Is proof of strong holder binding required for issuance?
Issue #1452
resolved
This question arose as part of PR #133, copying in some of the comments from there:
Jeremie:
What is the use-case for having a
didonly claim without aproof? If the Client is always capable of generating aproofshouldn’t they be required to?
Kristina:
If I recall correctly, the reason why there is an option to send only a
didis because “Some DID Methods do not require the End-User identified by a DID to also be a controller of a private key associated to a public key in a DID Document tied to that DID“. (as stated in the security considerations OpenID Connect for Verifiable Credential Issuance )However, an argument can be made that those DID methods should not be used..? in which case, mandating a
proofproperty makes sense.
Comments (5)
-
-
Another question I had when writing PR #136 is whether supplying only
sub_jwkmakes sense. -
The more I think about it, the more I think we should not allow supplying only key material without PoP. It leaves binding somewhere in-between cryptographic binding and user-claim based binding. Meaning, if the Holder does not control private key of a
did, cryptographic binding will not work at presentation, and user-claim based binding should be used, which make it more complicated for the verifier.Suggest to remove this option until we hear strong use-case for it.
-
PR #136 updated to remove an option of allowing only kye material without PoP. Please review
-
- changed status to resolved
PR #136 merged
- Log in to comment
- Assignee
- –
- Type
- Priority
- Status
- resolved
- Component
- Credential Issuance
- Milestone
- –
- Version
- –
- Votes
- 0
- Watchers
- 1
Documenting a related question raised by Tobias in PR #136: “If I supply a DID am I relying on the proof to describe which key from the did doc was used to sign the PoP?“ If
did+proofare supplied,kidwould identify a particular key used to signproof. Ifdidonly is supplied, DID URL might be used, but I don’t know if a particular key needs to be identified.