Claim certificate depending on parameter


#1

Hello,
I’m trying to implement an agent that can issue a claim certificate that would be based on a parameter supplied by the requester. So I started from the ACME example, and something must happen somewhere in the Acme code between those two commands:
Alice> send claim Job-Application to Acme [Alice can pass some parameter to Acme]
Alice> request claim Job Certificat [Acme responds with a certificate]

As an example of claim depending on a parameter, suppose for instance the following example:

  1. Alice sends a claim to use 3 days of vacation.
  2. Acme must check the balance and vacation days left, and only then can send an “approve” certificate.

Where would be the best place 1) to verify the parameter supplied by Alice (enough vacation days left) and 2) to create the claim that depends on the parameter (approved days off)?

Somehow, it seems that this would be in
@abstractmethod def _addAtrribute(self, schemaKey, proverId, link) -> Dict[str, Any]:
but this function is not passed the parameter supplied by Alice.

Any tip?

Thanks!


#2

One way of accomplishing it is that

  1. Acme provides an invitation file with a proof request asking for days of leave along with leave balance.
  2. Alice accepts invitation.
  3. Acme responds with available claim Leave-Balance.
  4. Alice requests a claim Leave-Balance from Acme.
  5. Alice sets an attribute using the set <attr-name> <attr-value> command. This is the step where the user sets the extra data to send. This attribute name should be the same as the one asked for by the verifier (Acme) in the proof request inside the invitation file.
  6. Alice generates a proof with the already available leave balance claim and the self attested attribute set with the set command, and sends the proof to Acme. Generating the proof and sending it to Acme can be done via send proof Leave-Application to Acme.

You may choose to ignore steps #3 and #4, and Alice can simply set the self attested attribute, generate a proof and send it. In that case you need to generate the proof request in the invitation file without the leave balance attribute.

Note: We have changed send claim command to send proof. When we receive something, attesting to our information, from someone we call it a Claim, when we generate a verifiable value out of Claim, we call it a proof which we can send.

For details in code, you can follow _setAttr, _sendProof methods in cli.py.
To add claims, check faber.py. To add proof request in invitation file check acme-job-application.sovrin along with how it is mapped on agent side in acme.py.

Please let me know if you need more details regarding code.


#3

Thanks @khagesh. What you describe is what I have already done in fact. The Faber and Acme examples were very helpful. Apologies for not being clear enough in my initial request.

Where I’m stuck is what comes after. Acme receives a Leave-Application from Alice. At that point, Acme needs to check that the number of days requested by Alice is less than the balance (which Acme can maintain in its database). Only then can Acme send a response (signed by Acme) back with Approve or Decline for Alice with another party if needed. But where should that check be implemented in the Acme agent code?


#4

I’m starting to wonder if it’s possible at all to do what I want. I’ve been going through the code that corresponds to send proof. As I understand it, this is where Alice would send information to Acme. To build Alice’s message to Acme, a call to sendProofAsync is made. In this function only proofRequest.verifiableAttributes is used, so it seems that self-asserted attributes are not sent. Did I miss something?


#5

Hi Fabien - I’ll ping Khagesh to get an answer for you. Andy


#6

Hi @khagesh. Any thoughts?


#7

@fabienpe Really sorry for the late reply. In this case Acme can send another claim (Approved Leave) back to Alice, once it verifies the Proof for Leave-Balance. An example of this behaviour is in sovrin_client/test/agent/acme.py, method postClaimVerif. I will be available in the Sovrin Slack channel. Hit me up for live chat if you need more detail.
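
An added illustration, not part of the thread and not sovrin_client code: the approval decision Acme could run once the proof has verified, for instance from a hook such as the postClaimVerif method mentioned above. Every name (`decide_leave`, `LEAVE_BALANCES`, `days_requested`, the link identifier) is hypothetical; the point is that the self attested value is validated as untrusted input and the balance is read from Acme's own records.

```python
# Added example; every name here is hypothetical, not the sovrin_client API.
from dataclasses import dataclass

# Constructed sample data: Acme's own leave ledger, keyed by the identifier
# Acme holds for the prover. It is never read from the prover's message.
LEAVE_BALANCES = {"alice-link-id": 5}
MAX_DAYS_PER_REQUEST = 30


@dataclass(frozen=True)
class Decision:
    approved: bool
    reason: str
    claim_attrs: dict  # attributes for the claim Acme would issue back


def _decline(reason):
    return Decision(False, reason, {"status": "Declined"})


def decide_leave(prover_id, proof_verified, self_attested):
    """Decide on a leave application once the proof has been checked."""
    if not proof_verified:
        return _decline("proof did not verify")
    if prover_id not in LEAVE_BALANCES:
        return _decline("unknown prover")
    raw = self_attested.get("days_requested")
    # Self attested values are unauthenticated input: accept 1-3 ASCII digits only.
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit() and len(raw) <= 3):
        return _decline("days_requested is not a small positive integer")
    days = int(raw)
    if not 1 <= days <= MAX_DAYS_PER_REQUEST:
        return _decline("days_requested out of range")
    balance = LEAVE_BALANCES[prover_id]
    if days > balance:
        return _decline("insufficient balance")
    LEAVE_BALANCES[prover_id] = balance - days  # debit Acme's ledger
    return Decision(True, "approved", {
        "status": "Approved",
        "days_approved": str(days),
        "balance_after": str(balance - days),
    })
```

A balance supplied by the prover as a self attested attribute is ignored here; only a value from Acme's ledger (or from a verifiable claim Acme itself issued) feeds the comparison.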


#8

@khagesh I’ve noticed an update in the code which, I assume, aims to address the above-mentioned issue (Send self attested attributes in proof (#104)).

But I think there is still a problem. Indeed if you do, for instance:

  1. show proof request Job-Application
  2. set first_name to Alice
  3. show proof request Job-Application
  4. send proof Job-Application to Acme Corp

Then, in sendProofAsync, the variable revealAttrs, after the update, does include the first_name which you can then pick-up in verifyProof on the agent side. That’s OK.

However, if you skip step 3., then this self-asserted attribute is not sent.


#9

Here is another issue I believe. This is in sovrin_client.cli.cli.SovrinCli._fulfillProofRequestByContext. If filteredMatchingClaims is empty then the assignment below for self attested attributes (attributesWithValue[k] = c.selfAttestedAttrs.get(k, defaultValue)) is never executed. This can happen if the proof request does not need any verifiableAttributes but just self attested value.
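
A simplified model of the condition described in the post above, added here as an illustration; it is not the sovrin_client code, and the function and parameter names are hypothetical. It shows why filling self attested values only inside the loop over matching claims drops them when the proof request needs no verifiable attributes, next to a variant that fills them independently of that loop.

```python
# Added example: a model of the reported control flow, with hypothetical names.

def fulfill_in_claim_loop(requested, matching_claims, self_attested, default=""):
    """Reported pattern: self attested values are assigned only while
    iterating over the matching claims."""
    attrs = {k: default for k in requested}
    for claim_attrs in matching_claims:
        for k in requested:
            if k in claim_attrs:
                attrs[k] = claim_attrs[k]
            elif attrs[k] == default:
                attrs[k] = self_attested.get(k, default)
    return attrs


def fulfill_independently(requested, matching_claims, self_attested, default=""):
    """Variant: self attested values are filled first, then values from
    issued claims take precedence where a claim carries the attribute."""
    attrs = {k: self_attested.get(k, default) for k in requested}
    for claim_attrs in matching_claims:
        for k in requested:
            if k in claim_attrs:
                attrs[k] = claim_attrs[k]
    return attrs


# Constructed inputs: a proof request with one attribute the prover set by hand.
REQUESTED = ["first_name", "days_requested"]
SELF_ATTESTED = {"days_requested": "3"}


def demo():
    no_claims = []                          # request needs no verifiable attributes
    one_claim = [{"first_name": "Alice"}]   # one issued claim matches
    return (
        fulfill_in_claim_loop(REQUESTED, no_claims, SELF_ATTESTED),
        fulfill_independently(REQUESTED, no_claims, SELF_ATTESTED),
        fulfill_in_claim_loop(REQUESTED, one_claim, SELF_ATTESTED),
        fulfill_independently(REQUESTED, one_claim, SELF_ATTESTED),
    )
```

On the verifier side, an attribute that arrives empty for this reason should be handled as missing rather than as a valid value.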


#10

Hi Fabien - I’ll give the guys a reminder to look at this for you.