-
Notifications
You must be signed in to change notification settings - Fork 49
credentialId in updateCredentialStatus may not fit all use cases #126
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
We discussed this on the 2022-03-29 call. @mkhraisha summarized the item. @mprorock noted that now that we have GET/PUT, seems like we added those things so we have clean/normal restful way to deal with this issue. @dlongley noted that it would be good to have a use case where a credential doesn't have an id that needs to be updated in this way. @mkhraisha asked if there would be a way to get credentials with no id. @dlongley said you could issue them, but might not be able to get them by id. @mprorock mentioned that we added GET so that you can always access a credential even if it doesn't have an ID via the /credentials/{id} pattern. The discussion continues... |
The group discussed this on 2022-11-01. @jandrieu asked which component this API call goes on, the group didn't know. @dlongley noted that it is associated with the Issuer Coordinator, because status is being updated by issuer (call from Issuer Coordinator to Issuer Service -- endpoint is on Issuer Service, called by Issuer Coordinator). He then wondered if you didn't have an ID, then you couldn't implement this endpoint. Maybe internally, there is another ID that could be stored/used in the issuing system. When you specify credentialID field, that could map into some internal space that the issuer has and can look up the credential. @dlongley didn't see how we could get rid of this field, but asked if the field has to necessarily map to Need to raise a PR that specifies how |
I would suggest giving this new value a more distinctive name such as
(Irrespective of whether or not we end up going down the same path over on w3c-ccg/traceability-interop#468). |
Can you clarify where the returned |
At present, it was suggested that it would be a sibling, but that sounds like a bad idea, doesn't it? :) @nissimsan's point also resonates with me. We might want to put it in a container at the top level, much like the way DID Resolution returns its results: https://w3c-ccg.github.io/did-resolution/#example-example-did-resolution-result It uses the fields |
I made some comments over here where I noted potential problems with having the issuing service auto-generate identifiers for referencing issued credentials. I think the better model is for the client to create and manage such identifiers, otherwise there doesn't seem to be a sensible way to resolve error cases. Copy and pasted here:
|
@dlongley I am a fan of the idea that a "conflict" error can help identify whether or not VCs were issued in the case of a network (or similar) error. What are your thoughts on how to handle scenarios where issuers are not storing VCs (and therefore unable to identify conflicts). |
In my view, there are two cases where issuers don't store full VCs:
In the first case, I'd expect the ID to be part of that meta data and the same "conflict" error can be used. In the second case, I think you're dealing with bearer VCs where, if a call is made that fails -- no one ends up bearing the VC anyway -- there's nothing to be concerned about. The VC that was created goes into the ether ... and you can just generate it again with the same ID without any problems. Perhaps a better way to put it is that the problems come from two or more systems tracking something different for the same ID. If you remove the issuer instance as one of those systems, that eliminates the problem. Of course, if the issuer system needs to track (for credential status, etc.), then you want the client to specify / manage IDs so conflicts can be resolved between the two systems. So, generally, it seems to me that all cases are covered if the client specified / manages the identifier and relies on the issuer instance to track duplicates (or not -- because it's a bearer VC so it doesn't matter anyway and network failures don't create problems). |
The group discussed this on the 2024-01-16 call and determined that the PR that is raised should do the following things:
@wes-smith volunteered to attempt a PR. |
#110 added the
updateCredentialStatus
operation which requires a caller to pass in acredentialId
for updating a credential's status. This is a good start and I don't see an urgent problem with that, but wanted to point out that:It's not quite clear if this field is meant to be the same as the
id
property of the VC, or if it can also be some internal reference that is not actually included in the VC itself.id
in a VC is optional, and that the API would therefore not support VCs that have acredentialStatus
property but not anid
property.Also, perhaps in the future we will see more advanced credential status mechanisms (ZKP based?) where some piece of information other than a credential ID might be needed for changing the status.
Potential alternatives: 1. Pass the entire VC to the API for changing the status, 2. Pass the
credentialStatus
block of the VC to the API, 3. Pass some additionaloptions
to the API.Like I said, not urgent, just wanted to capture these thoughts.
The text was updated successfully, but these errors were encountered: