Is proof of strong holder binding required for issuance?

Issue #1452 resolved
Jeremie Miller created an issue

This question arose as part of PR #133, copying in some of the comments from there:

Jeremie:

What is the use-case for having a did-only claim without a proof? If the Client is always capable of generating a proof, shouldn’t they be required to?

Kristina:

If I recall correctly, the reason why there is an option to send only a did is because “Some DID Methods do not require the End-User identified by a DID to also be a controller of a private key associated to a public key in a DID Document tied to that DID” (as stated in the security considerations of OpenID Connect for Verifiable Credential Issuance).

However, an argument can be made that those DID methods should not be used..? In which case, mandating a proof property makes sense.

Comments (5)

  1. Kristina Yasuda

    Documenting a related question raised by Tobias in PR #136: “If I supply a DID am I relying on the proof to describe which key from the did doc was used to sign the PoP?” If did + proof are supplied, kid would identify the particular key used to sign the proof. If did only is supplied, a DID URL might be used, but I don’t know if a particular key needs to be identified.

  2. Kristina Yasuda

    The more I think about it, the more I think we should not allow supplying only key material without PoP. It leaves binding somewhere in between cryptographic binding and user-claim-based binding. Meaning, if the Holder does not control the private key of a DID, cryptographic binding will not work at presentation, and user-claim-based binding should be used, which makes it more complicated for the verifier.

    Suggest to remove this option until we hear a strong use-case for it.
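
The thread turns on what an issuer can actually verify when did and proof arrive together versus did alone, so here is an added issuer-side check. It is not code from this thread or from the OpenID4VCI specification. It assumes the Credential Request shape of the draft under discussion (a did value plus a proof object with proof_type "jwt" and a jwt whose header kid is a DID URL and whose payload carries the issuer's c_nonce in nonce and the issuer identifier in aud); the did:example document, the holder key, the issuer URL and the wallet client_id are constructed for the demo, the DID resolver is a dictionary lookup, and the P-256 ECDSA is a minimal pure-Python implementation so the block runs offline. A request carrying did without proof is refused outright, which is the behaviour comment 2 argues for; a proof whose kid is not a key listed under the requested DID is refused as well, which is the issuer-side answer to the question in comment 1 about which key signed the PoP.

```python
import base64, hashlib, hmac, json
# Added example; not code from the issue thread or the OpenID4VCI specification.
# Minimal pure-Python P-256 ECDSA (ES256) so the block runs offline; demo-grade
# only: no constant-time arithmetic, toy nonce derivation instead of RFC 6979.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _e(msg):  # SHA-256 of the signing input as an integer, as ES256 requires
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def ecdsa_sign(d, msg):
    k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (_e(msg) + r * d) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")  # JWS encoding: raw r || s

def ecdsa_verify(pub, msg, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_e(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed holder: a did:example DID whose document lists one P-256 key.
ISSUER = "https://issuer.example.com"  # assumed Credential Issuer identifier
HOLDER_DID, HOLDER_KID = "did:example:holder", "did:example:holder#key-1"
HOLDER_PRIV = _e(b"demo holder key") % N
_pub = _mul(HOLDER_PRIV, G)
DID_DOCUMENTS = {HOLDER_DID: {"id": HOLDER_DID, "verificationMethod": [{
    "id": HOLDER_KID, "type": "JsonWebKey2020", "controller": HOLDER_DID,
    "publicKeyJwk": {"kty": "EC", "crv": "P-256",
                     "x": b64u(_pub[0].to_bytes(32, "big")),
                     "y": b64u(_pub[1].to_bytes(32, "big"))}}]}}

def make_proof_jwt(kid, priv, c_nonce, client_id="wallet-demo"):
    """Wallet side: JWT proof of possession; kid names the signing key by DID URL."""
    header = {"alg": "ES256", "typ": "JWT", "kid": kid}
    payload = {"iss": client_id, "aud": ISSUER, "iat": 1700000000, "nonce": c_nonce}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(payload).encode())
    return signing_input + "." + b64u(ecdsa_sign(priv, signing_input.encode()))

def check_holder_binding(request, c_nonce, resolve=DID_DOCUMENTS.get):
    """Issuer side. Returns (bound, reason); bound is True only when the proof verifies
    under the key that the requested DID's own document lists for the proof's kid."""
    did, proof = request.get("did"), request.get("proof")
    if not did or proof is None:  # did-only requests: the option comment 2 proposes to drop
        return False, "no did, or did without proof: cryptographic holder binding cannot be established"
    try:
        h, p, sig = proof["jwt"].split(".")
        header, payload = json.loads(b64u_dec(h)), json.loads(b64u_dec(p))
    except (ValueError, KeyError, AttributeError, TypeError):
        return False, "malformed proof"
    if proof.get("proof_type") != "jwt" or header.get("alg") != "ES256":
        return False, "unsupported proof_type or alg"
    kid = header.get("kid", "")
    # kid must be an absolute DID URL under the requested DID: the key comes from that document, not another DID's.
    if not kid.startswith(did + "#"):
        return False, "kid is not a key of the requested did"
    vm = next((m for m in (resolve(did) or {}).get("verificationMethod", []) if m.get("id") == kid), {})
    jwk = vm.get("publicKeyJwk", {})
    if (jwk.get("kty"), jwk.get("crv")) != ("EC", "P-256"):
        return False, "kid not in DID document or key does not match alg"
    pub = (int.from_bytes(b64u_dec(jwk["x"]), "big"), int.from_bytes(b64u_dec(jwk["y"]), "big"))
    if not ecdsa_verify(pub, f"{h}.{p}".encode(), b64u_dec(sig)):
        return False, "signature invalid"
    if payload.get("nonce") != c_nonce or payload.get("aud") != ISSUER:
        return False, "nonce or audience mismatch: stale, replayed or misdirected proof"
    return True, "cryptographic holder binding verified via " + kid
```

The order of checks matters: the kid prefix test runs before any resolution, so a proof signed with a key from a different DID's document never reaches signature verification, and the nonce and audience are checked only after the signature, so a replayed or misdirected proof is refused only once it is known to be a genuine signature from the named key. A production issuer would use a vetted ECDSA implementation and a real DID resolver in place of the demo pieces here.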
