Re: Verifiable Requests?

On 12/19/20 5:01 PM, Daniel Hardman wrote:
> What I'm saying is that "Verifiable" Requests are not and need not be
> a thing, because usually the burden of proof on the request doesn't 
> justify the "verifiable" label.

As I read through this thread, I find myself nodding in agreement on a
variety of the things that Daniel has said. The point above highlights
why the Verifiable Credentials spec is the way it is (Gabe asked why the
asymmetry, and Daniel hits the nail on the head above).

For those in the discussion that are new, I'm the lead Editor for the
W3C Verifiable Credentials specification -- and I remember why we decided
to NOT specify a Verifiable Request in the specification. It wasn't an
oversight, it was very much by design.

Once you start talking about request/response, you're talking about a
protocol... and we wanted to stay very far away from specifying a
protocol in the VC work because that would have taken us out of the data
model aspects of VCs and put us squarely into protocol, which is a layer
up from the data model. The VC specification does not, and should not
specify protocol... ever. If it does so, it's an architectural layering
violation. That is not to say that the VC layer can't have some things
that are useful to protocols (like proofs, nonces, domains, etc.)... but
protocol is out of scope for that specification.

... and it's for a simple reason:

There may be many different protocols for requesting a VC. Some of the
protocols are very simple, like the Query By Example mechanism that many
companies used to achieve multi-way interop last spring via CHAPI.
Others are more complex, like the DIF Presentation Request
specification. The right answer depends on your use case. Yes, we don't
want lots of choices for request protocols, but we are probably not
going to have just one for at least the next 5 or so years. For this
reason, the Credential Handler API was designed to run a variety of
request/response protocols over the "dumb pipe" it sets up. Just like
you can run Web Sockets, WebRTC, XMPP, or HTTP/3 over TCP/IP -- it's
important to realize that there will likely not be one protocol for
requesting VCs/VPs, but many.

Some of those protocols will require the request to be digitally signed
and contain human-readable explanations of the information being
requested... other protocols won't require any of that.

I urge folks to internalize that before rushing ahead and thinking that
there is one answer to the "How do we request Verifiable
Credentials/Presentations?" question.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches

Received on Monday, 21 December 2020 20:44:51 UTC