-
Notifications
You must be signed in to change notification settings - Fork 217
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue Credential: initiate with issue message #774
Comments
cc @chumbert |
According to what I see in the text of the RFC, offer is an optional step — https://github.com/hyperledger/aries-rfcs/tree/main/features/0453-issue-credential-v2#messages
I certainly remember when we defined this protocol that Offer was not supposed to be required for all credential formats, so I believe that is the expectation. I’m good with this being a clarification. |
100% agree. Also, the revised language should no longer refer to "Hyperledger Indy" as if that defined a specific credential format, right? If I understand correctly, Hyperledger Indy is evolving into a digital wallet and credential framework that can support multiple credential formats. So the language should say something like, "...required for Hyperledger AnonCreds and other interactive credential issuance formats". |
Yes — we need to convert all the language in the RFCs to replace Indy with AnonCreds where it references the AnonCreds credential format. That gets a tad tricky where the refrerences are in data models. In that case, we change the text, but include a note to indicate why the data items reference “indy”. |
@swcurran based on current wording, I think the statement that the offer is optional implies that the exchange can start with a request but no alternatives where the issuer initiates are given. As a result of this language, as a concrete example, ACA-Py expects (requires) that a credential request must always be sent/received no matter the credential type or who initiated it. I think we could probably still get away with having this just be a clarification and not a version bump but if implementations were strictly adhering to this language like ACA-Py does, we might see some compatibility issues. |
In the last comment — did you mean to say "expects (requires) that a credential The challenge happens with credential types that don’t specify what is needed to issue a credential. AnonCreds defines both data models and the interactions needed to issue a credential. That level of opinion makes it easier to know what to do. With a JSON-LD W3C credential using LD-Signatures), where only a data model is defined, there is no guidance on any steps in the issuance. An issuer doesn’t even need a credential request. If the issuer wanted some sort of SubjectID to put into the credential, they might require a credential request from the holder. They might even explicitly ask for that from the holder via a credential offer (which is what happens in AnonCreds — including the use of a nonce to prevent a replay attack by the holder). I think the approach that is needed is that the base protocol issue-credential should define the options, and it is up to the RFCs that defines the usage for a specific credential type. I agree that if there is a credential type that supports starting with a credential request, it should be possible in the concrete implementations. I’d be interested in knowing what assumptions are built into ACA-Py’s support for JSON-LD W3C credentials with LD-Signatures and BBS+ signatures. |
I do actually mean credential request. The Issue Credential protocol already permits starting from a request message making the list of potential entry points for the protocol:
What's missing is a flow that permits the Issuer to initiate at the ACA-Py's JSON-LD W3C Credential implementation strictly expects these protocol entry points and, as the recipient of a credential, will reject an |
Sorry — I thought you were saying you wanted to start at the I would be open to a PR that clarifies the starting point as being flexible, and then once we see the wording (and perhaps how you want to use it) we can see if that is a clarification of the existing protocol, or would require a version change. I’m betting on clarification, but we’ll see :-). |
Starting at issue credential makes sense to me. Also because the jsonld format doesn't provide a way to do proof of possesion of the subject did, so that would need to be handled separately. That's how an offer/request flow would be most useful |
If it happens to be the same DID as the DIDComm connection, then proof of possession is automatic. If not, we'd need to include a separate proof of possession as @TimoGlastra describes. |
Issue Credential as a protocol was formulated with support for credential formats like AnonCreds that require exchange of key cryptographic primitives prior to issuance. This resulted in the offer-request-issue-ack and proposal-offer-request-issue-ack flows we have today. However, not all credential formats have these requirements. LDP-VC credentials can skip straight to the issuing a credential in many circumstances. The protocol as specified right now requires that all issuer-initiated flows start from the
offer
message, despite the differing requirements between credential formats.This has been discussed on the Aries WG call and the resolution was that it's fine for credential formats that don't require prior steps to begin with the issue message.
We should update the protocol to reflect this resolution.
Implications to discuss: how does this affect the version of the protocol?
cc @TelegramSam
The text was updated successfully, but these errors were encountered: