openwallet-foundation / credo-ts

Typescript framework for building decentralized identity and verifiable credential solutions
https://credo.js.org
Apache License 2.0

AFJ should favour non-revoked credentials for proof requests #1223

Closed jleach closed 1 year ago

jleach commented 1 year ago

I'm proposing that, when doing a proof, if there are both revoked and non-revoked credentials, AFJ should favour the non-revoked credential over those that are revoked. To resolve this AFJ could:

a) If the schema is the same only return non-revoked matches; or
b) If all results must be returned, sort the revoked credentials to be first so they are preferred.

Proposed API:

const credentials = await agent.proofs.getRequestedCredentialsForProofRequest({
  proofRecordId: proof.id,
  config: {
    filterByNonRevocationRequirements: false,
    orderByRevocationState: true, // puts non-revoked credentials first.
  },
})

This is the data from credentials.proofFormats.indy?.requestedAttributes:

{
  "0_name_uuid": [
    {
      "credentialId": "02a8dab3-8aa1-4359-bce3-ad55df671d81",
      "timestamp": 1674164220,
      "revealed": true,
      "credentialInfo": {
        "referent": "02a8dab3-8aa1-4359-bce3-ad55df671d81",
        "attrs": {
          "date": "2018-05-28",
          "timestamp": "1674163727",
          "degree": "Maths",
          "name": "Alice Smith",
          "birthdate_dateint": "19990119"
        },
        "schema_id": "79qrgFraLp5HTghZrhgiwk:2:degree schema:6.19.76",
        "cred_def_id": "79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema",
        "rev_reg_id": "79qrgFraLp5HTghZrhgiwk:4:79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema:CL_ACCUM:f57dd359-9b7d-4084-b2ce-c6a16ff7e03c",
        "cred_rev_id": "1"
      },
      "revoked": true
    },
    {
      "credentialId": "5530234b-d491-43fb-8484-903ebc9e4e8f",
      "timestamp": 1674164220,
      "revealed": true,
      "credentialInfo": {
        "referent": "5530234b-d491-43fb-8484-903ebc9e4e8f",
        "attrs": {
          "birthdate_dateint": "19990119",
          "timestamp": "1674163933",
          "degree": "Maths",
          "name": "Alice Smith",
          "date": "2018-05-28"
        },
        "schema_id": "79qrgFraLp5HTghZrhgiwk:2:degree schema:6.19.76",
        "cred_def_id": "79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema",
        "rev_reg_id": "79qrgFraLp5HTghZrhgiwk:4:79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema:CL_ACCUM:f57dd359-9b7d-4084-b2ce-c6a16ff7e03c",
        "cred_rev_id": "2"
      },
      "revoked": false
    }
  ],
  "0_date_uuid": [
    {
      "credentialId": "02a8dab3-8aa1-4359-bce3-ad55df671d81",
      "timestamp": 1674164220,
      "revealed": true,
      "credentialInfo": {
        "referent": "02a8dab3-8aa1-4359-bce3-ad55df671d81",
        "attrs": {
          "date": "2018-05-28",
          "birthdate_dateint": "19990119",
          "name": "Alice Smith",
          "timestamp": "1674163727",
          "degree": "Maths"
        },
        "schema_id": "79qrgFraLp5HTghZrhgiwk:2:degree schema:6.19.76",
        "cred_def_id": "79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema",
        "rev_reg_id": "79qrgFraLp5HTghZrhgiwk:4:79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema:CL_ACCUM:f57dd359-9b7d-4084-b2ce-c6a16ff7e03c",
        "cred_rev_id": "1"
      },
      "revoked": true
    },
    {
      "credentialId": "5530234b-d491-43fb-8484-903ebc9e4e8f",
      "timestamp": 1674164220,
      "revealed": true,
      "credentialInfo": {
        "referent": "5530234b-d491-43fb-8484-903ebc9e4e8f",
        "attrs": {
          "degree": "Maths",
          "date": "2018-05-28",
          "name": "Alice Smith",
          "birthdate_dateint": "19990119",
          "timestamp": "1674163933"
        },
        "schema_id": "79qrgFraLp5HTghZrhgiwk:2:degree schema:6.19.76",
        "cred_def_id": "79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema",
        "rev_reg_id": "79qrgFraLp5HTghZrhgiwk:4:79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema:CL_ACCUM:f57dd359-9b7d-4084-b2ce-c6a16ff7e03c",
        "cred_rev_id": "2"
      },
      "revoked": false
    }
  ],
  "0_degree_uuid": [
    {
      "credentialId": "02a8dab3-8aa1-4359-bce3-ad55df671d81",
      "timestamp": 1674164220,
      "revealed": true,
      "credentialInfo": {
        "referent": "02a8dab3-8aa1-4359-bce3-ad55df671d81",
        "attrs": {
          "birthdate_dateint": "19990119",
          "date": "2018-05-28",
          "timestamp": "1674163727",
          "degree": "Maths",
          "name": "Alice Smith"
        },
        "schema_id": "79qrgFraLp5HTghZrhgiwk:2:degree schema:6.19.76",
        "cred_def_id": "79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema",
        "rev_reg_id": "79qrgFraLp5HTghZrhgiwk:4:79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema:CL_ACCUM:f57dd359-9b7d-4084-b2ce-c6a16ff7e03c",
        "cred_rev_id": "1"
      },
      "revoked": true
    },
    {
      "credentialId": "5530234b-d491-43fb-8484-903ebc9e4e8f",
      "timestamp": 1674164220,
      "revealed": true,
      "credentialInfo": {
        "referent": "5530234b-d491-43fb-8484-903ebc9e4e8f",
        "attrs": {
          "name": "Alice Smith",
          "date": "2018-05-28",
          "degree": "Maths",
          "timestamp": "1674163933",
          "birthdate_dateint": "19990119"
        },
        "schema_id": "79qrgFraLp5HTghZrhgiwk:2:degree schema:6.19.76",
        "cred_def_id": "79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema",
        "rev_reg_id": "79qrgFraLp5HTghZrhgiwk:4:79qrgFraLp5HTghZrhgiwk:3:CL:660901:faber.agent.degree_schema:CL_ACCUM:f57dd359-9b7d-4084-b2ce-c6a16ff7e03c",
        "cred_rev_id": "2"
      },
      "revoked": false
    }
  ]
}

This is what the Bifold UI looks like:

Actual Behaviour

Here are the 3 credentials displayed in the Aries Bifold wallet in the order of them being received:

[Image: IMG_E6212754F52C-1]

This is what a proof match looks like for said credential. The proof does not specify any requirement on revocation status:

[Image: IMG_66F7ECDA12F4-1]

Expected Behaviour

If all credentials are equal, the non-revoked credential should be favoured above those that are revoked.

TimoGlastra commented 1 year ago

Yep makes sense! However, in this case the revoked credentials are just as usable as the non-revoked credentials.

Maybe the UI should not show Revoked in red in the overview if it doesn't matter? Sometimes it's okay it is revoked (e.g. prove you are or ever were a member of our gym).

jleach commented 1 year ago

We ask AFJ for revoked credentials even if they don't work because we want to show the user why the proof failed. Showing them they don't have a cred to make a proof work doesn't help them fix the problem.
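
A sketch of the ordering discussed in this thread, as an added example that is not code from credo-ts or from the participants: every candidate is kept so revoked credentials can still be shown, but non-revoked ones are moved to the front of each referent's list. The helpers `orderByRevocationState` (here a standalone function, not the proposed config option) and `referentsWithOnlyRevoked` are hypothetical, and treating a missing `revoked` flag as "status not checked" is an assumption.

```typescript
// Shape of one candidate, reduced to the fields used here (taken from the JSON in the issue).
interface Candidate {
  credentialId: string
  revoked?: boolean // assumption: undefined means revocation status was not checked
}

type CandidatesByReferent = Record<string, Candidate[]>

// Assumed ranking: non-revoked first, unknown status next, revoked last.
function revocationRank(c: Candidate): number {
  if (c.revoked === false) return 0
  if (c.revoked === undefined) return 1
  return 2
}

// Hypothetical helper (not a credo-ts API): reorders every candidate list without
// dropping anything, so revoked credentials stay available for display.
function orderByRevocationState(input: CandidatesByReferent): CandidatesByReferent {
  const out: CandidatesByReferent = {}
  for (const referent of Object.keys(input)) {
    out[referent] = (input[referent] ?? [])
      .map((candidate, index) => ({ candidate, index }))
      // The index tie-break keeps the wallet's original order within one rank.
      .sort((a, b) => revocationRank(a.candidate) - revocationRank(b.candidate) || a.index - b.index)
      .map((entry) => entry.candidate)
  }
  return out
}

// Referents whose best candidate is still revoked: the ones a UI would flag up front.
function referentsWithOnlyRevoked(ordered: CandidatesByReferent): string[] {
  return Object.keys(ordered).filter((r) => ordered[r]?.[0]?.revoked === true)
}

// Constructed sample: credential ids from the issue, plus one made-up referent.
const sample: CandidatesByReferent = {
  '0_name_uuid': [
    { credentialId: '02a8dab3-8aa1-4359-bce3-ad55df671d81', revoked: true },
    { credentialId: '5530234b-d491-43fb-8484-903ebc9e4e8f', revoked: false },
  ],
  '0_constructed_uuid': [{ credentialId: 'constructed-id-1', revoked: true }],
}

const ordered = orderByRevocationState(sample)
console.log((ordered['0_name_uuid'] ?? []).map((c) => c.credentialId), referentsWithOnlyRevoked(ordered))
```
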