decentralized-identity / jwt-vc-presentation-profile

https://identity.foundation/jwt-vc-presentation-profile/
Apache License 2.0

Optionality for Verifier Trust #89

Open Reccetech opened 1 year ago

Reccetech commented 1 year ago

During one of the last meetings I believe we heard from @nklomp that their consortium liked many aspects of the profile but was unsure on the requirement to use Well Known DIDs. I think we can break the implementation of Well Known DIDs into two buckets. Bucket 1 is that all conformant implementations of JWT VC Presentation Profile (issuers, wallets, verifiers) must support the Well Known DID framework. I think Bucket #1 as written in the spec today makes sense. Bucket 2 is that all verifiers participating in those ecosystems must support a Well Known DID on their domain. However, when looking at bucket 2 we can recognize that wallets like MSFT Authenticator are explicitly designed to handle situations where a verifier does not have a well known DID and the user receives visual prompts or warnings that the verifier is "untrusted". So my change suggestion would be that in the section Linked Domain Verification, lines like "To strengthen trust between the Verifier/RP and End-user, a Verifier/RP’s DID MUST be bound to its website." are changed to "To strengthen trust between the Verifier/RP and End-user, a Verifier/RP’s DID MAY be bound to its website."

This would open the door for implementers of the JWT VC Presentation Profile to be required to have support for Well Known DIDs to support interop, but also open the door for participants to ignore Well Known DID implementations at the verifier level, or to support API or VC based trust architectures like Trust Establishment. These two patterns would not break JWT VC presentation interop, for, as described above, generic wallets should already be designed to handle these situations.

Feedback appreciated.

justAnIdentity commented 1 year ago

I think making Well Known DIDs optional is fine. We could add some language to recommend Well Known DIDs for organizational entities.

nklomp commented 1 year ago

I agree. We left it out in the DDIP (Dutch) profile to keep the profile as small as possible for v1. Just like we left out any trust establishment. DDIP v1 is focused mainly on interoperability. I think it makes sense to go down a similar route here. Suggest to use it for RPs, but do not require it.