w3c / vc-use-cases

Verifiable Credentials Use Cases
https://w3c.github.io/vc-use-cases/

New user/holder task - Receive and process claim request #140

Open RieksJ opened 1 year ago

RieksJ commented 1 year ago

Requirement: It MUST be possible for a holder to receive requests for one or more claims (from particular kinds of credentials), and subsequently process such requests and create responses thereto.

Motivation: Since verifiers are expected to need different claims from different credentials from different issuers, and construct a request for that (#139), holders must be enabled to either retrieve claims that the verifier requests, but perhaps also to send a request to designated issuers to obtain claims/credentials if they are not yet available from the holder's credential repository.

jandrieu commented 8 months ago

@RieksJ This request option presents potential problems with regard to spam and DDoS. We can consistently expect VC flows to be initiated by the holder, so that the holder remains in control of which VCs are issued or shared. A requirement to receive requests could be construed to imply that requests can be from arbitrary verifiers and queued for a response from the holder. However, we almost certainly do not want wallets to expose an arbitrary public interface that any self-proclaimed verifier could use to submit spurious or malicious requests.

Perhaps:

Holders must be able to initiate a flow of interactions that enables verifiers to request specific types of credentials.

Importantly, this is not a requirement for a passive "inbox" but rather a way for a holder-initiated action to trigger a request that they can then respond to.
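The difference between a passive inbox and a holder-initiated flow, sketched as an added example that is not part of the thread or of any W3C specification. The `Wallet` class, its method names, the request fields and the verifier name are all hypothetical: the wallet processes a claim request only if it references a one-time interaction the holder opened, and drops everything else without queuing it.

```python
import secrets
import time


class Wallet:
    """Hypothetical holder wallet: no inbox, only holder-opened interactions."""

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self._open = {}  # interaction id -> (expected verifier, expiry time)

    def start_interaction(self, verifier, now=None):
        """Holder action: open a short-lived, single-use interaction with one verifier."""
        now = time.time() if now is None else now
        interaction_id = secrets.token_urlsafe(16)  # unguessable handle
        self._open[interaction_id] = (verifier, now + self.ttl)
        return interaction_id

    def receive_request(self, request, now=None):
        """Process a verifier's claim request only inside an open interaction."""
        now = time.time() if now is None else now
        interaction_id = request.get("interaction_id")
        entry = self._open.get(interaction_id)
        if entry is None:
            # Nothing is stored or queued for requests the holder did not solicit.
            return "rejected: unsolicited"
        verifier, expiry = entry
        if now > expiry:
            del self._open[interaction_id]
            return "rejected: expired"
        if request.get("verifier") != verifier:
            return "rejected: wrong verifier"
        del self._open[interaction_id]  # single use, so a replay is unsolicited
        return "accepted: " + ",".join(request["claims"])


if __name__ == "__main__":
    wallet = Wallet()
    iid = wallet.start_interaction("verifier.example")  # constructed sample name
    spam = {"interaction_id": "guessed", "verifier": "spam.example", "claims": ["name"]}
    real = {"interaction_id": iid, "verifier": "verifier.example", "claims": ["age_over_18"]}
    print(wallet.receive_request(spam))
    print(wallet.receive_request(real))
    print(wallet.receive_request(real))  # replay of a consumed interaction
```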