search

w3c / vc-bitstring-status-list

A privacy-preserving mechanism to publish status information for Verifiable Credentials.
https://w3c.github.io/vc-bitstring-status-list/
Other
22 stars 19 forks source link

Add examples for multiple status lists and multiple entries in a single status list #122

Closed msporny closed 8 months ago

msporny commented 9 months ago

This PR is an attempt at addressing some comments in issue #73 by adding examples for multiple status lists and multiple entries in a single status list.

Note: This PR contains a normative change to support the last example with multiple status types stored in a single list. It also has an at-risk marker for the feature as the more I wrote about the feature, the less of a benefit there seemed to be. The strongest benefit seems to be a privacy argument (if you mix in multiple statuses in a single list, and the bits for each status don't sit beside one another, it's hard to tell which type of status bit is being flipped to an outside observer -- which improves the privacy characteristics of the list).

Preview | Diff

msporny commented 9 months ago

@KDean-GS1 wrote:

I see no reason for having multiple status lists; I'm hard-pressed to imagine a scenario where a verifier would be interested in "this" status but not "that" status. I'm sure such a scenario exists, but it's probably in a very small minority.

Here's a fairly significant set of use cases that care about revocation, but probably don't care about suspension: using any government issued identification card to verify:

IOW, just because the document is suspended (but not revoked) probably doesn't affect the claims above. This can be true for a variety of other document types as well.

I'm offering this as a counter-point, not arguing for any particular direction on this PR.

KDean-GS1 commented 8 months ago

@KDean-GS1 wrote:

I see no reason for having multiple status lists; I'm hard-pressed to imagine a scenario where a verifier would be interested in "this" status but not "that" status. I'm sure such a scenario exists, but it's probably in a very small minority.

Here's a fairly significant set of use cases that care about revocation, but probably don't care about suspension: using any government issued identification card to verify:

  • name
  • birthday
  • gender
  • country of domicile
  • current address
  • height
  • weight
  • biometric photo
  • sight restrictions

IOW, just because the document is suspended (but not revoked) probably doesn't affect the claims above. This can be true for a variety of other document types as well.

I'm offering this as a counter-point, not arguing for any particular direction on this PR.

I'm not sold on that. If the government has suspended an identification credential, it could be because they are investigating the holder for some fraudulent declaration. For example, Toronto, Ontario has a law requiring that short-term renters (e.g., via Airbnb) reside at the address they're renting out, and proving it via a driver's license. This has led to families with multiple properties having individuals within the family each declare a property as their primary residence and reflecting it on their driver's license. If the government believes that the address declarations are fraudulent, they could suspend the credentials pending proper proof of residency.

Basically, unless specific use case rules say otherwise, any credential that with a status other than "active" should be treated at least as suspect. I think the process should be as follows: check the status, and once the status is known, whatever it might be, then and only then apply the validation rules.

TallTed commented 8 months ago

I think the process should be as follows: check the status, and once the status is known, whatever it might be, then and only then apply the validation rules.

That would be dictating business logic, which is beyond our purview.

I think we can legitimately say that Verifiers SHOULD check the status, but we cannot say that they MUST nor SHOULD do anything based on the result.

KDean-GS1 commented 8 months ago

That would be dictating business logic, which is beyond our purview.

Agreed. This is more about a generic approach; I can't imagine building a library that would selectively ignore any status instead of "get everything and pass it to the caller to figure out".

I think we can legitimately say that Verifiers SHOULD check the status, but we cannot say that they MUST nor SHOULD do anything based on the result.

Definitely.

msporny commented 8 months ago

Editorial, multiple reviews, changes requested and made, no objections, merging.