Open edchapman88 opened 1 year ago
A look at the existing ssi
credential proof/verification code:
Credential
s include Proof
s
Proof
must have the field type_:String
populatedproof_value
field is of type Option<String>
Credential
's are verified with the .verify()
method - though this is marked with a TODO to be factored out of the Credential
api
.verify()
on the Proof
(s) in the credentialProof.verify()
calls LinkedDataProofs::verify()
which uses a function to parse the type_
field on the proof.This function is a problem because it prevents us from adding a new proof type.
&dyn ProofSuite
which could potentially be implemented for an RSS proof.LinkedDataProofs::verify()
function uses the verify method on ProofSuite
(which would work if ProofSuite
was implemented for RSS).Suggestion:
ProofSuite
for RSSTrustchainAPI::verify_credential
function to factor out 'to-be-removed' Credential.verify()
, the new implementation should:
type_
field of the proofs on the credential:RSS.verify(proof)
(where RSS implements ProofSuite
).verify()
on the proof which will use the existing proof suite selection fucntion and support all of the existing proofs.TrustchainAPI::verify_presentation()
function already calls TrustchainAPI::verify_credential()
on each of the credentials which will work with RSS proofs without amendment.Additional notes:
.verify()
method on Presentation
that is not used in our TrustchainAPI::verify_presentation()
implementation. It is marked as 'to be factored out of VC and VP' along with the Credential.verify()
as mentioned above.Update:
Credential
struct for redactable VC's because it contains unordered HashMap
s.BTreeMap
s in place of the HashMap
s) is the previously developed CanonicalFlatten
macro can be derived on any new "crate-local" typesFlatten
trait to manually implement the behaviour and api of CanonicalFlatten
without encountering the orphan rule.Additional requirements:
trustchain-http
to issue RSS specific credentials
56-http-verifier-rss
with route "vc_rss/issuer/:id"
, which uses the same dummy RSS key pair to sign all credentialsTrustchainRSSPublicKeys
service.Presentation.generate_proof()
errors due to linked data checks on both the fields in credential_subject
and the proof.type_ field
.degree
>type
field is not redacted to "null", which fails the linked data check; and if the proof.type
is hacked to be "EcdsaSecp256k1Signature2019" instead of "RSSSignature".TrustchainAPI::verifyPresentation
to skip the check on the (non-existent) holder's proof in the RSS case.
type
field on the credential embedded within the presentation.type
could perhaps be set to [ 'VerifiableCredential', 'RSSCredential' ]
when the credential is created (and crucially before the issuer signs the credential).proof.type
field is used by the verifier to branch on the RSS case, because this field is not signed by the issuers proof).A frozen version of the end of hack week demo of this feature-limited RSS integration is documented here.
Development of a new version, building with a fork of ssi, has started on 115-selective-disclosure-ssi-update
.
115-selective-disclosure
branch remains open, with unsuccessful attempts at using JWS signatures to authenticate RSS presentations (the solution is not reliable, because the ssi implementation for jws-encoding presentations is non-deterministic due to the use of unordered HashMap
s).