Add support for proof chains to VC API POST credential/issue endpoint #422
Comments
aljones15
changed the title
|
+1 to most of this proposal.
This is the only part that give me heartburn, since the issuer endpoint may be attaching more than one proof or there may be more than one previous proof, and these options might be insufficient / mismatched with the requirements. It might be better for Other considerations that we would want to highlight would be how status interacts and whether there generally should be no new status fields added when there are existing proofs / status fields for these proof chain endpoints. |
|
question: should the issuer verify exiting proofs before adding a proof set/chain? It's not in the spec but this would make an issuer instance output invalid credentials... |
No, I don't think it should do this -- and I think it's on the client if it sends something to an issuer endpoint that will produce something invalid. There are many ways "invalid" (in some sense) output could be generated due to configuration issues and other problems and, IMO, we can't and shouldn't try to patch them all by pushing all the various responsibilities to every component/endpoint. |
I think this will likely depend on the deployment. Some will want to require it, others won't find it important. More business logic. |
msporny
changed the title
msporny
changed the title
|
The group discussed this on the 2025-01-14 telecon: One approach is to add proofs synchronously (different groups), instance configured to add all proofs (client authorizes all signatures to be put on there), how it acts can be externalized in another system -- not compositional -- maybe we want a different endpoint for this -- open question for how this should fit into VC API. @jandrieu noted that use cases were going to be written for proof chains and proof sets -- if we have use cases, what are real world thing here, that might help us navigate technical choices. @dlongley agreed with that, and we have implementations w/ sets w/o chains -- chains are a subset of proof sets... configs are empowered w/ different types of keys to generate proof sets -- config has capability to contact key signing service to use different keys to generate full proof set when VC is issued. We have that piece (for sets), for chains (we don't quite have the capability). If setup is such that you have keys that are part of chain, can do signing one after the other. @jandrieu noted we don't have those use cases written up -- proof sets are about having multiple signatures by same issuer for cryptographic flexibility. The group identified the following use cases (to start):
A PR should be raised that notes that an issuance instance can be configured to clear existing proofs and always generate a new single proof, generate more than one proof in parallel (proof sets), generate more than one proof in series (proof chain), or any variation thereof (hierarchical proofs) based on use case needs. |
A credential issuance endpoint can be posted to multiple times with initially an unsigned credential and then later a signed credential which will have a new proof added to the VC which could use the
proofIdandpreviousProofoptions.https://w3c-ccg.github.io/vc-api/#issue-credential
The schema for POST
credentials/issueshould have an optionalproofpropertythe options object should now have optional options
previousProofString or Array orproofIdfor specifying a proofId for a proof.The text was updated successfully, but these errors were encountered: