openid / OpenID4VP


Clarification on the Definition of "Holder" #225

Open peppelinux opened 3 months ago

peppelinux commented 3 months ago

The current definition of "Holder" in the OpenID4VP specifications states:

Holder: An entity that receives Verifiable Credentials and has control over them to present them to the Verifiers as Verifiable Presentations.

This definition, while succinct, lacks clarity on the technical aspects of who or what constitutes a "Holder" in practical scenarios, especially when considering the interaction between the user and their digital wallet.

Points for Clarification:

1. User vs. User+Wallet as Holder
2. Role of the Wallet
3. Combined Entity as Holder

Suggested Revision

To address these points, I propose revising the definition of "Holder" to better articulate the relationship and roles of the user and the wallet. The revised definition could read:

Holder: A combined entity, typically consisting of a user and their digital wallet, that receives Verifiable Credentials and has control over them. This entity is responsible for managing and presenting the credentials to Verifiers as Verifiable Presentations. While the user is the administrative owner of the credentials, the wallet provides the necessary technical support to store, manage, and present the credentials effectively.

This whole issue description can be summarized with the question: "Really, who is the Holder?"

TallTed commented 3 months ago

Note that a VC may be carried as printed material (e.g., a barcode). In other words, a VC does not need to be digital, nor does holding it require the use of a digital wallet.

TomCJones commented 3 months ago

A QR code is digital no matter the medium. Here are the terms in other specs. I would not try to change word definitions to match some protocol, but how it really works in the real world.

- Guardian = a human or role that has statutory capability to control access to the subject's credentials and other data. (See below)
- Holder = the person who has control of the phone and of access to the wallet and credentials on the wallet.
- Subject = the identified person (or persona) that the credential is issued to, maybe the Holder or another User as well.
- User = In this report the user can be any of the Holder, Verifier agent, Subject or other person in authorized possession of the Phone to complete the consent process.
- Verifier = the entity that receives and determines if the subject attribute data is sufficient.
- Wallet = code running on the phone that will protect PII or authentication secrets and can collect consent and register accesses.

patatoid commented 2 months ago

I agree with @peppelinux for the clarification about the entity. Note that the change may be reflected in oid4vci which has the same definition in the terminology section https://github.com/openid/OpenID4VCI/blob/main/openid-4-verifiable-credential-issuance-1_0.md#terminology