Open jchartrand opened 1 day ago
And now I can't reproduce it - now it shows an error when I tamper with the credential. But, the error it shows is generic and it no longer says it has been tampered with, and doesn't show any of the other checks:
This is so bizarre. Using the credential above, if I change the top level 'name' property in the VC ("name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop") - changing the 'C' in Chartrand to an 'S' then it incorrectly shows as verified, i.e, it doesn't detect the tampering. If, though, using the same credential, I instead change the credentialSubject.name, again changing the 'C' in Chartrand to an 'S' then it does show an error.
Same thing happens in the LCW, as you can see here where I've changed my last name in the credential title (changed the C to an S):
Update:
The problem seems to have something to do with the non-url id at the top level of the VC. The following two VCs are identical except that the second has 'urn:uuid' prefixing the top level id. It is only the first VC - without the 'urn:uuid' - that incorrectly shows the VC as verified when the top level name property is tampered with.
Passes verification even after tampering (no urn:uuid prefixing the top level 'id'):
{
"type": [
"VerifiableCredential",
"OpenBadgeCredential"
],
"name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop",
"issuer": {
"url": "https://www.jwel.mit.edu/",
"type": "Profile",
"name": "MIT Jameel World Education Lab",
"image": {
"id": "https://raw.githubusercontent.com/camilamassa/UCVtest/e59b713594cd79cf8fd2bcc96d034ab388d005a8/LongBannerLogoNoMIT.png",
"type": "Image"
},
"id": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q"
},
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://purl.imsglobal.org/spec/ob/v3p0/context-3.0.1.json",
{
"renderMethod": "urn:uuid:b2ab3546-228a-47a8-b97a-9a5646007c53",
"css3MediaQuery": "urn:uuid:c4c53282-e8e2-4914-83d8-566e25d2f899",
"digestMultibase": "urn:uuid:caef1a4e-67b8-4dfc-9881-2b51da7edc1b"
},
"https://w3id.org/vc/status-list/2021/v1",
"https://w3id.org/security/suites/ed25519-2020/v1"
],
"renderMethod": [
{
"id": "https://raw.githubusercontent.com/camilamassa/UCVtest/main/test%202.html",
"type": "SvgRenderingTemplate2023",
"name": "PDF Display",
"css3MediaQuery": "@media (orientation: portrait)"
}
],
"credentialSubject": {
"type": [
"AchievementSubject"
],
"name": "James Chartrand",
"achievement": {
"id": "urn:uuid:951b475e-b795-43bc-ba8f-a2d01efd2eb1",
"type": [
"Achievement"
],
"name": "Certificate of Completion of “Three Steps for an Entrepreneurial Mindset” Workshop",
"criteria": {
"type": "Criteria",
"narrative": "This certifies the completion of the “Three Steps for an Entrepreneurial Mindset” Workshop at Universidad César Vallejo. This program comprised 25 hours of activities from March 20 - 22, 2024."
},
"description": "MIT Jameel World Education Lab Certificate of Completion",
"fieldOfStudy": "Three Steps for an Entrepreneurial Mindset” Workshop",
"achievementType": "Certificate of Completion"
},
"id": "did:key:z6Mkf3PfuXaHjNzUbqYpTomBC4EgdLd5dTkA6czW29NoMveC"
},
"id": "669674646789dd1f426d9f80",
"credentialStatus": {
"id": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7#117",
"type": "StatusList2021Entry",
"statusPurpose": "revocation",
"statusListIndex": "117",
"statusListCredential": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7"
},
"issuanceDate": "2024-07-16T13:32:17Z",
"proof": {
"type": "Ed25519Signature2020",
"created": "2024-09-20T18:07:12Z",
"verificationMethod": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q#z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q",
"proofPurpose": "assertionMethod",
"proofValue": "z46wvcKbu8pcW9VtfiVeUEd23J2sAkj1Ld7Jbs15n9Q9vpVzE9y8pwrcRXq3rwdW7abwCdH3tbYnx5etNVzeWnJZd"
}
}
Fails verification after tampering (urn:uuid prefixes the top level 'id'):
{
"type": [
"VerifiableCredential",
"OpenBadgeCredential"
],
"name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop",
"issuer": {
"url": "https://www.jwel.mit.edu/",
"type": "Profile",
"name": "MIT Jameel World Education Lab",
"image": {
"id": "https://raw.githubusercontent.com/camilamassa/UCVtest/e59b713594cd79cf8fd2bcc96d034ab388d005a8/LongBannerLogoNoMIT.png",
"type": "Image"
},
"id": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q"
},
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://purl.imsglobal.org/spec/ob/v3p0/context-3.0.1.json",
{
"renderMethod": "urn:uuid:b2ab3546-228a-47a8-b97a-9a5646007c53",
"css3MediaQuery": "urn:uuid:c4c53282-e8e2-4914-83d8-566e25d2f899",
"digestMultibase": "urn:uuid:caef1a4e-67b8-4dfc-9881-2b51da7edc1b"
},
"https://w3id.org/vc/status-list/2021/v1",
"https://w3id.org/security/suites/ed25519-2020/v1"
],
"renderMethod": [
{
"id": "https://raw.githubusercontent.com/camilamassa/UCVtest/main/test%202.html",
"type": "SvgRenderingTemplate2023",
"name": "PDF Display",
"css3MediaQuery": "@media (orientation: portrait)"
}
],
"credentialSubject": {
"type": [
"AchievementSubject"
],
"name": "James Chartrand",
"achievement": {
"id": "urn:uuid:951b475e-b795-43bc-ba8f-a2d01efd2eb1",
"type": [
"Achievement"
],
"name": "Certificate of Completion of “Three Steps for an Entrepreneurial Mindset” Workshop",
"criteria": {
"type": "Criteria",
"narrative": "This certifies the completion of the “Three Steps for an Entrepreneurial Mindset” Workshop at Universidad César Vallejo. This program comprised 25 hours of activities from March 20 - 22, 2024."
},
"description": "MIT Jameel World Education Lab Certificate of Completion",
"fieldOfStudy": "Three Steps for an Entrepreneurial Mindset” Workshop",
"achievementType": "Certificate of Completion"
},
"id": "did:key:z6Mkf3PfuXaHjNzUbqYpTomBC4EgdLd5dTkA6czW29NoMveC"
},
"id": "urn:uuid:669674646789dd1f426d9f80",
"credentialStatus": {
"id": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7#117",
"type": "StatusList2021Entry",
"statusPurpose": "revocation",
"statusListIndex": "117",
"statusListCredential": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7"
},
"issuanceDate": "2024-07-16T13:32:17Z",
"proof": {
"type": "Ed25519Signature2020",
"created": "2024-09-20T18:19:11Z",
"verificationMethod": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q#z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q",
"proofPurpose": "assertionMethod",
"proofValue": "z5tWC8PJw4GPGKWztaZ7fhJJrgFPgUUJHAAZ4vzWorxLjk96iP3C2z5DVYo1NVSG64HJCFoSHNLQCmcCpxXg6iTnQ"
}
}
This is only a problem with pre-VC2 libraries. The latest VC libs (which support VC2 and BitstringStatusList) don't allow a non-uri id at all, so the verification will always fail.
If I remove characters from the json of a valid verifiable credential and then try to verify in V+ it still shows as valid.
Here is a valid VC that correctly validates. But, remove any character, say from the top level 'name', and paste the json into V+ and it will still show as valid: