SP's requirements. There is little point in the 
holder giving an explanation because:

a) the explanation could be acceptable but the actual VC may not be (I 
am showing you a utility bill, but the utility bill issuer is unknown to 
the verifier)

b) the explanation might not be acceptable, but the VC might be (I am 
sending you my employment card (instead of passport), but this contains 
the holder's current address)

c) the explanation could be false and the VC could be something entirely 
different to the explanation, so what does the verifier believe, the 
explanation or the actual VC? (I am giving you my passport but the VC is 
an employment certificate.)

So I see no useful purpose for the explanation. I don't believe it is 
needed, but worse, I think it complicates the processing by the verifier.

Kind regards

David

Received on Saturday, 19 December 2020 17:14:12 UTC