[IATP] Credential Validator Registry

[git-masoud]

Feature Request

Purpose of this proposal is introduction of a more generic implementation of Credential Validator rules in identity-trust-service, that would be able to defer this logic to an external service.

Which Areas Would Be Affected?

extensions/common/iam/identity-trust

Why Is the Feature Desired?

Some ecosystems have a dedicated service (or a federation of multiple) that defines whether a issuer is trusted or not. In case of Gaia-X Reference Architecture, this service is called the Gaia-X Registry.
In order to determine if an issuer is trusted or not, the public key of the issuer needs to be sent to Gaia-X Registry for verification.
In the current implementation, all the rules are statically defined and users cannot add any other custom rules.

Solution Proposal

In order to allow for easier future extensions of the VC validation logic, we also propose the following improvement:
In IdentityAndTrustService.java , list of validations applied to Verified Credentials are hard coded and not convenient to manage.

We propose introducing an registry that would manage all CredentialValidationRule subclasses, allowing these to be dynamically registered, based on the requirements of an ecosystem.

identity-trust-service can provide some of the basic ones, for example IsNotExpired and IsNotRevoked, while other, more custom ones, can be defined in separate extensions.

An example of that would be one that uses an external instance of a Gaia-X Registry to determine wheter a public key of an issuer is trusted or not.

[jimmarino]

This will be addressed in a Decision Record that is in process. Please stay tuned.

[jimmarino]

Looking at this further, I don't know if #3734 completely addresses this since it primarily deals with token validation (as opposed to VC validation).

There are plans to have Each EDC runtime maintain a trusted issuer list locally. This may be static or sourced from a trusted registry. In the latter case, the list may be updated periodically at runtime.

Dynamically determining if an issuer is trusted via a third-party registry does not seem like a realistic use case, will likely not scale, and introduces a number of potentially serious security vulnerabilities.

Why not solve this by having an issuer-of-issuers where each issuer must have a VC issued from a root source that can be presented periodically? The VCs can be checked against a status list provided by the root issuer, which will then allow for revocation and rotation. This will avoid single points of failure and preserve privacy more effectively.

[github-actions]

This issue is stale because it has been open for 14 days with no activity.

[github-actions]

This issue was closed because it has been inactive for 7 days since being marked as stale.