Description
The current specifications (VCDM and BitstringStatusList) invite issuers to provide a URL that is expected to be retrieved by verifiers during validation.
In particular, as illustrated in [Example 12](https://w3c.github.io/vc-data-model/#example-use-of-the-status-property), the credentialStatus property for type BitstringStatusListEntry defines a "statusListCredential" value, which in the Bitstring spec https://www.w3.org/TR/vc-bitstring-status-list/ is expected to be a URL that is dereferenced by the verifier to download that status list as a VC.
This is a form of latent phone home, as described in the https://nophonehome.com statement that has catalyzed a movement to reduce unnecessary surveillance in our identity systems.
We have an alternative practice that completely avoids the phone home problem, by requiring the Holder to retrieve the URL instead of the Verifier. This is already achievable in practice (there is nothing in the standard that requires the verifier to do the retrieval as the result is a signed credential whose provenance is verifiable).
We do have a normative requirement on credential status specifications to NOT enable tracking of individuals. However, that is not currently the case with, for example, Bitstring Status List, which enables Issuers to specify a statusListCredential URL that does, in fact, have unique data usable to track requests for that particular credential. While issuers are supposed to NOT use that URL that way, the specification enables it.
This might need changes to the VCDM and/or Bitstring Status List, both of which are likely Class 4 changes to normative requirements.
I'd like to ensure that the next charter allows us to explore solutions to this problem.
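
A sketch of the holder-retrieval practice described in this issue, as an added example that is not part of the original post or of either specification: the verifier evaluates a BitstringStatusListEntry against a status list credential the holder included in the presentation, and never dereferences statusListCredential. Assumptions: `proof_ok` is a hypothetical callable standing in for the verifier's own proof verification, the list credential's `id` is assumed to equal the statusListCredential URL, and all sample values are constructed.

```python
import base64
import gzip

def encode_list(bits: bytes) -> str:
    # Issuer side: GZIP, base64url without padding, multibase prefix "u".
    return "u" + base64.urlsafe_b64encode(gzip.compress(bits)).decode().rstrip("=")

def decode_list(encoded: str) -> bytes:
    if not encoded.startswith("u"):
        raise ValueError("encodedList is not multibase base64url")
    b64 = encoded[1:]
    return gzip.decompress(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))

def status_bit_set(entry: dict, held_list_vc: dict, proof_ok) -> bool:
    """Evaluate entry against a list VC supplied in the presentation. No network I/O."""
    if entry.get("type") != "BitstringStatusListEntry":
        raise ValueError("unsupported credentialStatus type")
    # Assumption: the list VC's id equals the URL named in the entry.
    if held_list_vc.get("id") != entry["statusListCredential"]:
        raise ValueError("supplied list is not the one the entry names")
    # Provenance comes from the issuer's proof, not from who fetched the list.
    if not proof_ok(held_list_vc):
        raise ValueError("status list proof did not verify")
    subject = held_list_vc["credentialSubject"]
    if subject.get("statusPurpose") != entry["statusPurpose"]:
        raise ValueError("statusPurpose mismatch")
    bits = decode_list(subject["encodedList"])
    index = int(entry["statusListIndex"])
    if not 0 <= index < len(bits) * 8:
        raise ValueError("statusListIndex out of range")
    # Index 0 is the left-most bit of the bitstring.
    return bool(bits[index // 8] & (0x80 >> (index % 8)))

# Constructed sample data: a 131,072-bit list with only entry 94567 set.
_raw = bytearray(16384)
_raw[94567 // 8] |= 0x80 >> (94567 % 8)
SAMPLE_URL = "https://issuer.example/status/3"
SAMPLE_LIST_VC = {
    "id": SAMPLE_URL,
    "type": ["VerifiableCredential", "BitstringStatusListCredential"],
    "credentialSubject": {"type": "BitstringStatusList", "statusPurpose": "revocation",
                          "encodedList": encode_list(bytes(_raw))},
}
SAMPLE_ENTRY = {"type": "BitstringStatusListEntry", "statusPurpose": "revocation",
                "statusListIndex": "94567", "statusListCredential": SAMPLE_URL}

if __name__ == "__main__":
    # proof_ok here accepts everything; a real verifier passes its proof check.
    print(status_bit_set(SAMPLE_ENTRY, SAMPLE_LIST_VC, proof_ok=lambda vc: True))
```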