decentralized-identity / interoperability

The archive and information hub for the cross-community interoperability project. Focus is on education and familiarity for various efforts across multiple groups for interoperable decentralized identity infrastructure.
https://identity.foundation/interop/
Apache License 2.0

Define Verification for VP #22

Closed OR13 closed 3 years ago

OR13 commented 4 years ago

I still think we really need to demonstrate DID Auth, but do we really need DID Auth if we are using verifiable presentations?

Sure, I can get a verifiable credential for a given DID, but won't the presentation be impossible to create unless I control signing keys linked to the verifiable credential subject/holder?

I think the crux of this issue is that while verifying a JWS or JSON-LD Signature is a clearly defined process, verifying a VC or VP is defined by:

https://www.w3.org/TR/vc-data-model/#dfn-verify

What does it mean for me to create a VP of a VC membership credential issued to @christianlundkvist to the DIF verification service? Should that service only accept VPs that are signed by the subject of the VC they wrap?

There are 2 signatures here... and they can come from the same or different DIDs...

We need to define what verification means for VPs of the format:

https://jwt.io/#debugger-io?token=eyJhbGciOiJFUzI1NksiLCJ0eXAiOiJKV1QiLCJraWQiOiJkaWQ6ZWxlbTplVVJTRkVFdjZKN3MzVEotamhUX1pTNHVHUnlDRGJ3YzM0N0VXbHFwTmd3I2tleS1IZ0duSFVOVG5JUTdtSWZTbEc0VmhIc0RHTnZwb09DT3JTOWdkZUhFNFVzIn0.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.asTnrgdyWYOuLxAMYNtKBpEFWjm2Ih0yI7nfxCrM-Sx56-9Xgcge2w-QNzECcijbWbwnPAiycM78W6ODi0lhXg

In particular, how are the VC and VP issuers related, or not?

OR13 commented 4 years ago

This is essentially a request to define what the hypothetical verifier will do in our issuer, holder, verifier ed tech web demo...

I suggest, for starters, the verifier only accept VPs made by the subject described in the VC, and that they just check that the signatures are valid, and the credential type is expected.
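The verifier policy suggested in the comment above, sketched as an added example (not code from this thread or from the DIF project). It assumes the JWT encoding from the VC data model (`iss`, `sub`, `vc`, `vp` claims) and that `kid` is a DID URL under the signer's DID; `verify_sig` is a hypothetical hook for DID resolution plus ES256K verification, and `make_jws` and `stub_verify` exist only to build constructed sample tokens.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jws(token: str):
    """Split a compact JWS into (header, payload, signing_input, signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), f"{h}.{p}".encode(), b64url_decode(s)

def check_jws(token: str, verify_sig, label: str, errors: list) -> dict:
    """Check the signature, and that the signing key (kid) belongs to the iss DID."""
    header, payload, signing_input, sig = decode_jws(token)
    kid = header.get("kid", "")
    if kid.split("#")[0] != payload.get("iss"):  # assumption: kid is a DID URL of iss
        errors.append(f"{label}: kid is not a key of iss")
    elif not verify_sig(kid, signing_input, sig):
        errors.append(f"{label}: bad signature")
    return payload

def verify_vp(vp_jwt: str, expected_type: str, verify_sig) -> list:
    """Return the list of policy violations; an empty list means the VP is accepted."""
    errors = []
    vp = check_jws(vp_jwt, verify_sig, "VP", errors)  # outer signature: the holder
    credentials = vp.get("vp", {}).get("verifiableCredential", [])
    if not credentials:
        errors.append("VP: no credentials")
    for i, vc_jwt in enumerate(credentials):
        vc = check_jws(vc_jwt, verify_sig, f"VC[{i}]", errors)  # inner signature: the issuer
        body = vc.get("vc", {})
        subject = vc.get("sub") or body.get("credentialSubject", {}).get("id")
        if subject != vp.get("iss"):  # only the VC subject may present it
            errors.append(f"VC[{i}]: subject is not the VP signer")
        if expected_type not in body.get("type", []):
            errors.append(f"VC[{i}]: unexpected type")
    return errors

# Constructed sample helpers: build unsigned test tokens with a placeholder signature.
def make_jws(iss: str, claims: dict, sig: bytes = b"valid") -> str:
    header = {"alg": "ES256K", "typ": "JWT", "kid": iss + "#key-1"}
    parts = [json.dumps(header).encode(), json.dumps({"iss": iss, **claims}).encode(), sig]
    return ".".join(base64.urlsafe_b64encode(x).rstrip(b"=").decode() for x in parts)

def stub_verify(kid, signing_input, sig):  # stand-in for DID resolution + ES256K verify
    return sig == b"valid"
```

A VP signed by a DID other than the credential subject comes back with `VC[0]: subject is not the VP signer` even when both signatures are valid, which is the case the two-signature question in the thread turns on.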