Address "Credential" vs "VerifiableCredential" #1126
Comments
|
See #1057 |
|
This means, we should remove "Credential" entirely from the VCDM? IMO, it is confusing to have both in the VCDM, especially since the securing mechanisms are no longer part of the VCDM. |
|
@OR13 I fully agree we should fix that. |
|
There is clearly a difference between an object with a proof, meaning that it is verifiable, and an object without a proof, meaning that it is not verifiable. Since we have both of these objects in our specifications then we should be clear which term we apply to each of these objects. We cannot use the same term to apply to two objects because this introduces ambiguity. |
|
You can subclass in Linked Data, so it's possible to have Credential as a parent class, and VerifiableCredential as a subclass, and by inference also a Credential. |
|
An object may be "verifiable" without actually having a proof; it is the container (internal or external to the object) for the proof that matters. Verification requires that there be a proof in that container. Successful verification requires that the proof be proven. Failed verification is still an application of verifiability! |
|
I agree with ted. I think we are making a mistake in the current spec, referring to credential and verifiable credentials separately... Both can have proof and neither might verify, they are not useful terms for distinguishing attributes of the data model, since they support the exact same properties. We should avoid "credential" and focus on "claims" and "verifiable credential", or we should drop the word "verifiable" from everything but the spec title, and just have claims and credentials... I was rereading WebAuthN yesterday, and I think we have missed a huge opportunity to align better with it, due to our terminology coming from RDF instead of security vocabulary. The minimal VerifiablePresentation is just a proof from an authenticator (signature from a credential). The difference is web authn credentials are bound to a single RP (2 party model) and VCDM is not like that, and has more serious privacy issues because of this. Our concept of "holder binding / confidence method" is their concept of allowedCredentials but scoped again to only authentication. If WebAuthN didn't need the word verifiable to be successful, maybe we don't either. |
What are the implications of dropping it from the spec title as well? If the working group has agreed that anything can be verifiable, then there isn't much value in using that as a qualifier. |
|
For those less familiar with the history, we started with "Identity Credentials" back in ~2015, with the best representation of that spec I can find here via this capture from Another revision with some other details: Including as an extension to the Credential Management API (with a goal of close alignment): This naming was originally considered the most natural fit -- but the term "Identity Credentials" or using "Credential" alone came to be seen as problematic by some people from various communities for a variety of reasons. I'm sure someone could hunt down discussions from history on that as well. There was also some work in there for integrating with OpenId and Google's Macaroons at various points. Some people in the Open ID and browser communities did not want "Identity Credentials" to be used with things like the credential management API, but the landscape there has shifted. The way we resolved all of those issues was to change the terminology to "Verifiable Credentials". Here we are today -- full circle. I'm loathe to go through that long process again :). |
|
@OR13 said |
|
@David-Chadwick we voted on this already... It is the RDF data model that makes the word credential meaningless and indistinguishable from "VerifiableCredential". I didn't agree with the decision, or the data modeling design choices, but I don't think it should be reopened. The section of the spec that defines proof is wrong, and needs to be updated. There is no meaningful difference between credential and verifiable credential... It will continue to confuse people. I suggest @msporny or @dlongley open the PR to fix this, since they seem to understand the data model and both objected to the working group defining credential in RDF in way that would distinguish it from VerifiableCredential. |
|
I look forward to the proof text being updated and then the confusion/mis-understanding between the (non)difference between the two terms will be removed |
|
I also look forward to seeing this addressed |
|
Is this a duplicate of #1009? |
|
The issue was discussed in a meeting on 2023-07-12
View the transcript5.5. Address "Credential" vs "VerifiableCredential" (issue vc-data-model#1126)See github issue vc-data-model#1126. Brent Zundel: address credential vs verifiable credential. Manu Sporny: this is before CR. Brent Zundel: thanks, I will try to help. |
|
PR #1211 has been merged, closing. |
https://w3c.github.io/vc-data-model/#types
Table indicates these are separate
types, but the working group has since resolved not to define them separately, and every property that is valid forcredentialis also valid forverifiable credential.The text was updated successfully, but these errors were encountered: