[Openid-specs-ab] Verifiable presentation question
david at alkaline-solutions.com
Thu May 13 02:48:19 UTC 2021
> On May 12, 2021, at 5:11 PM, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> I have got a few generic questions regarding the verifiable presentation.
> If any of you can help, it is much appreciated.
> How can the claims in the VC be bound to an ephemeral identifier and keys in a trustworthy manner when presented to the RP? (What is being written in the current Claims Aggregation draft is a way of achieving it in the context of a regular OIDC response, but it cannot be done independently of the verified claims issuance.)
Typically you are doing a signature-based proof of possession (based on a stable or ephemeral key pair) or doing a zero knowledge proof of knowledge of a secret or private key. The confirmation by the holder is what differentiates a credential from a presentation.
Many use cases aim to isolate the issuer of a credential from knowing when and to whom it is used, hence the inability to do audience constraints for bearer confirmation.
When you are aggregating credentials from multiple sources into presentation(s), you can no longer count on a single authoritative subject identifier. So you need to provide proper confirmation(s), or else the credentials are (comparatively weaker) evidence.
If the subject identifier is resolvable (such as a DID with verification methods registered, or an HTTPS URL with appropriate .well-known metadata), the confirmation method may be externally resolved and mutable. There are correlation risks for using a subject identifier here, so this winds up being most useful for public credentials.
A single proof mechanism may not be applicable to all of the credentials when multiple are being returned, hence the ability for a VP to contain multiple VCs, and for multiple VPs to also be returned.
> I hardly know ZKP at all, but I was assuming that there would be several exchanges between the verifier and the holder. However, the current OIDC4VCO draft seems to be just talking about a simple request/response protocol: it just looks to me to be defining the addition of a member parallel to id_token in the request, and defining another format for the response. Am I missing something?
I believe these are typically 1-round or non-interactive proofs, hence letting them fit into a request/response model.
> Where can I find the authoritative copy of W3C Verifiable Presentation spec?
The only recommendation is the Verifiable Credentials Data Model at https://www.w3.org/TR/vc-data-model/ . There is a WG note with use cases at https://www.w3.org/TR/vc-use-cases/ . LD-Proofs are at draft charter stage, with a maze of draft specifications by the W3C CCG.
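
The signature-based proof of possession discussed in this message, as an added example that is not part of the original message or of any OIDC or W3C draft. It assumes Ed25519 keys and plain JSON strings in place of a real VC/VP format; every name, claim and URL in it is constructed.

```javascript
// Added illustration: holder binding by signature-based proof of possession.
// All names, claims and URLs are constructed; this is not a VC/VP wire format.
const crypto = require('node:crypto');

const sign = (key, text) => crypto.sign(null, Buffer.from(text), key).toString('base64');
const check = (key, text, sig) =>
  crypto.verify(null, Buffer.from(text), key, Buffer.from(sig, 'base64'));

// Issuer: signs the claims plus the holder's public key (the confirmation key).
// No audience appears here, so the issuer never learns where the credential is used.
function issue(issuerKey, claims, holderPub) {
  const vc = JSON.stringify({ claims, cnf: holderPub.export({ format: 'jwk' }) });
  return { vc, sig: sign(issuerKey, vc) };
}

// Holder: wraps the credential with the verifier's audience and nonce, then signs.
function present(holderKey, credential, aud, nonce) {
  const vp = JSON.stringify({ credential, aud, nonce });
  return { vp, sig: sign(holderKey, vp) };
}

// Verifier: issuer signature, then holder signature under cnf, then aud and nonce.
function verify(issuerPub, presentation, aud, nonce) {
  const body = JSON.parse(presentation.vp);
  const { vc, sig } = body.credential;
  if (!check(issuerPub, vc, sig)) return 'bad issuer signature';
  const cnf = crypto.createPublicKey({ key: JSON.parse(vc).cnf, format: 'jwk' });
  if (!check(cnf, presentation.vp, presentation.sig)) return 'no proof of possession';
  if (body.aud !== aud || body.nonce !== nonce) return 'wrong audience or nonce';
  return 'ok';
}

const issuer = crypto.generateKeyPairSync('ed25519');
const holder = crypto.generateKeyPairSync('ed25519'); // ephemeral holder key
const thief = crypto.generateKeyPairSync('ed25519');  // has the VC, not the holder key
const cred = issue(issuer.privateKey, { age_over_18: true }, holder.publicKey);

const good = present(holder.privateKey, cred, 'https://rp.example', 'n-1');
const stolen = present(thief.privateKey, cred, 'https://rp.example', 'n-1');
console.log(verify(issuer.publicKey, good, 'https://rp.example', 'n-1'));
console.log(verify(issuer.publicKey, stolen, 'https://rp.example', 'n-1'));
console.log(verify(issuer.publicKey, good, 'https://other.example', 'n-2'));
```

The audience and nonce live only in the holder-signed wrapper, which is how the presentation can be bound to one RP while the issuer-signed credential stays audience-free.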