nuts-foundation / nuts-node

The reference implementation of the Nuts specification. A decentralized identity network based on the W3C SSI concepts with practical functionality for the healthcare domain.
https://nuts-foundation.gitbook.io
GNU General Public License v3.0

VCR: Enable searching for credential types #2076

Open reinkrul opened 1 year ago

reinkrul commented 1 year ago

When searching for credentials (`SearchVCs()`) the type field is used for determining which fields are to be included in the search, but they're not filtered on. This might make sense from a JSON-LD point of view, since the query could be:

Give me credentials issued to `<DID>` with `organization.name=<name>` and `organization.city=<city>`

But the functionality is not used as such; it is used to find credentials of specific types, e.g. `NutsOrganizationCredential` for your own customer administration or address book functionality, or `NutsAuthorizationCredential` for finding which credential(s) can be used to get access to remote data. It's also a potential vulnerability, since other credential types could unknowingly be seen as another credential.

Thus, we should also filter on credential types.

Note: that would disable a use case like "give me any credential with X=Y", but I'm not sure it's used that way atm; a workaround would be multiple queries.
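The behaviour described in this issue, as an added Go example that is not nuts-node's code and not part of the thread: a field-only search returns a credential of another type, while a search that also filters on type does not. `Credential`, `SampleStore`, `SearchFieldsOnly`, `SearchWithType` and `ExampleOtherCredential` are hypothetical names, the data is constructed, and the type check is an exact string comparison that does not model JSON-LD term expansion.

```go
package main

import "fmt"

type Credential struct { // hypothetical, simplified stand-in for a stored VC
	ID      string
	Types   []string
	Subject map[string]string // flattened credentialSubject paths
}

// SampleStore is constructed data: two credential types carrying the same subject field.
var SampleStore = []Credential{
	{ID: "vc-1", Types: []string{"NutsOrganizationCredential"}, Subject: map[string]string{"organization.name": "Care Org"}},
	{ID: "vc-2", Types: []string{"ExampleOtherCredential"}, Subject: map[string]string{"organization.name": "Care Org"}},
}

// SearchFieldsOnly matches on subject fields only; the credential type is not filtered on.
func SearchFieldsOnly(store []Credential, query map[string]string) []Credential {
	var out []Credential
next:
	for _, c := range store {
		for path, want := range query {
			if got, ok := c.Subject[path]; !ok || got != want {
				continue next
			}
		}
		out = append(out, c)
	}
	return out
}

// SearchWithType also requires wantType to be among the credential's types.
func SearchWithType(store []Credential, wantType string, query map[string]string) []Credential {
	var out []Credential
	for _, c := range SearchFieldsOnly(store, query) {
		for _, t := range c.Types {
			if t == wantType {
				out = append(out, c)
				break
			}
		}
	}
	return out
}

func main() {
	q := map[string]string{"organization.name": "Care Org"}
	fmt.Println(len(SearchFieldsOnly(SampleStore, q)), len(SearchWithType(SampleStore, "NutsOrganizationCredential", q)))
}
```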

woutslakhorst commented 1 year ago

Then move from JSON-LD to non-JSON-LD. We either do it contextually or not, but not a hybrid.

reinkrul commented 1 year ago

Why would filtering on type make it a hybrid?

woutslakhorst commented 1 year ago

> Why would filtering on type make it a hybrid?

Because it disables the feature that multiple credential types can have the same meaning. That's the main feature that is added by JSON-LD. If we do not want it then we might as well not use JSON-LD.