Add credential deletion section. #491
Conversation
msporny
requested review from
dlongley,
dmitrizagidulin,
TallTed,
wes-smith,
eric-schuh and
PatStLouis
| The <dfn>verifier service</dfn> takes requests to verify Verifiable Credentials | ||
| and Verifiable Presentations and returns the result of checking their proofs and | ||
| status (if present). The service only checks the authenticity and timeliness of | ||
| the VC; leaving the Verifier Coordinator to finish Applying any business rules |
There was a problem hiding this comment.
| the VC; leaving the Verifier Coordinator to finish Applying any business rules | |
| the VC; leaving the Verifier Coordinator to finish applying any business rules |
| it's recommended to refer to external well known specifications, such as the | ||
| [[VC-BITSTRING-STATUS-LIST]]. | ||
| For specific mechanisms by which to manage Verifiable Credential statuses, it's | ||
| recommended to refer to external well known specifications, such as the |
There was a problem hiding this comment.
| recommended to refer to external well known specifications, such as the | |
| recommended to refer to external well-known specifications, such as the |
There was a problem hiding this comment.
The word order I suggest makes it (somewhat) less likely that well-known specifications will be read as a unit, thus not referencing only specifications that relate to the .well-known space.
| recommended to refer to external well known specifications, such as the | |
| recommended to refer to well-known external specifications, such as the |
| <a href="https://en.wikipedia.org/wiki/Right_to_be_forgotten"> | ||
| the right to be forgotten</a>. See Section [[[#deletion]]] for additional | ||
| considerations related to the removal of [=verifiable credentials=] from | ||
| systems. |
There was a problem hiding this comment.
+1 to this. We might want to consider some additional feature which would be more of a "prune" operation than a "delete", whereby the VC isn't deleted entirely, but its credentialId and any status entries information remain (information required for the application of uniqueness constraints and the maintenance of status lists, etc.).
There was a problem hiding this comment.
@PatStLouis noted that deleting the VC would need to delete any "linked" information -- including possibly revoking the credential?
The group discussed some of this on the 2025-06-24 call and came to the following conclusions:
- The difference between DELETE and "prune" is that the latter does not revoke the credential, and the former revokes the credential.
- Deleting any "higher level" linked information is the responsibility of the issuer coordinator and not the issuer service.
- Deleting might not be a good option if there are audit requirements (especially due to regulatory burdens).
There was a problem hiding this comment.
I don't know that an issuer instance would necessarily "know" to "revoke" (or change any other status bit for any other status "purpose") when deletion is performed.
I think an individual implementation could implement some stops/checks that would prevent deletion via a special configuration, but I don't think it would necessarily be easy to have some default behavior based solely on the "revocation" purpose. What about "suspension"? What about other custom purposes? It seems setting an expectation or special case for "revocation" would lead to more confusion with the DELETE function, not less.
I would say, instead, that we should keep the deletion operation at this level separate and simple. We should say that custom configurations can prevent deletion for any reason (including checking arbitrary status values or for other existing "linked" information) and provide an appropriate error that would signal that a client needs to run other operations using the VC API (e.g., flip status bits) in order to enable deletion. This approach would also avoid creating multiple ways / mechanisms for changing status.
| service and its associated key service is believed to be out of scope for | ||
| the VC API, but may be addressed by WebKMS or similar specifications. | ||
| The <dfn>issuer service</dfn> takes requests to issue VCs from authorized Issuer | ||
| Coordinators and returns well-formed, signed Verifiable Credentials. This |
There was a problem hiding this comment.
