msporny
commented
8 months ago I'll mark ttl as at risk for now given the logical inconsistency w/ ttl and validUntil described above.
Closed dlongley closed 8 months ago
msporny
commented
8 months ago I'll mark ttl as at risk for now given the logical inconsistency w/ ttl and validUntil described above.
dlongley
commented
8 months ago +1 to marking at risk -- and I'd say the at risk marker isn't about whether there are two or more implementations (which would be required of course), but because we might decide it's danger / problematic and remove it for that reason. In other words, this particular issue isn't just about implementation support, it could be a bad idea to specify it.
msporny
commented
8 months ago PR #128 has been raised to address this issue. This issue will be closed once PR #128 has been merged.
iherman
commented
8 months ago The issue was discussed in a meeting on 2024-01-16
msporny
commented
8 months ago PR #128 has been merged, closing.
The
ttlproperty seems to be ineffective, could lead to confusion (false expectations), and might be a layering violation. I suggest we remove it and note that other mechanisms could be used to achieve TTL-related use cases such as HTTP caching headers.See: https://github.com/w3c/vc-bitstring-status-list/issues/73#issuecomment-1607874866 :
My understanding is that the goal of
ttlis to enable issuers to avoid having to reissue status list VCs more frequently. If I understand the aim here, I don't think it actually works in practice.If you sign a VC with a
validUntilof sometime "next year" and a TTL of 5 minutes, you are indicating that some verifier somewhere may accept whatever was in that VC (with your signature on it) anytime between when that VC was first accessible and "next year". The TTL doesn't change that; it isn't helpful in this regard and there is no reason why the verifier couldn't just ignore it.Additionally, consider one of the use cases for
StatusList2021, where a holder fetches a status list VC and presents it along with whatever other VC is in the list it describes (in order to avoid having the verifier even contact the issuer at all). That holder can completely ignore the TTL and the verifier will be receiving it "within the TTL" when the holder presents it. There's no signature over when the holder requested it that could be checked, etc. Even if there were -- this would upend the goal ofttlby requiring more frequent signatures again.In this scenario, an issuer might be thinking that if they always set a
ttlof 5 minutes in their status list VCs then they will only have to wait 5 minutes after they publish a new status list VC to ensure it's the one all the verifiers use. They would be mistaken. This is based on an erroneous understanding of the meaning of the data and how the data and the various decentralized systems interacting with it are partitioned.So, right now, I don't think
ttlachieves its goal and therefore ends up adding both unnecessary complexity and a potential violation of expectations.An issuer should instead decide on a validity period they are willing to commit to (maybe it's 5 minutes, maybe 15 -- maybe 24 hours -- maybe more, their call) and reissue the status list VC with an updated
validUntileither on demand or on schedule. Then a verifier just checksvalidUntilper usual and can safely cache the status list VC as long as it's valid.So, as an issuer, if you want to allow your status list VCs to expire every 5 minutes, issue a new one if any VC status changes (understanding that the status won't be consistent until after the old status list VC expires) and auto-reissue when a status list VC is requested if it has expired, bumping
validUntil5 minutes into the future each time.