Re: About credential transfer mechanisms

Another idea:


Don't use credentials at all, just create a DID that identifies the 
product, and whoever holds the DID's private key is considered the owner.

You can "transfer" the product by updating the DID's controller keys to 
keys belonging to the new owner.


You can still have additional properties (like a GTIN) inside the DID 
document, or you could even have credentials about the product.


The DID doesn't change if the owner changes, i.e. the product's 
identifier is persistent.


You can reference earlier versions of the DID document using versionId 
and versionTime parameters.


Of course you'd need a DID method other than did:web (since that isn't 
controlled by keys) and other than did:key or did:jwk (since those can't 
be updated).


Markus


On 4/24/24 10:11, Ismael Illán García wrote:
> Greetings CCG,
>
> I would like to get your opinion on the transfer/cession of 
> credentials. Assuming, for example, that a credential issued by a 
> store represents product ownership similar to a purchase receipt. The 
> credential would contain information to identify the product (e.g., 
> GTIN) and the owner's DID. In the event of a resale, what mechanisms 
> could be established? In my group, we have raised the following options:
>
>
> 1. Utilizing the extensibility property of credentials: The current 
> holder could issue a new transfer credential with their signature, 
> which would reference the first credential. The new owner could then 
> present the chain of credentials from them to the store that sold the 
> product. The main problem with this approach is that previous owners 
> could continue to present their ownership credentials as if they were 
> still the owners.
>
>
> 2. The other option would require the participation of the store: Once 
> the first sale of the product has been made (store -> customer), the 
> current owner could request the store to issue the credential again, 
> but for the new owner's DID. To ensure that the current owner does not 
> keep their credential and continue to use it, the store could have a 
> published list of credential statuses, allowing them to revoke it.
>
> Thanks
> Ismael.

Received on Monday, 13 May 2024 19:07:11 UTC
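
The mechanism described in the reply above (a persistent product DID whose controller key is rotated to the new owner, with earlier versions still resolvable), sketched as an added example that is not part of the original thread or of any DID method's code. The in-memory `Registry`, the `did:example` identifier, the Ed25519 keys, the rotation message format and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Registry is a toy key-controlled DID method: r[did][i] is the controller at versionId i+1.
type Registry map[string][]ed25519.PublicKey

// RotateMsg is what the current controller signs; binding versionID stops replay of old handovers.
func RotateMsg(did string, next ed25519.PublicKey, versionID int) []byte {
	return []byte(fmt.Sprintf("%s|rotate|%d|%x", did, versionID, next))
}

// Resolve returns the controller at versionID (1-based, 0 = latest), or nil if absent.
func (r Registry) Resolve(did string, versionID int) ed25519.PublicKey {
	h := r[did]
	if versionID == 0 {
		versionID = len(h)
	}
	if versionID < 1 || versionID > len(h) {
		return nil
	}
	return h[versionID-1]
}

// Transfer appends a new version only if the current controller signed the rotation.
func (r Registry) Transfer(did string, next ed25519.PublicKey, sig []byte) bool {
	cur := r.Resolve(did, 0)
	if cur == nil || len(next) != ed25519.PublicKeySize || !ed25519.Verify(cur, RotateMsg(did, next, len(r[did])+1), sig) {
		return false
	}
	r[did] = append(r[did], next)
	return true
}

// ProvesOwnership checks a signed verifier challenge against the latest controller only.
func (r Registry) ProvesOwnership(did string, challenge, sig []byte) bool {
	cur := r.Resolve(did, 0)
	return cur != nil && ed25519.Verify(cur, challenge, sig)
}

func main() { // constructed demo: owner A hands the product DID to owner B
	pubA, privA, _ := ed25519.GenerateKey(nil)
	pubB, _, _ := ed25519.GenerateKey(nil)
	r, did := Registry{"did:example:product": {pubA}}, "did:example:product"
	fmt.Println(r.Transfer(did, pubB, ed25519.Sign(privA, RotateMsg(did, pubB, 2))))
}
```

Because ownership is checked against the latest version only, a previous owner's key stops proving ownership as soon as the rotation is recorded, while the earlier controller stays resolvable by version number.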