Closed WadeBarnes closed 1 year ago
... to create a cred-def with a subset of a referenced schema's attributes
@swcurran does the new anoncreds spec take this into account?
While it may be possible, I don't believe the indy-sdk referenced feature is intended to be used to do what is described in the issue description. Technically, you can do it -- change the schema_json
item after retrieving the schema and before creating the CredDef. However, it is not expected by anyone in the ecosystem and it is not clear how later interactions would work.
We have talked about this in some Aries Working Group and AnonCreds Specification calls in another similar context. Notably, if we were to switch to using BBS+ Signatures in AnonCreds (replacing CL-Signatures), there is no technical need for either a Schema or a CredDef as there is only one key involved -- a simple DID would suffice. The issuer could just sign some number of claims, perhaps even different on every credential. The problem with that (and to lesser extent with what is proposed in this issue) is that by making the credentials more dynamic, it is harder to write code to handle all possible scenarios and it is harder to drive "standards" for credentials. We have had general agreement on those calls that keeping both the Schema and the CredDef is a good idea. An example of this added complexity is the following. If this feature were implemented, and a proof request came in asking for 4 claims from the Schema, but the holder has been issued a credential rooted on a CredDef that has only 3 of those claims, would the wallet be able to find the credential to construct the proof? Is the proof satisfied if the holder supplies only the 3 values, and (presumably) sends an "unrevealed" for the 4th item?
If we do want to support this, it must be done across all Aries Frameworks -- not just ACA-Py. An Aries Framework created to assume (as I think most do) that a Schema and CredDef will have the same claims may blow up if an ACA-Py issuer issues a credential with a different CredDef/Schema.
While this may be a good approach, IMHO we need to think carefully about the ramifications.
2 questions for Aca-py then:
Is there a controller Admin API endpoint for creating a CredDef that allows the user to alter the Schema JSON?
This is also the first I've heard of this capability, and I don't know if anyone has ever tried to do this or what the implications would be. There's no aca-py support for this, we only allow a cred def that fully implements a schema.
I think the new anoncreds spec should either embrace this capability or explicitly forbid it. Otherwise some other clever individual will figure out that it's possible and then run with it ... If the anoncreds spec includes this capability then we need to ensure that all the aries frameworks support it.
I will raise it at the AnonCreds Specification call and see what the response is. My guess the group will be against this, but we'll see.
Per the discussion within the AnonCreds Specification Working Group, this is a loop hole and we strongly recommend not using it, as it will greatly complicate the challenges faced by Holders and Verifiers in creating and verifying presentations.
See this comment for a timestamp in the recording of the discussion held by AnonCreds Spec Working Group meeting.
It is possible, with the indy-sdk at least, to create a cred-def with a subset of a referenced schema's attributes, example below. This makes the use of shared schemas cleaner for use cases when a schema contains additional attributes that are of no interest to one jurisdiction but are of interest to another. It also allows for additional use cases where different use case specific cred-defs can be generated from a single schema.
This (indy-sdk) api makes it possible:
aca-py
, currently, makes the assumption the attributes of a cred-def must be the same as the referenced schema both during cred-def generation and credential issuance:Example cred-def containing a sub-set of a schema's attributes. Note
parent_1_full_name
andparent_2_full_name
are not included in the cred-def.