swcurran
commented
5 months ago @ianco @dbluhm -- fyi -- this is another (IMHO) urgent fix for 0.12.1 as it is another problem with unqualified DIDs.
We have covered this before, so @ianco -- I wonder if this is just an issue with the "AnonCreds in W3C VCDM Format" code -- perhaps something missed from another change? Or is it also in the main code. I would expect issuance with Alice using a peer:did:2/4 would uncover this issue.
ianco
In the original AnonCreds issue implementation, the holder provided the issuer with a "holder_did" value in the
requestmessage of Issue Credential. In working through that in creating the AnonCreds spec, it was realized that theholder_diddid not have to be a DID, but rather, just a string, a thing to provide entropy to the issuance process. Further, there is no concept of a "holder_did" in the AnonCreds implementation. As such, the JSON attribute name was changed.However, in the ACA-Py implementation, the issuer code is still assuming the value is a DID, and in fact requiring that it be an INDY_DID or unqualified DID. The "holder DID" being used is the holder's peer DID in their relationship with the issuer, and that DID is now a qualified DID -- often a
did:peer:2/4. There is a verification check that errors out on this.This is causing errors such as: https://github.com/hyperledger/aries-cloudagent-python/pull/2861#issuecomment-2083162080 where the holder is using a
peer:did:2/4.The minimum answer is that the issuer Issue Credential code receiving the
requestfrom the Holder MUST NOT check that theentropy(orholder_did) value is adid, and especially not anINDYDID. The validation should be limited to checking that the value is a string.Other references and validations on
holder_did(which is common in the code), should probably also reviewed to make sure that the INDYDID verification is not happening -- since that will break when using qualified Peer DIDs.