`Anoncreds` Revoking one credential of many of the same type fails proof

hyperledger / aries-cloudagent-python

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments.

https://wiki.hyperledger.org/display/aries

Apache License 2.0

404 stars 511 forks source link

`Anoncreds` Revoking one credential of many of the same type fails proof #2934

Closed jamshale closed 4 months ago

jamshale commented 4 months ago

With anoncreds specifically. If faber issues multiple credentials to alice of the same type and then revokes any of the credentials, the next proof request will fail verification.

Steps (using demo):

start faber ./run_demo run faber --wallet-type askar-anoncreds --revocation
start alice ./run_demo run alice --wallet-type askar-anoncreds
connect
issue 3 credentials to alice
revoke credential 2
request proof
result will be verified = false

Screencast from 2024-05-07 09:39:59 AM.webm

swcurran commented 4 months ago

Sounds like this is either a bug in ACA-Py’s selection of a default credential to use when there are multiple — should choose the most recent non-revoked one, or in Alice picking the wrong one to use from a set.

swcurran commented 4 months ago

That said, I don’t know how “default” is defined by ACA-Py. Presumably it is the first in the array of candidate VCs that could be used to satisfy the request.