Status list credential issuer validation

[clehner]

Is a StatusList2021Credential expected to be issued by the issuer of the verifiable credentials whose revocation status it encodes?

[mprorock]

yes

[longpd]

Who else has the knowledge to do that but the issuer?

[Sakurann]

if issuer is part of a trust framework or a federation, there might be one list for multiple issuers? (though maintaining that might be a nightmare)

[Sakurann]

One sentence that it might or might not match might be helpful/all we can do.

something like what we added in openid4vci spec when we had a similar question: "Depending on the Credential format, the issuer identifier in the issued Credential is not always a URL using the https scheme. Some other forms that it can take are a DID included in the issuer property in a [@VC_DATA] format, or the Subject value of the document signer certificate included in the x5chain element in a [@ISO.18013-5] format."

and it is up to the verifer/holder/issuer trust model to decide whether to check if it is the same or not.

[mprorock]

yes

to elaborate: a lot is possible, but the intention is that typically the issuer would be the one issuing the status list, even if that is a delegated responsibility

[iherman]

The issue was discussed in a meeting on 2023-01-31

• no resolutions were taken

View the transcript

#### 2.3. Status list credential issuer validation (issue vc-status-list-2021#7) _See github issue [vc-status-list-2021#7](https://github.com/w3c/vc-status-list-2021/issues/7)._ **Brent Zundel:** is status list 2021 expected to be issued by the same issuer as the credential. > *Michael Prorock:* 3rd party stuff could get interesting. **Orie Steele:** as far as I know, the answer is "yes", but there are "hierarchy" concerns -- is the global company the same as the sub-company? Does it have to be with the same keys? I don't know the specific guidance on this, but errors would be thrown if the issuer is not matching. Looking for clear guidance on issuer, keys, etc. being the same vs. different.. > *Kristina Yasuda:* also filed: [https://github.com/w3c/vc-status-list-2021/issues/49](https://github.com/w3c/vc-status-list-2021/issues/49). **Brent Zundel:** the setup is that the issuer has issued a vc and the issuer has indicated where a verifier can retrieve the credential.... does it matter?... can an issuer delegate revocation authority?. > *Michael Prorock:* question is "expected to be" not, what are all the crazy things we can do. **Manu Sporny:** +1 to yes... the answer is yes in general. > *Kristina Yasuda:* One sentence that it might or might not match might be helpful. > *Kristina Yasuda:* we had the same question in openid4vci spec: "Depending on the Credential format, the issuer identifier in the issued Credential is not always a URL using the `https` scheme. Some other forms that it can take are a DID included in the `issuer` property in a [VC_DATA] format, or the `Subject` value of the document signer certificate included in the `x5chain` element in a [ISO.18013-5] format.". **Manu Sporny:** its true, there are questions about hierarchy and global company vs local companies..... … and it may be bad for us to be overly strict in this regard. … I think what brent said is most telling, the issuer intended to point to where they sent you... you should probably trust the original issuer first.. … the original issuer, should be able to delegate. … it would be straight forward for us to say the issuer should be the same for both. … its probably better to just require both to be verified, and leave the choice to the issuer. **Phil ASU:** in the k12 space, highschool vs districts use case seems relevant.... … we have seen issues where there can be governance issues here. > *Michael Prorock:* +1 Phil we are looking more at business rules and not closing those things off. **Kristina Yasuda:** can we say the issuer may or may not match. … we did something similar in another spec. > *Manu Sporny:* +1 kristina. > *Michael Prorock:* +1. > *Orie Steele:* +1 kristina.

[msporny]

PR #103 has been raised to address this issue. This issue will be closed once PR #103 has been merged.

[msporny]

PR #103 has been merged, closing.