Does the spec need normative statements for the Verifiable Presentation Request? #5
Comments
An Issuer App is not guaranteed to know who is making a call to it, so it cannot always know what ID to ask for. Some, but not all VCs have a unique ID, IIRC, so we can't make that a normative statement. We might be able to do something to this effect:
There are cases where you might never need to send anything to do a credential refresh as the refresh URL is unique to your account? So, the MUST might need to change to a SHOULD? What we probably need to do is at least provide a DIDAuth flow and more clearly outline the query by example specs. |
|
Another possibility would be the holder remembers which Vc it's making the refresh request for. My biggest concern here is that VP Query from the server might be vague enough to result in a refresh of Vcs that weren't intended to be refreshed. An example would be I have 3 Vcs representing memberships at different climbing gyms all issued by the same issuer and using an identical refreshService. I only want to refresh one of those memberships and let the other 2 expire. So if the holder remembers which one then they can supply that Vc provided it meets the query's specifications. Alternatively, the refreshService url could contain the vc id when issued making the refreshService request specific for a single Vc. |
https://w3c-ccg.github.io/vc-refresh-2021/#unmediatedrefresh2021-protocol
In
UnmediatedRefresh2021 ProtocolSection 3.2 Step 6:presentingsection of the linked spec contains multiple different types of presentationscredentialQuerycredentialQueryin turn should query for the Vc being refreshed, but how is not specifieddidAuthand thenbyExampleSo I think we need a normative statement here:
This removes ambiguity, but retains the open design of the specification.
The text was updated successfully, but these errors were encountered: