- From: Kyle Den Hartog <kyle.denhartog@mattr.global>
- Date: Wed, 5 May 2021 12:37:28 +1200
- To: Dominic Wörner <dom.woe@gmail.com>
- Cc: W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CAPHCqSxiyd83Hf86eHxgW8=BiHLz8B8v=nVDGRDA84qtegT9mw@mail.gmail.com>
- > Is the proof purpose "authentication" appropriate for this use case? - To align with the Well Known DID Configuration specification, I think it may be more useful to use assertionMethod here. The decision to use "assertionMethod" here I don't believe was heavily debated at the time though. In both cases, they are publicly available credential (although well-known did configuration is a VC instead of a VP) to assert a binding about a subject. However, I will note that within our team we've had people fall on both sides of this design choice and there's likely a broader discussion to be had about when a particular verification method should be used. > Should we just use a self-selected challenge like the current timestamp? - A nothing up my sleeve self generated challenge is a good way to go about this if you want to self select a challenge. One of the good ones that Mike Lodder often suggests is the latest hash of a well known blockchain such as bitcoin or ethereum. You could also use the latest state proof from an indy chain since based on the examples you've already got access to an indy network. - -Kyle On Tue, May 4, 2021 at 6:20 PM Dominic Wörner <dom.woe@gmail.com> wrote: > Hi, > > We've been using a Verifiable Presentation to represent a public profile > <https://hackmd.io/qFuh5MvEQBmvH8xSKud-BA> of an organization. This VP is > basically prepared once and can be fetched by various verifiers. We used > the proof purpose "Authentication", because it is used for subject > authentication. However, it's not really used "for the purposes of an > authentication protocol" [1] I'd say, since you can get the VP from any > party and this is by design, because we think this profile could be on a > CDN for example. > > In our use case the challenge/nonce in the proof does not make much sense, > but libraries do expect the challenge for this proof purpose which makes > sense in an authentication protocol. > > So, my questions are: > > - Is the proof purpose "authentication" appropriate for this use case? > - Should we just use a self-selected challenge like the current > timestamp? > > Thanks! > > Best, > Dominic > > [1] https://w3c-ccg.github.io/ld-proofs/#proof-purpose > -- This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
Received on Wednesday, 5 May 2021 00:37:53 UTC