Closed filip26 closed 6 months ago
Truth is the wrong word.
Validity is about the time interval for which the issuer wants verifiers to understand it's claims as applying to the subject.
we do have a definition for validation https://w3c.github.io/vc-data-model/#dfn-credential-validation
There is no clear indication between the relationship between validation and validity period.
Specifically, the latter section says:
This specification defines the validFrom property to help an issuer to express the date and time when a credential becomes valid
Perhaps we should explicitly state what "becomes valid" means in relation to the validation process as defined in the terminology. My proposal would be something along the lines of: "When validFrom
is present, any validation process MUST include a check with respect to the current time, and evaluates the verifiable credential as not valid."
Perhaps we should explicitly state what "becomes valid" means in relation to the validation process as defined in the terminology. My proposal would be something along the lines of: "When
validFrom
is present, any validation process MUST include a check with respect to the current time, and evaluates the verifiable credential as not valid."
I think the argument here is that an issuer
can indicate when they intend a credential will become valid using validFrom
, but a verifier is free to ignore that.
There are at least two possible ways to define semantics of the validity period.
The validity period says nothing about the claims and the subject as it applies to the VC as whole. validUntil
is then simply revocation of the credential. An example is @OR13 's definition and v1.1 interpretation. This approach is well adopted by SSL certificates.
The validity period specifies limits/duration in which claims attributed to a subject are truthful/verified. validUntil
does not represent a credential revocation but just states a fact that after the date the claims are not truthful/verified by the issuer, that in fact can have the same effect as revocation but semantically it adds a value because it says something about the claims.
Generally, In order to issue a credential an issuer must "verify" that claims are truthful, somehow. e.g. by checking physical evidence, or an internal registry, etc. So there is some truth being said about the claims by an issuer. (not saying truth[ful] is the right word).
I prefer the second option, make the validity period a statement about claims and subject instead of the credential as whole. Silently expecting we can revoke a credential (btw. what is the reason to revoke a credential - except compromised issuer's private key - when validity period is related to claims?) with status lists.
Perhaps we should explicitly state what "becomes valid" means in relation to the validation process as defined in the terminology. My proposal would be something along the lines of: "When
validFrom
is present, any validation process MUST include a check with respect to the current time, and evaluates the verifiable credential as not valid."I think the argument here is that an
issuer
can indicate when they intend a credential will become valid usingvalidFrom
, but a verifier is free to ignore that.
It wasn't clear to me that was the intention of the spec. Should that be clarified? Or is it implicit?
My take is that the validFrom is necessarily a framing of when this particular Verifiable Credential is valid. It is a way to bound the intention of the issuer to a particular transitory period.
The verifier, of course, can ignore that for appropriate use cases--because they get to decide the rules of validity--but they do so on their own authority. For example, does an expired driver's license constitute legitimate proof of age or height? Maybe. Depends on your business rules.
Whether or not any of the claims within the VC should be treated as transitory is a different matter. A VC issued by CADMV may assert claims including that "Joe is 5'8" and 210lbs" among other things. That same VC has a validFrom date, which describes when this particular VC should be considered valid. However, that validFrom is NOT about the claims in that VC, it's about the VC. That is, the individual claim that Joe is 210lbs is not bound by that validFrom boundary. Nobody is saying that claim is invalid until that date. What the issuer is saying is that the VC, take as a whole, has an expected boundary of validity.
That said, we do still need better language on verification and validity. The difference is far too much nuance for most to grasp as currently presented.
I agree that we need better language. Personally, I think the problem is that we're using the language "a credential is valid", and at the same time we're saying "the validation process depends on business logic". How can you make an assertion about the outcome of a process, if you aren't standardizing the process itself?
I have a possible rephrasing, without knowing what the original intention of the term validFrom
was. So it might change the semantics of the property a bit. Proposal below.
Let's change validFrom
in favor of verifiableFrom
. Since the VC spec does describe what the verification does, I believe that it becomes clear that the verification process has to fail when the date is before the verifiableFrom
date.
The definition would have an impact on
Thank you all for the proposals and comments proving the need.
Can we focus this issue on changes to https://w3c.github.io/vc-data-model/#validity-period
Or should I mark as discussion?
The issue was discussed in a meeting on 2023-07-19
Thinking about it more, there is a possible privacy risk connected to validFrom
, when used naively. Perhaps, validFrom
should be dropped to avoid misuse and privacy issues.
validFrom
can easily reveal private information that is not part of the VC or is under selective disclosure.
An example could be overAge
VC, but it can be generalized to any VC whose validity depends on date related to a subject. In the case of overAge
presence of validFrom
can reveal:
validFrom
is presentBut since validFrom
is optional, there is no inherent privacy risk in the data model. This property does not need to be present in an overAge
VC. All the verifier needs to know is that the VC is currently valid, which is provided by the validity period of the proof property (and not from the validity period of the credential, which can be absent).
From today's call:
JoeAndrieu: I think this is still tied up in the ambiguity around what should be in verification vs. validation. I don't know what to do with this issue ... that lingering delineation, I don't remember where the conversation is in github around this but there was some movement and I think I was convinced that other things that should be in verification weren't.
manu: I think Dave Longley had a good proposal somewhere on the Internet. Things can happen during verification that an extract information that can be used in a validation phase.
manu: There are things that are clearly in verification like checking the proofs.
manu: Then there are other things that can happen like checking the signature on a status list -- but the information in that list -- is up to the validation phase to use.
manu: We can still talk about these things ... getting the authentic information during verification and then handing it off for validation seems like it...
Also, from TallTed: as I recall, the key bit relevant to 1176 is that Verification is crypto/technological which we can specify, while Validation is business logic which we cannot specify.
The issue was discussed in a meeting on 2024-01-24
The issue was discussed in a meeting on 2024-02-28
The issue was discussed in a meeting on 2024-03-06
When I raised the issue I hoped that there would be easy to get consensus on a few recommendations on how the validity should/must not be interpreted. Given the state of the issue, I'm closing it. Thank you all for your contribution.
In my understanding a credential validity determines time range in which claims attributed to a subject are truthful. If validity is not specified then the statements are truthful with no regard on time.
Please note
validFrom
property is optional as well asvalidUntil
.Clear definition could prevent confusion and help with proper use. See issue #965