w3c / vc-di-ecdsa

Data Integrity specification for ECDSA using NIST-compliant curves
https://w3c.github.io/vc-di-ecdsa/

Add pointers back to Data Integrity Privacy and Security Considerations sections #33

Closed msporny closed 10 months ago

msporny commented 10 months ago

This PR attempts to address issue #29, raised by the PING and security review, by pointing back to the Data Integrity Security and Privacy Considerations section.

/cc @kdenhartog



msporny commented 10 months ago

Can we reference the vc-data-model spec as well? There are additional points in there that are worth considering in here and it may (if the WG is fine with listing once in data model spec) reduce the number of considerations that need to be redundantly placed across all specs related to the same problems.

This specification (and soon, all of the cryptosuite specifications) asks the reader to consider the Security and Privacy consideration sections in the Data Integrity specification, which then asks the reader to consider the Security and Privacy consideration sections in the Verifiable Credentials specification. While we /could/ repeat the same language that's in the Data Integrity specification (that tells the reader to consider the Security and Privacy Considerations for VCs), we'd be duplicating guidance (with, arguably, not much more of an effect).

So, in the name of reducing the duplication of guidance, I'm suggesting that just pointing back to the DI spec, which points back to the VC spec, is enough. If you feel strongly about duplicating the guidance, we can raise another PR that copy-pastes the text from the DI spec into each cryptosuite spec.

msporny commented 10 months ago

Editorial, multiple reviews, changes requested and made, justification provided for not making one change, no objections, merging.