Open RieksJ opened 1 year ago
@RieksJ This request option presents potential problems with regard to spam and DDoS. We can consistently expect VC flows to be initiated by the holder, so that the holder remains in control of which VCs are issued or shared. A requirement to receive requests could be construed to imply that requests can be from arbitrary verifiers and queued for a response from the holder. However, we almost certainly do not want wallets to expose an arbitrary public interface that any self-proclaimed verifier could use to submit spurious or malicious requests.
Perhaps:
Holders must be able to initiate a flow of interactions that enables verifiers to request specific types of credentials.
Importantly, this is not a requirement for a passive "inbox" but rather a way for a holder-initiated action to trigger a request that they can then respond to.
Requirement: It MUST be possible for a holder to receive requests for one or more claims (from particular kinds of credentials), and subsequently process such requests and create responses thereto.
Motivation: Since verifiers are expected to need different claims from different credentials from different issuers, and construct a request for that (#139), holders must be enabled to retrieve claims that the verifier requests, but perhaps also to send a request to designated issuers to obtain claims/credentials if they are not yet available from the holder's credential repository.
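One way to reconcile the requirement with the spam/DDoS concern raised in the comment, as an added sketch that is not part of the original issue or of any project's code: the wallet accepts a verifier's request only inside a short-lived, single-use session that the holder opened. The class, method names, session TTL and `did:example:` identifiers are hypothetical, and authenticating the verifier identifier itself is assumed to happen elsewhere.

```python
import secrets
import time


class HolderWallet:
    """Hypothetical wallet: requests are accepted only in holder-initiated sessions."""

    def __init__(self, session_ttl=120, clock=time.monotonic):
        self._ttl = session_ttl          # seconds a session stays open (assumed value)
        self._clock = clock
        self._sessions = {}              # session_id -> (verifier_id, expiry)

    def initiate_flow(self, verifier_id):
        """Holder action: open a session for one verifier and return its id.

        The id would be handed to that verifier out of band (e.g. in a QR code).
        """
        session_id = secrets.token_urlsafe(32)   # unguessable, 256 bits
        self._sessions[session_id] = (verifier_id, self._clock() + self._ttl)
        return session_id

    def receive_request(self, session_id, verifier_id, requested_claims):
        """Return the request for holder review, or None if it was not solicited.

        Unsolicited requests are dropped rather than queued, so there is no
        passive inbox that a self-proclaimed verifier could flood.
        """
        session = self._sessions.pop(session_id, None)   # single use: no replay
        if session is None:
            return None
        expected_verifier, expiry = session
        if self._clock() > expiry:
            return None
        if expected_verifier != verifier_id:
            return None
        return {"verifier": verifier_id, "claims": list(requested_claims)}


if __name__ == "__main__":
    wallet = HolderWallet()
    verifier = "did:example:verifier"            # constructed sample identifier
    print(wallet.receive_request("guessed-id", verifier, ["age_over_18"]))
    sid = wallet.initiate_flow(verifier)
    print(wallet.receive_request(sid, verifier, ["age_over_18"]))
    print(wallet.receive_request(sid, verifier, ["age_over_18"]))  # replayed
```
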