[VC Security & Trust Document] Does a presentation require holder binding?

[Macke]

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/2014

Original Reporter: danielfett

Regarding this open question: “Should a "presentation" always mean/require cryptographic holder binding? Should these use cases where it is not required covered by the protocol?”

Giuseppe De Marco

2023-03-06

it may depends by use cases.

presenting personal identification data, for authentication purpose, or verifiable attestation of attributes, for instance: diploma use cases and any other attestation, like mDL. In these cases the binding of the owner and the proof of it’s willing during the presentation is a mandatory requirement.

there are other cases where the VC is a cinema ticket, a parking ticket, laundry ticket and other cases where the credentials may be shared between different holders. In this cases there would not be the security requirement of the binding and that’s up to the nature of the credentials and service it is required to be used on.

usually, these VC/services, should be like disposable tickets, to be used only once.

Different cases are subscriptions or VCs which, by their very nature, must be resubmitted from time to time.