-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue with how the BC Wallet responds with non-revocable credential attributes to a presentation request containing a non-revocation interval predicate #762
Comments
This is actually a long standing bug seen in most wallets. We have actually had to implement and deploy workarounds for these scenarios. We have two instances of vc-authn to deal with this issue. One for revocable credentials and one for non-revocable credentials. In this case the issue was discovered because of the use of a mix of revokable and non-revokable credentials. |
@WadeBarnes I may be conflating two different issues here but I think the wallet / AFJ works correctly. The BCLS is not providing the correct interval. We patch the wallet to work with BCLS in #697.
As noted here
The expected interval is:
@amanji Thoughts? |
@jleach, The issue being reported is related to the use of the non-revokable Open Verified Person credential to respond to the presentation request which contains a non-revocation interval predicate. The LSBC Member certificate is not an issue in this scenario, it's just along for the ride. |
@esune, Any comments? |
@WadeBarnes I think your explanation is pretty clear. |
To determine where the bug is, we have to look at the response back from the wallet. I'm not sure the bug is not in vc-authn-oidc in evaluating the presentation. The wallet should treat any proof request that includes a non-revocation range as not having that range if responding with a non-revocable credential. That is all the wallet can do -- there is no revocation information to include. The question is what vc-authn-oidc does when receiving the credential, and the information above is sufficient to know that. |
Related issue with additional info; openwallet-foundation/acapy#1651 |
Noted by Stephen in his Jun 3 comment "Any fixes needed to happen at the AnonCreds level -- below ACA-Py. Ideally". Moving to blocked and monitoring related issues. |
The fix is probably at AFJ level, but for now we will create a test scenario to cover this use case and monitor |
@swcurran , do you have any comment on this issue? We might need to update RFC for some clarity |
My understanding is that this can be worked around in the Presentation Request (so in this case vc-authn-oidc and the A2A level). An overall fix that avoids the workaround is needed at the AnonCreds implementation level. A summary:
So, the workaround needs to be done at the A2A deployment of vc-authn-oidc by either:
The latter should work before and after the fix to AnonCreds implementations, and regardless of whether the Issuer changes to using revocation. The other guidance about PRs outlined in RFC 0441 Present Proof Best Practices should also be followed — notably, not to use |
|
@swcurran , is there a better place we could move this issue? or would should we keep in bc-wallet? |
As long as the BC Wallet allows for responding to Proof Requests that have a revocation interval with satisfying credentials that are not revocable, and vice versa, this issue can be closed. If that is not the case — e.g. the wallet prevents sending a presentation in those scenarios, I would recommend opening another issue to address that. Either way, close this one. Does that make sense? |
@swcurran, @WadeBarnes , we don't have a use case for non-revocation credentials. If this is still impact, please open an issue with AFJ |
The A2A (ACM) team ran into an issue authenticating with ACM using the new accredited-lawyer-bcpc-dev presentation request.
The issue has to do with how the BC Wallet responds to presentation requests that contain a non-revocation interval predicate using attributes from a non-revocable credential; the wallet is not providing an appropriate and expected non-revocation interval for the non-revocable credential. This steams from, to quote Emiliano, "the fact that wallets (traditionally) do not cope well when validating non-revocable credentials with a non-revocation interval in the proof". Below are steps to reproduce for both the failure and success scenarios.
Summary
A user should be able to respond to a presentation request containing a non-revocation interval predicate using a non-revocable credential, provided that credential also satisfies the request.
Steps to reproduce - failure scenario:
A2A - Trust Over IP
invite link. When filling out the form, make sure you use the same First Name and Last Name on this and the Open Verified Person credential you'll get later.Access to Court Materials
dev
site. URL can be provided on request.Proceed to website
Observed behavior:
Unsuccessful Proof
message from ACM.vc-authn
agent reports the following error due to how the wallet has responded to that portion of the presentation request, it has not provided the expected non-revocation interval for the non-revocable credential.Expected behavior:
Steps to reproduce - success scenario:
Access to Court Materials
dev
site. URL can be provided on request.Proceed to website
Observed behavior:
The text was updated successfully, but these errors were encountered: