bcgov / trustdidweb

Trust DID Web (did:tdw)
https://bcgov.github.io/trustdidweb/
Apache License 2.0

Should VCs signed by a verification method that is no longer in a DID Document still verify? #16

Closed brianorwhatever closed 3 months ago

brianorwhatever commented 3 months ago

The two mental models we need to determine between:

  1. A verification method that is removed from a DID document invalidates a VC signed with it
  2. A verification method can be resolved from a previous version of a DID Document to verify a VC signed with it

brianorwhatever commented 3 months ago

https://www.w3.org/TR/did-core/#verification-method-revocation

swcurran commented 3 months ago

The answer is up to the verifier and their decision is supported by the DID method we are contemplating.

Because a full history of the DIDDoc is available, the verifier will be able to find the key used to sign the VC in the DIDDoc history. Alternatively, the verifier could decide to only use the keys in the current version of the DIDDoc, and in that case, they could not verify the VC.
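
The two verifier policies discussed in this thread, sketched as an added example (not part of the issue and not code from the trustdidweb project). The history layout, the `did:example` identifiers, the key values, the policy names and the `signed_at` parameter are all assumptions constructed for illustration; signature verification itself is out of scope.

```python
from datetime import datetime

KEY1 = {"id": "did:example:123#key-1", "publicKeyMultibase": "zCONSTRUCTED-KEY-1"}
KEY2 = {"id": "did:example:123#key-2", "publicKeyMultibase": "zCONSTRUCTED-KEY-2"}

# Constructed DIDDoc history, oldest first. The field layout is an assumption
# made for this example, not the did:tdw log format. key-1 is removed in v3.
HISTORY = [
    {"versionId": 1, "versionTime": "2024-01-01T00:00:00Z", "verificationMethod": [KEY1]},
    {"versionId": 2, "versionTime": "2024-03-01T00:00:00Z", "verificationMethod": [KEY1, KEY2]},
    {"versionId": 3, "versionTime": "2024-06-01T00:00:00Z", "verificationMethod": [KEY2]},
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _lookup(doc, vm_id):
    return next((vm for vm in doc["verificationMethod"] if vm["id"] == vm_id), None)


def resolve_signing_key(history, vm_id, policy, signed_at=None):
    """Return the verification method this verifier accepts, or None."""
    if not history:
        return None
    if policy == "current-only":
        # Model 1: a method removed from the current DIDDoc is not accepted.
        return _lookup(history[-1], vm_id)
    if policy != "historical":
        raise ValueError(f"unknown policy: {policy}")
    if signed_at is None:
        # Model 2, loosest form: accept the key if any version ever listed it.
        for doc in reversed(history):
            vm = _lookup(doc, vm_id)
            if vm:
                return vm
        return None
    # Model 2, stricter form (assumption): the key must be in the version that
    # was in effect at signed_at. signed_at comes from the VC and is asserted by
    # the signer, so it is only as trustworthy as the key being checked.
    in_effect = [doc for doc in history if _ts(doc["versionTime"]) <= _ts(signed_at)]
    return _lookup(in_effect[-1], vm_id) if in_effect else None
```
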