There has been much criticism of phone home lately, with the prominent target of criticism being the mDL 18013-5 specification. The accusation is that it represents a way to do latent surveillance - https://kimdhamilton.com/latent_surveillance/ and this has garnered a movement advocating against phone home: https://nophonehome.com
Now the open badge specification actually requires phone home, and I think this should be changed. See step 3 of https://www.imsglobal.org/spec/ob/v3p0/#verification
3. Refresh the OpenBadgeCredential:
If the refreshService property is present, and the type of the RefreshService object is "1EdTechCredentialRefresh", refresh the OpenBadgeCredential as shown in 1EdTech Credential Refresh Service and then repeat steps 1 and 2. If the refresh is not successful, continue the verification process using the original OpenBadgeCredential.
As a reminder, a refreshService entry in the credential looks like this:
"refreshService": [{
  "id": "https://example.edu/refresh/3732",
  "type": "1EdTechCredentialRefresh"
}],
As you can see, the credential is id'd and will be able to be traced by the issuer.
On Velocity Network, we will not implement this part of the spec and instead will require issuers to revoke and put the responsibility of refreshing on the wallets. I think putting something similar into the spec will be a hugely important upgrade to the privacy surrounding open badges.
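
An added example, not part of the original issue or of any project's code: a verifier-side check that lists the issuer URLs the refresh step quoted above would contact and, under a no-refresh policy, skips them and continues with the original credential. The function names and the `allow_refresh` flag are hypothetical, and the sample credential is constructed from the refreshService entry quoted in the issue.

```python
import json
from urllib.parse import urlsplit

REFRESH_TYPE = "1EdTechCredentialRefresh"

def _as_list(value):
    """JSON-LD allows a single value or an array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def phone_home_endpoints(credential):
    """Return the issuer URLs that verification step 3 would contact."""
    found = []
    for entry in _as_list(credential.get("refreshService")):
        if not isinstance(entry, dict):
            continue
        if REFRESH_TYPE not in _as_list(entry.get("type")):
            continue
        url = entry.get("id")
        if not isinstance(url, str):
            continue
        parts = urlsplit(url)
        found.append({
            "url": url,
            "issuer_host": parts.hostname,
            # A non-empty path or query lets the issuer tell credentials apart.
            "credential_specific": bool(parts.path.strip("/") or parts.query),
        })
    return found

def plan_verification(credential, allow_refresh=False):
    """Decide whether to run the refresh step; the default never contacts the issuer."""
    endpoints = phone_home_endpoints(credential)
    return {
        "refresh": bool(endpoints) and allow_refresh,
        "skipped_endpoints": [] if allow_refresh else endpoints,
    }

# Constructed sample credential using the refreshService entry quoted in the issue.
SAMPLE = json.loads("""{
  "type": ["VerifiableCredential", "OpenBadgeCredential"],
  "refreshService": [{"id": "https://example.edu/refresh/3732",
                      "type": "1EdTechCredentialRefresh"}]
}""")

if __name__ == "__main__":
    print(json.dumps(plan_verification(SAMPLE), indent=2))
```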