Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PROPOSAL: delete verifyCredential operation #123

Closed
OR13 opened this issue Feb 21, 2021 · 4 comments
Closed

PROPOSAL: delete verifyCredential operation #123

OR13 opened this issue Feb 21, 2021 · 4 comments
Assignees
@mkhraisha
Labels
pending close

Comments

@OR13
Copy link
Contributor

OR13 commented Feb 21, 2021
edited
Loading

Its redundant to verify multiple credentials which is now supported by verify presentation.

this would also help avoid the confusion of "when do i verify a vc vs a vp"... short answer is... always use a vp.

Also aligns with CHAPI which uses VPs as a transport data structure.
@peacekeeper
Copy link
Member

Hmm I don't really feel strongly about this, but I think both operations are justified, because

  1. the VC data model spec also distinguishes between "verifiable credential" and "verifiable presentation", and to me it feels intuitive that the VC HTTP API supports both separately.
  2. I think there may be use cases where you want to verify a VC, not a VP. E.g. VCs may be publicly hosted at some well-known URL, and you just want to download and verify them. Of course you can wrap a VC in a (proofless) VP just before calling the API, but that feels like an inconvenient and unnecessary extra step.

@OR13
Copy link
Contributor Author

OR13 commented Mar 1, 2021

both options are legal... but thats not what matters... we are trying to build an HTTP API for VCs and encouraging folks to not use VPs to move credentials around creates harmful optionality.... and a complicated API with redundant paths.

I suppose we can keep adding optional redundant endpoints to the spec, for anything that is legal according to the vc data model... but I think thats not actually helpful to developers / businesses.

We need a minimal set of endpoints, that encourage best practices.

I think its an anti-pattern to expose a verification endpoint for credentials that does not hint at client authentication (with VPs).

@mprorock
Copy link
Contributor

verifyCredential seems an implicit operation even if not always or often used

@msporny
Copy link
Contributor

msporny commented Mar 29, 2022

The group discussed this on 2022-03-29. @mkhraisha summarized the issue and suggested it was fine to leave verify credential route. @dlongley noted that having a separation here might be of value for -- if we're going to use an endpoint where we can turn off checking signature on presentation (verifyPresentation) vs. having an endpoint for just checking a VC might be useful. @TallTed noted that it should be allowed to just verify bare VCs w/o embedding them in a VP. @mkhraisha noted that we could make this an optional endpoint. @mprorock noted that if we have an endpoint for creating VCs, it would be strange to not have an endpoint for verifying VCs.

The group came to consensus that: The endpoint is useful and should be kept and is a mandatory endpoint.

This issue will be closed in 7 days if there are no objections.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mkhraisha mkhraisha

Labels
pending close
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@msporny @peacekeeper @mprorock @OR13 @mkhraisha