decentralized-identity/presentation-exchange

why are there multiple options for limit_disclosure?

Opened this issue · 3 comments

As a basic practice of data minimization, it would seem that when a requester requests particular fields, the provider should only provide those fields. Having different levels of required, preferred, or no limits at all make this privacy property less certain, and it's not clear what additional use cases they support.

I would suggest deprecating this property, and adding a requirement that if fields are listed, then no more than those fields are returned.

Looping in @brentzundel here, because this section is attributed to him. Will also discuss in the upcoming PE meeting.

PE authors understand the concern and generally are in agreement to overhaul the limit_disclosure property in a version 3.0.

The optionality was introduced because in the transition of a full-disclosure to a limited disclosure ecosystem the spec wanted to allow implementers to use PE and not fully fulfill the limit_disclosure option in a transition period.

I think a valid use case for limit_disclosure of preferred is when you optionally have a credential that supports selective disclosure.

E.g. we're now working on adding both an EdDSA and AnonCreds CL signature to a W3C credential. A verifier could support both, but a holder may have only the EdDSA one, or maybe both. The preferred option allows the holder to disclose the least possible. While required would make the EdDSA credential not applicable.
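To make the behaviour discussed in this thread concrete, here is an added example of holder-side selection logic (written for this page; it is not code from the presentation-exchange project or from any commenter). It builds a minimal presentation definition for the three settings (`required`, `preferred`, omitted), evaluates two constructed credentials with the same claims but different proof types, and shows what each setting lets the holder send. Assumptions: the credentials and claim values are made up; only the `$.a.b` dotted subset of JSONPath is implemented; `SD_CAPABLE_PROOF_TYPES` and the label `AnonCredsCL` are illustrative stand-ins for "this proof can derive a presentation with only selected claims" (true of AnonCreds CL signatures, not of a plain EdDSA signature over the whole credential); and the derived presentation simply carries the original `proof` object over as a placeholder where a real wallet would compute a derived proof.

```python
import copy

# Illustrative label for proof types that support selective disclosure; not a
# registered suite name. A plain Ed25519 signature covers the whole credential
# and therefore cannot drop claims.
SD_CAPABLE_PROOF_TYPES = {"AnonCredsCL"}

# Constructed sample credentials; claim values are made up.
_SUBJECT = {
    "given_name": "Ada",
    "family_name": "Lovelace",
    "birthdate": "1815-12-10",
    "address": "12 Example Street",
}
CREDENTIALS = [
    {"id": "cred-eddsa", "type": ["VerifiableCredential", "DriverLicence"],
     "credentialSubject": dict(_SUBJECT), "proof": {"type": "Ed25519Signature2020"}},
    {"id": "cred-anoncreds", "type": ["VerifiableCredential", "DriverLicence"],
     "credentialSubject": dict(_SUBJECT), "proof": {"type": "AnonCredsCL"}},
]


def presentation_definition(limit_disclosure):
    """Minimal PE definition asking for two claims. `limit_disclosure` is
    "required", "preferred" or None (property omitted from the constraints)."""
    constraints = {"fields": [{"path": ["$.credentialSubject.given_name"]},
                              {"path": ["$.credentialSubject.birthdate"]}]}
    if limit_disclosure is not None:
        constraints["limit_disclosure"] = limit_disclosure
    return {"id": "pd-1",
            "input_descriptors": [{"id": "licence", "constraints": constraints}]}


def get_path(obj, path):
    """Resolve a '$.a.b' path (dotted JSONPath subset only). Returns (found, value)."""
    if not path.startswith("$."):
        raise ValueError(f"unsupported path: {path}")
    cur = obj
    for part in path[2:].split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False, None
        cur = cur[part]
    return True, cur


def set_path(obj, path, value):
    """Write `value` at a '$.a.b' path, creating intermediate objects."""
    parts = path[2:].split(".")
    cur = obj
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def can_selectively_disclose(cred):
    return cred.get("proof", {}).get("type") in SD_CAPABLE_PROOF_TYPES


def evaluate_descriptor(descriptor, cred):
    """Decide whether `cred` satisfies `descriptor` and what the holder would send.
    Policy of this example: a holder that can selectively disclose always sends only
    the requested fields; limit_disclosure only decides whether a credential that
    cannot minimise is still acceptable."""
    constraints = descriptor.get("constraints", {})
    mode = constraints.get("limit_disclosure")
    resolved = []
    for field in constraints.get("fields", []):
        for candidate in field["path"]:  # first path that resolves satisfies the field
            ok, value = get_path(cred, candidate)
            if ok:
                resolved.append((candidate, value))
                break
        else:
            return {"credential": cred["id"], "applicable": False,
                    "reason": f"no value at any of {field['path']}"}
    if can_selectively_disclose(cred):
        # Placeholder: a real wallet derives a new proof over the selected claims.
        derived = {"id": cred["id"], "type": cred["type"], "proof": cred["proof"]}
        for path, value in resolved:
            set_path(derived, path, value)
        return {"credential": cred["id"], "applicable": True,
                "minimized": True, "disclosed": derived}
    if mode == "required":
        return {"credential": cred["id"], "applicable": False,
                "reason": "limit_disclosure=required but the proof cannot selectively disclose"}
    # "preferred" or omitted: the whole credential goes over the wire, including
    # claims (family_name, address) the verifier never asked for.
    return {"credential": cred["id"], "applicable": True,
            "minimized": False, "disclosed": copy.deepcopy(cred)}


def evaluate(pd, credentials):
    return {d["id"]: [evaluate_descriptor(d, c) for c in credentials]
            for d in pd["input_descriptors"]}


def disclosed_claims(result):
    """Sorted names of the subject claims actually revealed by one result."""
    if not result.get("applicable"):
        return []
    return sorted(result["disclosed"]["credentialSubject"])


if __name__ == "__main__":
    for mode in ("required", "preferred", None):
        for r in evaluate(presentation_definition(mode), CREDENTIALS)["licence"]:
            print(mode, r["credential"], r["applicable"], disclosed_claims(r))
```

Running it shows the trade-off from the comment above: with `required` the EdDSA credential is not applicable at all, with `preferred` (or the property omitted) it is applicable but over-discloses `family_name` and `address`, while the AnonCreds credential reveals only the two requested claims under every setting.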