Missing validation steps for verifiers

[awoie]

It is not clear what happens if the verifier encounters a credential with a status attestation method in the status field but does not receive a status attestation.

Three questions:

• Should the verifier reject a credential presentation if the wallet did not provide a status attestation?
• How does the holder know whether the verifier requires a status attestation?
• Why would a holder ever present a credential along with a revoked status attestation?

[awoie]

• Should the verifier reject a credential presentation if the wallet did not provide a status attestation?

This is especially important if the holder is not able to request a valid status attestation anymore and the credential became invalid.

[peppelinux]

A credential might have more than a single status validation mechanism. The scope of the status attestation method in the status object is the evidence that this credential - and its issuer - supports the status attestation. This enables the coesistence of status lsit and status attestation in the same credential and the use of status attestation for offline flows

If a verifier gets the status.status_attestation within a presented credential without obtaining within the vp_token a status attestation token, according to its policies, decides if the revocation check is required or not and if other revocation check mechanism are available.

Should the verifier reject a credential presentation if the wallet did not provide a status attestation?

It depends on the RP's policies.

• This is especially important if the holder is not able to request a valid status attestation anymore and the credential became invalid.

  that would be a proof that the holder unsatisfies the requirement of providing the proof that the credential is still valid. The RP behaviour depends on its policies.

How does the holder know whether the verifier requires a status attestation?

It doesn't. When the credential is issued and contains a status.status_attestation, the holder should provide in the vp_token the status attestation related to each credential supporting this. We can expand this use case as well with community contributions.

Why would a holder ever present a credential along with a revoked status attestation?

it might depend by the use cases. At the current stage the status attestation is intended for unrevoked credentials. We can expand this use case as well with community contributions.