It seems odd to have this Verifiable Credentials where the rest of the paragraph uses the VC abbreviation. I'm suggesting to abbreviate this one, to make the paragraph internally consistent, believing that there's a Verifiable Credentials (VCs) or similar earlier in the document. The whole document should optimally be made consistent, likely with <dfn> tags applied to the appropriate (usually first) instance and <a> tags applied to the rest, and using VC in most instances.
| Coordinators and returns well-formed, signed Verifiable Credentials. This | |
| Coordinators and returns well-formed, signed VCs. This |
| service MUST have access to private keys (or key services which utilize private | ||
| keys) in order to create the proofs for those VCs. The API between the Issuer | ||
| service and its associated key service is believed to be out of scope for the VC | ||
| API, but may be addressed by WebKMS or similar specifications. |
There was a problem hiding this comment.
Is there an appropriate link for WebKMS, to serve with <a > or [[? ]], as appropriate?
| the VC; leaving the Verifier Coordinator to finish Applying any business rules | ||
| needed. |
There was a problem hiding this comment.
As used here, the semicolon should separate two complete sentences. The leaving... section could be reworded to start with something like the Verifier Coordinator is left to finish support this use, but going with the comma (as I've suggested below) is the smaller change to make the sentence correct.
| the VC; leaving the Verifier Coordinator to finish Applying any business rules | |
| needed. | |
| the VC, leaving the Verifier Coordinator to finish applying any necessary | |
| business rules. |
| demonstrate control over DIDs prior to issuance and with Verifiers to present | ||
| specific VCs. |
There was a problem hiding this comment.
| demonstrate control over DIDs prior to issuance and with Verifiers to present | |
| specific VCs. | |
| demonstrate control over DIDs prior to VC issuance and with Verifiers to | |
| present specific VCs. |
| Issuer. Implementers of verifier services are encouraged to understand the | ||
| privacy implications of checking status by referring to the respective | ||
| status specification used by the verifiable credential. | ||
| The <dfn>status service</dfn> provides a privacy-preserving means for publishing |
There was a problem hiding this comment.
| The <dfn>status service</dfn> provides a privacy-preserving means for publishing | |
| The <dfn>status service</dfn> provides a privacy-preserving means of publishing |
| <strong>Storage Service (Issuer) •Storage Service | ||
| (Verifier) • Storage Service (Holder) | ||
| </strong> | ||
| <strong>Storage Service (Issuer) •Storage Service (Verifier) • Storage |
There was a problem hiding this comment.
| <strong>Storage Service (Issuer) •Storage Service (Verifier) • Storage | |
| <strong>Storage Service (Issuer) • Storage Service (Verifier) • Storage |
| access to those exchanges to any party. | ||
| The <dfn>workflow service</dfn> provides a way for coordinators to automate | ||
| specific interactions for specific users. Each role (Holder, Issuer, and | ||
| Verifier) can run their own Workflow Service to create and manage exchanges that |
There was a problem hiding this comment.
| Verifier) can run their own Workflow Service to create and manage exchanges that | |
| Verifier) can run their own workflow service to create and manage exchanges that |
| create exchanges at their Workflow Service and give authorized access to those | ||
| exchanges to any party. |
There was a problem hiding this comment.
| create exchanges at their Workflow Service and give authorized access to those | |
| exchanges to any party. | |
| create exchanges at their workflow service and give access to those exchanges | |
| to any authorized party. |
| it can be useful to delete such a [=verifiable credential=]. An [=issuer=] | ||
| might need to do so because of regulatory requirements such as | ||
| <a href="https://en.wikipedia.org/wiki/Right_to_be_forgotten"> |
There was a problem hiding this comment.
| it can be useful to delete such a [=verifiable credential=]. An [=issuer=] | |
| might need to do so because of regulatory requirements such as | |
| <a href="https://en.wikipedia.org/wiki/Right_to_be_forgotten"> | |
| it can be useful to delete such a [=verifiable credential=]; for instance, | |
| an [=issuer=] might need to do so because of regulatory requirements such | |
| as <a href="https://en.wikipedia.org/wiki/Right_to_be_forgotten"> |
This PR is an attempt to address issue #407 by adding a credential deletion section.
Preview | Diff