Re: Reusing VCs in a safe and meaningful way from Alen Horvat on 2023-09-08 (public-credentials@w3.org from September 2023)

From: Alen Horvat <horvat.alen@yahoo.com>
Date: Fri, 8 Sep 2023 08:04:48 +0200
To: ステファニー　タン（SBIホールディングス） <tstefan@sbigroup.co.jp>
Cc: W3C Credentials CG <public-credentials@w3.org>
Message-Id: <FB31F3E1-5BAD-4FCB-8D7A-029277024AAF@yahoo.com>

Hi.

This essentially falls either under an accreditation model or delegated authorisation.
Here are 2 sample data models:
- Accreditation https://code.europa.eu/ebsi/json-schema/-/blob/main/schemas/ebsi-accreditation/2023-04/schema.json 
- delegated authorisation: https://code.europa.eu/ebsi/json-schema/-/blob/feat/ebsiint-7198/schemas/ebsi-authorisation/2023-09/schema.json

In the case of authorisation, we are embedding the VC, that is a basis for the delegation, in the Evidence property.

We’re using the following pattern:
- if VC-A is about the issuer/signer -> put it in the signature as signed or unsigned element
- if VC-A is about the content, we put it in the Evidence (can be embedded or referenced, depending on the use case needs)
 
Related question: https://github.com/w3c/vc-data-model/issues/870#issuecomment-1705205519

BR, Alen

> On 8 Sep 2023, at 04:44, ステファニー タン（SBIホールディングス） <tstefan@sbigroup.co.jp> wrote:
> 
> Dear all,
> 
> This is Stefannie again. First off, I would like to thank everyone who sent in their opinions, suggestions and follow-up questions with our previous question regarding DID method-specific-id. I passed it on to our engineering team and we are currently doing further investigation.
> 
> I have another question from our engineering side, this time regarding how VCs can be reused in a safe and meaningful way. 
> 
> Please see below our Business design, Business Flow and Technical Solutions that we are considering. 
> 
> [Business Design]
> Companies should get a VC from a trust-worthy organization before they can transact with each other.
> 
> [Business Flow]
> Here is the Business flow for the case when Company A needs to sell Product B to Company B,  and Product C to Company C.
> Company A gets a VC (VC-A) from the trust-worthy organization.
> Company A, in its internal system, makes TraceID-B for selling Production B to Company B.
> In the same way, Company A, in its internal system, makes TraceID-C for selling Production C to Company C.
> Company A needs to share Production B info(i.e. production name),  TraceID-B and the VC-A with Company B.
> In the same way, Company A needs to share Production C info(i.e. production name),  TraceID-C and the VC-A with Company C.
> [Technical Solution]
> To achieve the above, while keeping in line with DID VC protocol, we discussed two solutions.
> Company A builds a new self-signed VC-B with Production B info and TraceID-B.  Then, Company A makes VP-B by signing against VC-A and VC-B. Finally, Company A passes VP-B to Company B for verification purposes.
>  Company A makes VP-B by signing against VC-A. Then,  Company A builds a new self-signed VC-B with Production B info and TraceID-B and VP-B.  Finally, Company A passes VC-B to Company B for verification purposes.
> 
> We are wondering which one of the two solutions fits more into the DIDVC protocol.  At the same time, we would like to know whether there are potentially other solutions.
> 
> Best regards,
> Stefannie
> SBI Holdings, Inc.

Received on Friday, 8 September 2023 06:05:12 UTC