-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
get cred events from an issuer's TEL? #672
Comments
First post on Discord, from Rubel:
|
After a few suggestions, another comment from Rubel:
|
To which @rodolfomiranda replied:
|
|
|
|
|
|
|
@dhh1128 :
|
We discussed this briefly on the community call today. We got to the place described in the first post on this issue -- not sure whether we're trying to pursue a dead end. Phil's comment seems to suggest that it should be possible, but our testing did not produce useful results... |
Yes, that is what I was asking, which is a part of, though not everything, that Rubel was asking. |
All of the current code for querying for TELs assumes you have a credential so you can use the registry SAID and the credential SAID to query for the TEL events related to that credential. We do not have a use case for querying for all TEL events from an issuer or from a registry. If you have such a use case, please propose an API change to the |
After listening and reading all the discussions in the past two weeks, my summary on this is that we need an option for issuers to publish their TELs to their witnesses so that the TELs are publicly discoverable, making them public TELs. This should not be the default option as there are privacy implications for publishing the TELs of which ACDCs are issued to natural persons. A good example use case is in the vLEI ecosystem where Qualified vLEI Issuers (QVI) issue ACDCs to legal entities. These ACDCs only contain public information of legal entities so they can be made public. This capability would allow anyone to monitor QVIs’ activities, without relying on GLEIF’s centralized API services. |
Great summary @nkongsuwan , I agree with this assessment |
If we pursue this design goal, then a relevant question in my mind is: How does an AID's controller signal the intention that a TEL should be public? Is this a choice that must be made when the AID is first created? Or can it be made and unmade multiple times, over the lifecycle of an AID? |
If it's made when the AID is first created, does the publicness of the TEL get declared in an inception event? Or should an AID be able to make different publicness decisions about different credential registries, and have those decisions bind to the event that announces the credential registry? |
Additionally, if the creds and tels are public, will it require a new API to be implemented to query an AID's credentials? |
I don’t think this choice should be made when the AID is first created as an AID may issue a variety of ACDCs, some public and some private. For example, a QVI may issue an ECR credential (via ECR AUTH from LE) which is private. Perhaps, this may be declared in key events that anchor registry creation. In the example of vLEI, a QVI may use different registries for different types of credentials. |
By design the only thing that a KEL publicizes is key state. Key state includes current signing keys, current signing key threshold, next key threshold next key digest list and backer threshold and backer identifiers. Seals that are anchored in a KEL are by design hidden. they are just hashes and maybe a reference to someother key. This means that the AID itself has no mechanism for publishing anything about any TELs and any data that is anchored to its key state via a seal. As it should not. The publicity state of what is being sealed is sealed item dependent. Lets call these the Seal target. I.e. the seal target’s publicity is target dependent. This means any mix of public or private target’s is possible. So given that the KEL itself cannot publicize a Seal Target how does it get published? The primary mechanism is by an API or service endpoint. Service endpoints are can have routes attached to them via a route path string like “/public/tels”. and in some cases a return route path string like “/process/tels” This enables two things.
These endpoints are discoverable dynamically via OOBIs. The endpoint can then be self-discoverable by publishing the routes is responds to, such as OpenAPI if its rest or the equivalent of a directory of routes (say at route “/“) of routes it responds to. The querymessages in KERI support parametrized queries to a given endpoints route so they are perfectly generalizable. The matching reply messages can return arbitrary field map documents so they are perfectly generalizable. Likewise for the prod and bare messages except that these two are meant only for seal targets. That does not preclude query/reply from being associated with seal targets. But the former may employ different semantics. So far we don’t have any of the former supported but because a seal target is more secure than Bada/Run it makes sense to bifurcate based on its enhanced security posture. So maybe down the road. Now given OOBIs for endpoints and routes for what get served up by those endpoints, a given AID controller now has perfect flexibility in what and when it wants to publicise. If it decides to make something public it attaches it to a route. If later it decides ot not publicize it. then it unattaches it. Nothing changes in the KEL. If what it wants to publicise is a TEL then all it needs to do is create a route that corresponds to one of the following:
Authentication and AuthorizationBasically unlike federated identity, KERI and ACDCs have simplified this proble, while also removing the security problems that make it such difficult problem. Authorization starts with a white lists of trusted AIDs as trust anchors or root-of-trust Now authentication happens upon presentations of a delegation and then authorization against the white list of trust-anchors and whatever delegable authority is allowed. Primary authentication is by verifying signatures against the current key state of the AID controller making the presentation and against ACDCs delegating authority from white listed trust anchors. Nobearer tokens, no ephemeral tokens, no trusted third party identity providers. Each AID controller is its own identity provider. Trust anchors are not identity providers. They are not involved in the authentication process. They issue credentials which can be verified without necessarily contacting the issuer. Dynamically revocable credentials just need to have their TELs publicized to a watcher network that a verifier can access. One can confuse a trust anchor with an identity provide, please don’t. The security role they play is materially different. They provide reputational trust not attributional trust. An identity provider provides attributional trust as a proxy for the user. In KERI the user always provides their own attributional trust. They sometimes need a reference (letter of reference) so that they can inherit or borrow enough reputation from a trust anchor to enable access. Its a completely different trust model than federated identity. |
Just a sanity check, the following sentence comes from section 6.7.1 of the vLEI OOR EGF:
|
I remember that. I don't remember why GLEIF wanted it that way.
… On Feb 21, 2024, at 10:44, Daniel Hardman ***@***.***> wrote:
Just a sanity check, the following sentence comes from section 6.7.1 of the vLEI OOR EGF:
GLEIF MUST monitor the QVI Transaction Event Logs (TELs) to detect the issuance
of OOR vLEI Credentials which were not reported using the vLEI Reporting API.
—
Reply to this email directly, view it on GitHub <#672 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAETEPLA3VLFKHRCXYSYKU3YUYXALAVCNFSM6AAAAABC77YXRKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJXGQ4DCMZTGI>.
You are receiving this because you commented.
|
I believe the solution here, that Sam is referring to is a bespoke service from witnesses that represent a discovery service for published credentials. This cleanly separates what should be a simple publication of issued public credentials from Witnesses. I think Sam described above how that service can be designed and accessed via end roles and OOBIs. |
This issue tracks a question from @rubelhassan, @Arsh-Sandhu , and me. We are looking for an efficient way to discover that a particular issuer has issued or revoked credentials, and what the SAIDs and approximate issuance/revocation times of those credentials is. Our assumption was that we could contact the witness that services the issuer's AID, and get a series of events from the TEL that each contain the SAID of a given credential, or similar. What we have discovered is that this doesn't work. We seem to have a way to ask the question, but the answer to the question always seems to be "this TEL has no events" -- and we are wondering if this is by design, or if we are doing something wrong.
I will append a series of messages from Discord, reproducing some conversation that has occurred in that channel.
The text was updated successfully, but these errors were encountered: