openid / OpenID4VCI


Holder Binding definition dilemma #26

Open OIDF-automation opened 1 year ago

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1914

Original Reporter: peppelinux

Dear friends and authors, I read in the OpenID4VCI specs the definition of Holder Binding as follows

"Holder Binding: Ability of the Holder to prove legitimate possession of a Verifiable Credential."

I assume that the statement above refers to the Proof of Possession carried out by the Holder during the presentation stage, as an ability of the Holder to do so.

By contrast, when thinking about Holder Binding, the following definition comes to mind:

"characteristic or attribute of a credential, inseparable from it and resistant to tampering, which uniquely links a Verifiable Credential to the entity who requested it and of which it is the legitimate Holder"

OIDF-automation commented 1 year ago

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

I am starting to think that biometrics-based holder binding is separate from cryptographic and claim-based holder binding. With biometrics-based, there is an element of authentication, and "binding" to a physical human being that is actually using the wallet SW, while in the latter two, the verifier can only know that there is a binding to something stored using the wallet SW…

I think I am also saying that when biometrics-based holder binding is used, an authentication event (i.e. an ID Token) should be returned.

Sakurann commented 4 months ago

I would suggest changing the term Holder binding to key binding, like SD-JWT did here, and defining it as follows:

Ability of the Holder to prove legitimate possession of a Credential by proving control over the same private key during issuance and presentation. A Credential with Key Binding contains a public key, or a reference to a public key, that matches the private key controlled by the Holder.
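The key binding described in the comment above, worked through end to end as an added example (this is not code from the OpenID4VCI specification, the SD-JWT draft, or any wallet implementation). The Holder proves control of one private key twice: once to the issuer over its `c_nonce`, after which the issuer embeds the matching public key in the credential it signs, and once more to the verifier, who accepts the presentation only if the proof verifies under the key taken out of the credential. Everything concrete here is an assumption made for illustration: the credential is a plain JSON payload with an issuer signature rather than a JWT or SD-JWT, `cnf` carries the key as base64url SPKI DER rather than a JWK, the proof message is `nonce|audience` rather than a signed proof JWT, and the names `Issue`, `VerifyPresentation`, `RunKeyBindingDemo`, `issuer.example` and `verifier.example` are invented. The nonces are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// claims is the credential payload; cnf (SPKI DER, base64url; SD-JWT uses a JWK) key-binds it.
type claims struct {
	Iss string `json:"iss"`
	Cnf string `json:"cnf"`
}

// Credential is an issuer-signed payload, a stand-in for a JWT or SD-JWT.
type Credential struct {
	Payload   []byte // JSON claims
	IssuerSig []byte // ECDSA P-256, ASN.1 DER, over SHA-256(Payload)
}

func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// proofMessage is what the Holder signs to prove key control: the relying party's fresh
// nonce plus its identifier, so a proof cannot be replayed elsewhere. Assumed format.
func proofMessage(nonce, audience string) []byte {
	return []byte(nonce + "|" + audience)
}

// Issue is the issuer side: verify the Holder's proof over c_nonce with the
// key it presented, then embed that same key in the credential being signed.
func Issue(issuer *ecdsa.PrivateKey, issuerID, cNonce string, holderPub *ecdsa.PublicKey, proof []byte) (Credential, error) {
	if !verify(holderPub, proofMessage(cNonce, issuerID), proof) {
		return Credential{}, errors.New("issuance proof of possession failed")
	}
	der, _ := x509.MarshalPKIXPublicKey(holderPub) // cannot fail for a valid P-256 key
	payload, _ := json.Marshal(claims{Iss: issuerID, Cnf: base64.RawURLEncoding.EncodeToString(der)})
	sig, err := sign(issuer, payload)
	return Credential{Payload: payload, IssuerSig: sig}, err
}

// VerifyPresentation is the verifier side: check the issuer signature, take the cnf key
// out of the credential, and accept the proof only under that key and no other.
func VerifyPresentation(issuerPub *ecdsa.PublicKey, cred Credential, verifierID, nonce string, proof []byte) error {
	if !verify(issuerPub, cred.Payload, cred.IssuerSig) {
		return errors.New("issuer signature invalid or payload tampered")
	}
	var c claims
	if err := json.Unmarshal(cred.Payload, &c); err != nil {
		return err
	}
	der, decErr := base64.RawURLEncoding.DecodeString(c.Cnf)
	key, parseErr := x509.ParsePKIXPublicKey(der)
	bound, ok := key.(*ecdsa.PublicKey)
	if decErr != nil || parseErr != nil || !ok {
		return errors.New("cnf is not a parseable EC public key")
	}
	if !verify(bound, proofMessage(nonce, verifierID), proof) {
		return errors.New("key binding failed: presenter does not control the cnf key")
	}
	return nil
}

// RunKeyBindingDemo reports whether the legitimate Holder was accepted and
// whether a copy of the credential presented with another key was rejected.
func RunKeyBindingDemo() (holderAccepted, copyRejected bool, err error) {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	holder, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const issuerID, verifierID = "https://issuer.example", "https://verifier.example"
	cNonce, vNonce := "c_nonce-7f3a", "nonce-91c2" // constructed; fresh per request in practice
	p0, _ := sign(holder, proofMessage(cNonce, issuerID))
	cred, err := Issue(issuer, issuerID, cNonce, &holder.PublicKey, p0)
	if err != nil {
		return false, false, err
	}
	p1, _ := sign(holder, proofMessage(vNonce, verifierID))
	holderAccepted = VerifyPresentation(&issuer.PublicKey, cred, verifierID, vNonce, p1) == nil
	p2, _ := sign(other, proofMessage(vNonce, verifierID)) // same credential bytes, different key
	copyRejected = VerifyPresentation(&issuer.PublicKey, cred, verifierID, vNonce, p2) != nil
	return holderAccepted, copyRejected, nil
}

func main() {
	fmt.Println(RunKeyBindingDemo())
}
```

The second presentation in the demo is the case the definition is meant to rule out: the credential bytes are genuine and the issuer signature still verifies, but the presenter signs the verifier's nonce with a key that is not the one in `cnf`, so the verifier rejects it. Note that this establishes control of a key stored by the wallet software, which is the distinction drawn earlier in the thread between cryptographic key binding and biometric binding to the physical person.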