This issue was raised by the European Commission conformance team.
OID4VP says:
claims: OPTIONAL. A non-empty array of objects as defined in Section 6.3 that specifies claims in the requested Credential. Verifiers MUST NOT point to the same claim more than once in a single query. Wallets SHOULD ignore such duplicate claim queries.
- It is unclear what exactly is meant by "point to the same claim more than once".
- It is also unclear what it means in practice that duplicate claim queries "SHOULD be ignored".
OID4VP further says:
Each entry in claims MUST be an object with the following properties:
id: REQUIRED if claim_sets is present in the Credential Query; OPTIONAL otherwise. A string identifying the particular claim. The value MUST be a non-empty string consisting of alphanumeric, underscore (_), or hyphen (-) characters. Within the particular claims array, the same id MUST NOT be present more than once.
path: REQUIRED The value MUST be a non-empty array representing a claims path pointer that specifies the path to a claim within the Credential, as defined in Section 7.
values: OPTIONAL A non-empty array of strings, integers or boolean values that specifies the expected values of the claim. If the values property is present, the Wallet SHOULD return the claim only if the type and value of the claim both match exactly for at least one of the elements in the array. Details of the processing rules are defined in Section 6.4.1.
My interpretation is that "point to the same claim" refers to claims with the same path value, since path is the actual pointer to the claim. Would you agree? I think OID4VP 1.1, and potentially errata as well, should clarify what exactly "point to" means in this context.
Following that interpretation, I would assume that the following two entries are duplicates, even though their id and values are different:
claims = [
{ id = 1, path = [ name ], values = [ oliver ] },
{ id = 2, path = [ name ], values = [ colette ] },
{ id = 3, path = [ foo ] },
{ id = 4, path = [ bar ] }
],
claim_sets = [ [ 1, 3 ], [ 2, 4 ] ]
If that is correct, should both duplicate entries be ignored, or only every occurrence after the first one?
More generally, the specification should clarify whether:
- all duplicate claims are to be ignored, or
- only subsequent occurrences after the first are to be ignored.
I am also not sure why this is specified as a SHOULD rather than a MUST. In which situations would it be acceptable, or even necessary, to process duplicate claim queries instead of ignoring them?
@danielfett @c2bo @paulbastian @mickrau @jogu (cc @brentzundel, potentially for 1.1?)
This issue was raised by the European Commission conformance team.
OID4VP says:
OID4VP further says:
My interpretation is that "point to the same claim" refers to claims with the same path value, since path is the actual pointer to the claim. Would you agree? I think OID4VP 1.1, and potentially errata as well, should clarify what exactly "point to" means in this context.
Following that interpretation, I would assume that the following two entries are duplicates, even though their
idandvaluesare different:If that is correct, should both duplicate entries be ignored, or only every occurrence after the first one?
More generally, the specification should clarify whether:
I am also not sure why this is specified as a SHOULD rather than a MUST. In which situations would it be acceptable, or even necessary, to process duplicate claim queries instead of ignoring them?
@danielfett @c2bo @paulbastian @mickrau @jogu (cc @brentzundel, potentially for 1.1?)