Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

query language requirements discussion: claim based binding? #161

Open
Sakurann opened this issue Apr 25, 2024 · 7 comments
Open

query language requirements discussion: claim based binding? #161

Sakurann opened this issue Apr 25, 2024 · 7 comments
Labels
query language

Comments

@Sakurann
Copy link
Collaborator

Should verifier be able to express claim based binding? (some comments on google doc, not sure of a direction)
@Sakurann Sakurann mentioned this issue Apr 25, 2024
Closed
@selfissued
Copy link
Member

We need to better define what we mean "Claim based binding" to be able to discuss this question. Is this related to the "Claims-based binding" at https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-13.html#name-claims-based-binding-of-the , for instance?

What kinds of things would need to be expressed in a query language to achieve this and what would the holder need to do? Some examples could help.

@awoie
Copy link
Contributor

awoie commented May 2, 2024

IMO, a verifier should know what credentials to ask for and which claims should be included to perform claims-based binding themselves. I don't think we need this feature explicitly.

For example, give me a PID with given_name, family_name and dob, and give me a EEA with firstname, lastname, birthdate.

@jogu
Copy link
Collaborator

jogu commented May 2, 2024

IMO, a verifier should know what credentials to ask for and which claims should be included to perform claims-based binding themselves. I don't think we need this feature explicitly.

For example, give me a PID with given_name, family_name and dob, and give me a EEA with firstname, lastname, birthdate.

I think there's two main points here:

  1. If the user has multiple PIDs and multiple EEAs that belong to different people (ie. mothers with children, power of attorney, etc), expressing that the verifier needs the two returned credentials to match together means that the process of selecting the credentials to return is less error prone and easier for the user, and less likely for the user to end up at a dead end where credentials are returned to the verifier that don't actually satisfy the verifier's need.

  2. I'm not sure the verifier can express up front what claims need to match as this will likely vary depending on the jurisdiction that issued the credential, e.g. some countries will likely do claim binding using a national id number, but some won't.

@awoie
Copy link
Contributor

awoie commented May 3, 2024

IMO, a verifier should know what credentials to ask for and which claims should be included to perform claims-based binding themselves. I don't think we need this feature explicitly.
For example, give me a PID with given_name, family_name and dob, and give me a EEA with firstname, lastname, birthdate.

I think there's two main points here:

  1. If the user has multiple PIDs and multiple EEAs that belong to different people (ie. mothers with children, power of attorney, etc), expressing that the verifier needs the two returned credentials to match together means that the process of selecting the credentials to return is less error prone and easier for the user, and less likely for the user to end up at a dead end where credentials are returned to the verifier that don't actually satisfy the verifier's need.

That is a good point. This can be done by either presenting a purpose on the RP website, or via the query language, or the query language has to have some feature to express that two claims from two credentials have to match.

  1. I'm not sure the verifier can express up front what claims need to match as this will likely vary depending on the jurisdiction that issued the credential, e.g. some countries will likely do claim binding using a national id number, but some won't.

I believe the verifier would rather know that than the wallet. Essentially, this is a verifier policy. For example, in some jurisdictions it might be fine to use firstname, lastname, dob for user identification, in other jurisdictions, they will need firstname, lastname, dob and place of birth. If verifier does not know how to link based on claims, the wallet can present anything, even stupid things like "this is my gym membership card number which links to this DL number", and so on. The verifier will have to validate the binding themselves and will also know how to validate. Especially, because the wallet provider might operate outside of the verifier's jurisdiction.

@jogu
Copy link
Collaborator

jogu commented May 3, 2024

That is a good point. This can be done by either presenting a purpose on the RP website, or via the query language, or the query language has to have some feature to express that two claims from two credentials have to match.

I think the only way to optimise the user experience is via the query language.

I believe the verifier would rather know that than the wallet. Essentially, this is a verifier policy. For example, in some jurisdictions it might be fine to use firstname, lastname, dob for user identification, in other jurisdictions, they will need firstname, lastname, dob and place of birth

I'm not sure if this is universally true. Though I agree we can't expect the wallet itself to know which claims to use to bind credentials together.

I think the issuer of an EEA knows what claims they are (and are not) asserting, and could encode that in the credential (and I think that was Paul's latest suggestion, having a 'cnf' claim in the credential that the non-asserted claims sit inside). For example even in jurisdictions that (say) normally bind a university degree to a national id number, the issuer would have to bind to something else if the graduate was a foreigner that didn't have a national id number, and the verifier can't really be expected to know that when formulating the request.

There would still need to be some kind of agreement that the claims in the 'cnf' can be automatically mapped to the claims in the PID for the wallet to be able to do the matching, which probably gets tricky in the case where the PID is an mDL.

@bc-pi
Copy link
Member

bc-pi commented May 3, 2024

This is a somewhat tangential friendly reminder that the cnf claim specified in Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) is strictly about representing a proof-of-possession key and is therefore entirely inappropriate as a means of conveying 'claims based binding'.

@bc-pi bc-pi mentioned this issue May 3, 2024
Open
@Sakurann
Copy link
Collaborator Author

Sakurann commented May 3, 2024

WG discussion: "might not have enough implementation experience. hypothesis that there will be non-cryptographically bound credentials and this feature itself will be useful. the best way forward might be not to have this as an explicit requirement, but as a note/reminder to ensure the updated query language does not preclude claim based binding"

@Sakurann Sakurann mentioned this issue May 14, 2024
Open
@danielfett danielfett mentioned this issue May 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
query language
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jogu @selfissued @awoie @Sakurann @bc-pi