Closed sakimura closed 1 year ago
Holder: An entity that received SD-JWTs from the Issuer and has control over them.
Just as the Issuer is not an admin using Issuance infrastructure, and the Verifier is not a police officer but the SW app they use, the Holder is meant not as a human being, but as the SW application used.
We think this was sufficiently addressed by merged PR #91.
Comment:
In this document, issuer, holder, and verifier are entities and not processes. Obviously, a holder, typically a human being, cannot receive the electronic communication directly, so there needs to be a process that runs on a computing device to receive the communication. This distinction is important when discussing privacy as the process may be run by a processor under the control of the holder instead of the holder running it themselves. So, at least, something like holder-agent needs to be introduced. This will be used in my other comments to define security and privacy properties.
Proposal:
Define holder-agent as “process that is used by the holder to obtain, store and present the claim sets”.