-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Does the spec need normative statements for the Verifiable Presentation Request? #5
Comments
An Issuer App is not guaranteed to know who is making a call to it, so it cannot always know what ID to ask for. Some, but not all VCs have a unique ID, IIRC, so we can't make that a normative statement. We might be able to do something to this effect:
There are cases where you might never need to send anything to do a credential refresh as the refresh URL is unique to your account? So, the MUST might need to change to a SHOULD? What we probably need to do is at least provide a DIDAuth flow and more clearly outline the query by example specs. |
Another possibility would be the holder remembers which Vc it's making the refresh request for. My biggest concern here is that VP Query from the server might be vague enough to result in a refresh of Vcs that weren't intended to be refreshed. An example would be I have 3 Vcs representing memberships at different climbing gyms all issued by the same issuer and using an identical refreshService. I only want to refresh one of those memberships and let the other 2 expire. So if the holder remembers which one then they can supply that Vc provided it meets the query's specifications. Alternatively, the refreshService url could contain the vc id when issued making the refreshService request specific for a single Vc. |
https://w3c-ccg.github.io/vc-refresh-2021/#unmediatedrefresh2021-protocol
In
UnmediatedRefresh2021 Protocol
Section 3.2 Step 6:presenting
section of the linked spec contains multiple different types of presentationscredentialQuery
credentialQuery
in turn should query for the Vc being refreshed, but how is not specifieddidAuth
and thenbyExample
So I think we need a normative statement here:
This removes ambiguity, but retains the open design of the specification.
The text was updated successfully, but these errors were encountered: