Open reinkrul opened 7 months ago
Considerations:
Options:
Or combine automation with a hack to only remove these types of credentials.
The same also goes for AuthCreds that have been revoked, although record keeping might be more important there?
Maybe let it be configurable, based on type? I don't foresee you want to select credentials to prune on other criteria..
Say;
vcr:
issuer:
prune_expired:
match_type: EmployeeIDCredential
after: 1d
Important remark is that never-expiring credentials are never pruned, so another reason to let credentials expire at some point.
We made it ourselves harder by introducing a second store for non did:nuts
-related VCs. We have several options:
did:web
-related VCs, stored in SQL, we might not support/advice using short-lived EmployeeID-like credentials (or NutsAuthorizationCredential), but we don't know yet.1 or 2 maybe
This is not an issue for the ServiceToService Access Token flow with employee credentials; the EmployeeCredential isn't actually issued and signed, and only protected by the VP proof (issuer-is-holder credential).
When a VC gets issued, it is always stored in the VCR issuer store. This is to keep track of what is issued and to be able to revoke credentials. This was probably designed with low credential count in mind, so no pruning was needed at time when this got designed. Maybe even with the
NutsAuthorizationCredential
s the number were low enough not to consider pruning.However, every data access request (or once per user session), an EmployeeID credential is issued and stored. To avoid an ever-growing store (with data that became irrelevant), we might need to consider pruning issued credentials.