Status list credential issuer validation

[clehner]

Is a StatusList2021Credential expected to be issued by the issuer of the verifiable credentials whose revocation status it encodes?

[mprorock]

yes

[longpd]

Who else has the knowledge to do that but the issuer?

[Sakurann]

if issuer is part of a trust framework or a federation, there might be one list for multiple issuers? (though maintaining that might be a nightmare)

[Sakurann]

One sentence that it might or might not match might be helpful/all we can do.

something like what we added in openid4vci spec when we had a similar question: "Depending on the Credential format, the issuer identifier in the issued Credential is not always a URL using the https scheme. Some other forms that it can take are a DID included in the issuer property in a [@VC_DATA] format, or the Subject value of the document signer certificate included in the x5chain element in a [@ISO.18013-5] format."

and it is up to the verifer/holder/issuer trust model to decide whether to check if it is the same or not.

[mprorock]

yes

to elaborate: a lot is possible, but the intention is that typically the issuer would be the one issuing the status list, even if that is a delegated responsibility

[iherman]

The issue was discussed in a meeting on 2023-01-31

• no resolutions were taken

View the transcript

2.3. Status list credential issuer validation (issue vc-status-list-2021#7)

See github issue vc-status-list-2021#7.

Brent Zundel: is status list 2021 expected to be issued by the same issuer as the credential.

Michael Prorock: 3rd party stuff could get interesting.

Orie Steele: as far as I know, the answer is "yes", but there are "hierarchy" concerns -- is the global company the same as the sub-company? Does it have to be with the same keys? I don't know the specific guidance on this, but errors would be thrown if the issuer is not matching. Looking for clear guidance on issuer, keys, etc. being the same vs. different..

Kristina Yasuda: also filed: #49.

Brent Zundel: the setup is that the issuer has issued a vc and the issuer has indicated where a verifier can retrieve the credential.... does it matter?... can an issuer delegate revocation authority?.

Michael Prorock: question is "expected to be" not, what are all the crazy things we can do.

Manu Sporny: +1 to yes... the answer is yes in general.

Kristina Yasuda: One sentence that it might or might not match might be helpful.

Kristina Yasuda: we had the same question in openid4vci spec: "Depending on the Credential format, the issuer identifier in the issued Credential is not always a URL using the https scheme. Some other forms that it can take are a DID included in the issuer property in a [VC_DATA] format, or the Subject value of the document signer certificate included in the x5chain element in a [ISO.18013-5] format.".

Manu Sporny: its true, there are questions about hierarchy and global company vs local companies.....
… and it may be bad for us to be overly strict in this regard.
… I think what brent said is most telling, the issuer intended to point to where they sent you... you should probably trust the original issuer first..
… the original issuer, should be able to delegate.
… it would be straight forward for us to say the issuer should be the same for both.
… its probably better to just require both to be verified, and leave the choice to the issuer.

Phil ASU: in the k12 space, highschool vs districts use case seems relevant....
… we have seen issues where there can be governance issues here.

Michael Prorock: +1 Phil we are looking more at business rules and not closing those things off.

Kristina Yasuda: can we say the issuer may or may not match.
… we did something similar in another spec.

Manu Sporny: +1 kristina.

Michael Prorock: +1.

Orie Steele: +1 kristina.

[msporny]

PR #103 has been raised to address this issue. This issue will be closed once PR #103 has been merged.

[msporny]

PR #103 has been merged, closing.