w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/

Model all assertions exchanged within the APIs as Verifiable Credentials #49

Closed timcappalli closed 6 months ago

timcappalli commented 3 years ago

If we are transferring verifiable assertions from one party to another, we should do so via existing standardized signed assertion formats.

The most fitting format being the Verifiable Credentials data model: Verifiable Credentials Data Model 1.0 (w3.org)

samuelgoto commented 3 years ago

I haven't yet formed any opinion on verifiable credentials, but agreed that it seems relevant.

My mental model is to reuse as much as possible and to optimize for deployment backwards compatibility, so I have been looking primarily at JWTs as a signed assertion of identification.

I don't have any opinions on VCs right now either way, but just wanted to acknowledge them but also be transparent that we believe we have bigger fish to fry at the moment (product market fit, sequencing strategies and technical devices) so we haven't gotten to "what formats to use" quite yet.

samuelgoto commented 6 months ago

We settled on the result from the IdP to be entirely opaque to the browser as a token String, so that the IdP can choose whatever encoding/format that it desires without asking for the browser to be changed.

For example, if IdPs choose to model all assertions as Verifiable Credentials, they can do so without asking the browser for permission.

I think we can mark this as resolved with that, but feel free to reopen if you believe there is anything else that's actionable here.
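What the resolution above means for a relying party, as an added example that is not part of the thread or of the FedCM project's code: because the browser passes the token through as an opaque string, signature and format checks are the RP's job. It assumes the IdP issues a compact ES256 JWT, optionally carrying a `vc` claim (the JWT encoding of a Verifiable Credential); `issueToken`, `verifyToken`, `tampered` and `https://idp.example` are hypothetical names and constructed sample data.

```javascript
// Added example: RP-side handling of the opaque FedCM token string.
const crypto = require("crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");

// Constructed stand-in for the IdP: signs claims as a compact ES256 JWS.
function issueToken(claims, privateKey) {
  const head = b64u(JSON.stringify({ alg: "ES256", typ: "JWT" }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`),
    { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${head}.${body}.${b64u(sig)}`;
}

// RP side: verify the signature first, then decide what the IdP sent.
function verifyToken(token, publicKey) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
  // Pin the expected algorithm; do not let the token choose it.
  if (header.alg !== "ES256") throw new Error("unexpected alg");
  const ok = crypto.verify("sha256", Buffer.from(`${head}.${body}`),
    { key: publicKey, dsaEncoding: "ieee-p1363" }, Buffer.from(sig, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  // A "vc" claim marks the JWT encoding of a Verifiable Credential.
  const format = claims.vc && typeof claims.vc === "object" ? "vc-jwt" : "jwt";
  return { format, claims };
}

// Constructed sample data (not from the thread).
const { publicKey, privateKey } =
  crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const plainToken = issueToken({ iss: "https://idp.example", sub: "user-123" }, privateKey);
const vcToken = issueToken({
  iss: "https://idp.example", sub: "user-123",
  vc: { "@context": ["https://www.w3.org/2018/credentials/v1"],
        type: ["VerifiableCredential"], credentialSubject: { id: "user-123" } },
}, privateKey);

// Swaps the payload while keeping the original signature (must be rejected).
function tampered(token) {
  const [h, , s] = token.split(".");
  return `${h}.${b64u(JSON.stringify({ iss: "https://idp.example", sub: "admin" }))}.${s}`;
}
```

In a page using FedCM, the string passed to `verifyToken` would be the `token` the browser returns to the RP, sent to the RP's server for this check.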