This pull request proposes to add a requiredverifierDID value to the VP verification request body in the Digital Wallet Conformance Criteria.
Reasoning
As I see it as of today, OCI is aiming to define architecture-agnostic specifications that gives developers freedom regarding their specific implementations as long as they adhere to the defined specifications. This approach seems to be broken regarding the VP verification API in the Digital Wallet Conformance Criteria.
This is very much apparent if the implementation supports holding multiple DIDs over maybe multiple different tenants within a solution. With the current specification, it is not possible to define which entity/ DID requested a VP verification, which may lead to further problematic limitations. Those may include, e.g., not being able to save the result of a VP verification process to the verifying parties tenant/ agent, which may be needed for regulatory purposes (see audit trail).
Interestingly, this approach of adding a DID to the request body is already embraced looking at the VP generation API which allows the correct addressing of which DID (holderDID), and therefore maybe which tenant, should generate a VP of the specified credential type. (see Digital Wallet Conformance VP generation API request body)
Impact
Because the proposed addition of the verifierDID being required, all existing implementations would need to consider the new value in the request body. If not needed, it can be ignored. Not implementing the specified verifierDID will result in other parties not being able to, e.g., maintain their audit trail for VP verification events.
This PR is connected to another [PR on the API specification](https://github.com/Open-Credentialing-Initiative/api-specifications/pulls)
General
This pull request proposes to add a required
verifierDID
value to the VP verification request body in the Digital Wallet Conformance Criteria.Reasoning
As I see it as of today, OCI is aiming to define architecture-agnostic specifications that gives developers freedom regarding their specific implementations as long as they adhere to the defined specifications. This approach seems to be broken regarding the VP verification API in the Digital Wallet Conformance Criteria.
This is very much apparent if the implementation supports holding multiple DIDs over maybe multiple different tenants within a solution. With the current specification, it is not possible to define which entity/ DID requested a VP verification, which may lead to further problematic limitations. Those may include, e.g., not being able to save the result of a VP verification process to the verifying parties tenant/ agent, which may be needed for regulatory purposes (see audit trail).
Interestingly, this approach of adding a DID to the request body is already embraced looking at the VP generation API which allows the correct addressing of which DID (
holderDID
), and therefore maybe which tenant, should generate a VP of the specified credential type. (see Digital Wallet Conformance VP generation API request body)Impact
Because the proposed addition of the
verifierDID
being required, all existing implementations would need to consider the new value in the request body. If not needed, it can be ignored. Not implementing the specifiedverifierDID
will result in other parties not being able to, e.g., maintain their audit trail for VP verification events.