-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document that in the $HealthWallet API, you can only have one DID per account #21
Comments
@jmandel how does this work with multi-device (multi-app) or lost devices? |
I think the answer is: if you're binding a DID to your account, you'd bind a new one and then call |
Support Multiple Wallets (Multi-Device and Multi-App)I think EHR-Issuers and their Patients will want to support multiple wallets per Patient, just having multiple DIDs linked to an account. To support this, the EHR will need to know which Holder a VC is being issued for, since this will determine what DID document/JWE encryption key is used by the issuer. This is easy enough to support for download of For supporting this with Here's an example payload: {
"resourceType": "Parameters",
"parameter": [{
"name": "credentialType",
"valueUri": "https://healthwallet.cards#covid19"
},
{
"name": "holderDid",
"valueUri": "did:ion:<<identifer for holder>>"
}]
} Note this also covers the niche scenario of a patient having the same wallet installed on multiple devices. Those wallets will have the same client_id, BUT have separate DIDs (unless they're sharing private keys, but that seems out-of-scope). Without this parameter, EHRs wouldn't be able to recognize the difference between these two wallets issuing a |
Lost Devices / Wallet Key Rotation@daliboz for your question on lost devices, I think there are two useful tools/operations:
|
The goal is to make sure the specification is usable even without dids ever being anchored to a blockchain. So I would rather leave things like lost devices out of scope and only provide the "nuclear" option for v1 (i.e., the user can link a new did if they need to). There are definitely paths that we can pursue to do better over time, but I don't want to get distracted by them at this stage. Is there something critical that won't work if we just leave this out of scope initially @daliboz ? |
@jmandel I worry how we would inform the user that by connecting a new app (or new device/same app) that they're about to invalidate/remove previous associations - and how that would affect any issued vc as well (obviously no new VCs would go out for the old app). Is the assumption that we can prompt the user during the connect phase? Losing or getting a new device is a pretty common occurrence. |
"Connecting a new did" to an issuer shouldn't affect (shouldn't invalidate!) any existing VCs already issued
I'm not sure this has important user-facing consequences. If a user has >1 device each with a different mobile wallet, then each wallet can do " In other words: if we were going to "tackle" this problem, it'd be by saying:
My take is we can always migrate to this model in the future based on actual need. But we can do fine without it in v1. |
@jmandel @daliboz I don't think the expectation is that calling a I think its relevant to better define what a wallet is. See details here. With that in mind, here's how I'd see a revocation/lost device workflow playing out. Revocation WorkflowThe above definition of a "Wallet" implies that a given wallet should only have to call
|
I mean, we're defining "the expectation" in the spec -- or we should be. I'm not hearing a value proposition that leads me to think we need complex semantics here. (Obviously we could introduce these semantics and capabilities, but doing so has an implementation cost; my aim at this stage is to keep the surface area as small as it can reasonably be.) |
That's a good point. I think the value proposition here is to not limit if/how issuers support multiple wallets per user. I think the change we should make is to have the This leaves it up to the issuer to handle the multiple wallets question, and we would not explicitly define any other expectation of the In this, I'm mostly trying to have parity between the different workflows in this spec, and I think adding a |
Thanks again for the precision here. I'm open to this addition of
( |
This is a tricky topic. I think an important consideration is that the user should never have to manually manage her DIDs, this topic is way too confusing for most users. I believe we have 2 sensible approaches: Only ever keep one DID associated with a user accountThis means calling
Servers maintain a list of associated DIDsThis means an account can be associated with as many DIDs as the user will upload. Each device will need to specify which DID should be used for VC delivery on The downside to this approach I believe is that DIDs will accumulate when users change/lose phones and few users will ever care or even know that they can disassociate DIDs with their account. So I agree with Josh, at least for v1 it seems preferable that the expectation is that |
@p2-apple thanks for this. Would like to get your thoughts on allowing the behavior where issuers maintain multiple links, but not specifying that they must. (Basically, @madaster97's proposal to add a |
This comes down to whether or not a client has to specify What I like about this is that it makes the flow more deterministic, i.e. a device does not receive VCs bound to whichever DID was uploaded last. One can imagine a race condition where two devices with different DIDs attempt to download VCs at the same time, so this suggestion would prevent such a scenario. I like that! The question then becomes what do servers do that do NOT support 2+ bound DIDs. We will need a new OO to let the client know that it first has to issue I'm leaning towards making this change because it enables issuers to choose how many bound DIDs they want to support with a more robust API story. |
Yeah, I think we basically reaplace the "No DID Bound" OperationOutcome to a "That DID isn't bound" error, and everything works pretty deterministically from there. Good! |
Wallet binding is no longer part of the spec since #64 . |
If you call $HealthWallet.connect a 2nd time, this replaces the originally-bound DID with a new one.
The text was updated successfully, but these errors were encountered: