Open cre8 opened 9 months ago
paulbastian
commented
9 months ago Related to #91 and #93 Revoking is up to the issuer and not mentioned anywhere in OpenID4VCI. I guess the simplest and safest solution for credential_instances/copies is to throw away the old ones and only used the new ones.
Sakurann
commented
9 months ago it is probably worthwhile adding a sentence that "when wallet receives a new batch of the same credential datasets, the wallet SHOULD delete previous credentials" as it seems like that's what most wallets/issuers are doing.
jogu
commented
1 month ago I reviewed this issue given we've removed the batch endpoint now, and I believe the suggestion Kristina made in her last comment is still relevant to the credential endpoint when it returns a batch for unlinkability so we should still make that clarification.
In section 12.6 the refresh method is described as an update mechanism "when some values have changed". What is not described is what will happen with the already issued credentials. Will they be revoked? Can the wallet send a value if the old ones should be revoked or not? Will the issuer give information about the handling when issuing the first credential?
Background of the question was the situation when I requested a batch of credentials because I want to use a dedicated JWT for each relying party to avoid linkability during the presentation. But during the issuance process I don't know how many copies I will need in the future so there could be the situation where the wallet asks the issuer for more copies of the credentials. For user experience I don't want the holder to manually start the process, both approaches are already covered by the specification.
So when my wallet is down to 5 credentials and it wants to fill up to 10 credentials again, does it have to query 5 credentials to fill it up or does it have to ask for 10 because all the old ones will be revoked (in case the issuer is supporting some kind of status management). Of course my wallet could check after the reissuance if the old ones are still valid and then start the issuer process again but now with 10 copies. But this seems to be a dirty solution to handle the problem.