Change processing rules to allow same credential fulfilling different queries

[Sakurann]

resolves #397

• adds a processing rule that When the same Credential fulfills more than one Credential Query in a request, that Credential MUST contain the combination of claims requested by those Credential Queries. However, that Credential MUST NOT contain claims not requested by either of the Credential Queries.
  • I added it in a place that in my opinion made it most clear that this transcends claims and credential selection, but it can also be moved to after line 966

editorial changes

• consolidated security considerations section in one place (already using client identifier prefix term)
• some whitespace nits

[charsleysa]

shouldn't commit this file

[TimoGlastra]

Besides the comment from @charsleysa, this looks good to me, and feels like a simple approach.

[paulbastian]

Doesn't this disallow the simple option to make two distinct presentations for the same credential?

[GarethCOliver]

I guess the question would be 'what defines a credential'? Would it be more accurate to talk about this in terms of presentations, rather than credentials:

I.e.

'When the same Credential Presentation fulfills more than one Credential Query in a request, that Credential Presentation MUST contain the combination of claims requested by those Credential Queries. However, that Credential Presentation MUST NOT contain claims not requested by any of the Credential Queries that it fulfills."

That would allow the wallet to make two distinct or a single one.

[Sakurann]

good catch, Paul. I was not sure if we wanted to allow "the simple option to make two distinct presentations for the same credential". if we do, Verifier would need to support both cases, which might be harder?

[paulbastian]

Yes, but I don't see why we should make wallet implementations harder either. Most verifier implementations may not even check if more data than necessary was delivered

[GarethCOliver]

I don't think it's actually more work for the verifier:

AIUI it is always valid in these cases to answer the different credential queries with different credentials (I don't believe we even have a way to express that two different credential queries must be the same credential, there are arguably use-cases but they are pretty thin).

As a consequence, verifiers must be able to support different credentials presented for the different credential queries (at least to be correct). If they support that, then they will naturally support @paulbastian's desired mechanism (as it is likely indistinguishable from a verifiers perspective). So being permissive for wallets lowers their burden at no interop cost, so seems like win.

(Verifier processing logic is really just: for each queryId verify credential, extract relevant claims from credential to internal format. All this text changes is to prevent Verifiers being overly strict (ones who want to be now have to do some extra work to de-dupe credentials before running their check for unexpected claims, but for those who don't it is no more work.))

[Sakurann]

As a consequence, verifiers must be able to support different credentials presented for the different credential queries (at least to be correct). If they support that, then they will naturally support @paulbastian's desired mechanism

that is a fair point.

I'll commit my suggestion below that I believe fulfills @paulbastian's original point?

[charsleysa]

This file should be removed from the PR

[danielfett]

This should go below "selecting claims".

[danielfett]

This changes a lot of unrelated things, so should probably be rebased and checked again.

[Sakurann]

WG discussion.
@Sakurann and @danielfett to take this offline to bikeshed the text. wg agrees on what we are trying to say

[charsleysa]

as long as the .DS_Store file is removed