digitalcredentials / web-verifier-plus

VerifierPlus allows users to verify any supported digital academic credential
https://verifierplus.org
MIT License

production V+ shows tampered credentials as valid #135

Open jchartrand opened 1 day ago

jchartrand commented 1 day ago

If I remove characters from the json of a valid verifiable credential and then try to verify in V+ it still shows as valid.

Here is a valid VC that correctly validates. But, remove any character, say from the top level 'name', and paste the json into V+ and it will still show as valid:

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1"
  ],
  "type": [
    "VerifiablePresentation"
  ],
  "verifiableCredential": [
    {
      "type": [
        "VerifiableCredential",
        "OpenBadgeCredential"
      ],
      "name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop",
      "issuer": {
        "url": "https://www.jwel.mit.edu/",
        "type": "Profile",
        "name": "MIT Jameel World Education Lab",
        "image": {
          "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/e59b713594cd79cf8fd2bcc96d034ab388d005a8/LongBannerLogoNoMIT.png",
          "type": "Image"
        },
        "id": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q"
      },
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://purl.imsglobal.org/spec/ob/v3p0/context-3.0.1.json",
        {
          "renderMethod": "urn:uuid:b2ab3546-228a-47a8-b97a-9a5646007c53",
          "css3MediaQuery": "urn:uuid:c4c53282-e8e2-4914-83d8-566e25d2f899",
          "digestMultibase": "urn:uuid:caef1a4e-67b8-4dfc-9881-2b51da7edc1b"
        },
        "https://w3id.org/vc/status-list/2021/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
      ],
      "renderMethod": [
        {
          "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/main/test%202.html",
          "type": "SvgRenderingTemplate2023",
          "name": "PDF Display",
          "css3MediaQuery": "@media (orientation: portrait)"
        }
      ],
      "credentialSubject": {
        "type": [
          "AchievementSubject"
        ],
        "name": "James Chartrand",
        "achievement": {
          "id": "urn:uuid:951b475e-b795-43bc-ba8f-a2d01efd2eb1",
          "type": [
            "Achievement"
          ],
          "name": "Certificate of Completion of “Three Steps for an Entrepreneurial Mindset” Workshop",
          "criteria": {
            "type": "Criteria",
            "narrative": "This certifies the completion of the “Three Steps for an Entrepreneurial Mindset” Workshop at Universidad César Vallejo. This program comprised 25 hours of activities from March 20 - 22, 2024."
          },
          "description": "MIT Jameel World Education Lab Certificate of Completion",
          "fieldOfStudy": "Three Steps for an Entrepreneurial Mindset” Workshop",
          "achievementType": "Certificate of Completion"
        },
        "id": "did:key:z6Mkf3PfuXaHjNzUbqYpTomBC4EgdLd5dTkA6czW29NoMveC"
      },
      "id": "669674646789dd1f426d9f80",
      "credentialStatus": {
        "id": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7#117",
        "type": "StatusList2021Entry",
        "statusPurpose": "revocation",
        "statusListIndex": "117",
        "statusListCredential": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7"
      },
      "issuanceDate": "2024-07-16T13:32:17Z",
      "proof": {
        "type": "Ed25519Signature2020",
        "created": "2024-07-16T13:32:17Z",
        "verificationMethod": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q#z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q",
        "proofPurpose": "assertionMethod",
        "proofValue": "z5XgUpmW48Xf3KVAFjkxvLZgmPbDiLbH3G23RoMXVQ4yc8Xh7oijawaFWARHH9yeGD2w8pEfssj7xhmptEKHMbfhF"
      }
    }
  ]
}

jchartrand commented 9 hours ago

And now I can't reproduce it - now it shows an error when I tamper with the credential. But, the error it shows is generic and it no longer says it has been tampered with, and doesn't show any of the other checks: [image]

jchartrand commented 8 hours ago

This is so bizarre. Using the credential above, if I change the top level 'name' property in the VC ("name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop") - changing the 'C' in Chartrand to an 'S' - then it incorrectly shows as verified, i.e., it doesn't detect the tampering. If, though, using the same credential, I instead change the credentialSubject.name, again changing the 'C' in Chartrand to an 'S', then it does show an error.

jchartrand commented 7 hours ago

Same thing happens in the LCW, as you can see here where I've changed my last name in the credential title (changed the C to an S): [Screenshot 2024-09-20 at 10 36 55 AM]

jchartrand commented 3 hours ago

Update:

The problem seems to have something to do with the non-url id at the top level of the VC. The following two VCs are identical except that the second has 'urn:uuid' prefixing the top level id. It is only the first VC - without the 'urn:uuid' - that incorrectly shows the VC as verified when the top level name property is tampered with.

Passes verification even after tampering (no urn:uuid prefixing the top level 'id'):

{
    "type": [
        "VerifiableCredential",
        "OpenBadgeCredential"
    ],
    "name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop",
    "issuer": {
        "url": "https://www.jwel.mit.edu/",
        "type": "Profile",
        "name": "MIT Jameel World Education Lab",
        "image": {
            "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/e59b713594cd79cf8fd2bcc96d034ab388d005a8/LongBannerLogoNoMIT.png",
            "type": "Image"
        },
        "id": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q"
    },
    "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://purl.imsglobal.org/spec/ob/v3p0/context-3.0.1.json",
        {
            "renderMethod": "urn:uuid:b2ab3546-228a-47a8-b97a-9a5646007c53",
            "css3MediaQuery": "urn:uuid:c4c53282-e8e2-4914-83d8-566e25d2f899",
            "digestMultibase": "urn:uuid:caef1a4e-67b8-4dfc-9881-2b51da7edc1b"
        },
        "https://w3id.org/vc/status-list/2021/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "renderMethod": [
        {
            "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/main/test%202.html",
            "type": "SvgRenderingTemplate2023",
            "name": "PDF Display",
            "css3MediaQuery": "@media (orientation: portrait)"
        }
    ],
    "credentialSubject": {
        "type": [
            "AchievementSubject"
        ],
        "name": "James Chartrand",
        "achievement": {
            "id": "urn:uuid:951b475e-b795-43bc-ba8f-a2d01efd2eb1",
            "type": [
                "Achievement"
            ],
            "name": "Certificate of Completion of “Three Steps for an Entrepreneurial Mindset” Workshop",
            "criteria": {
                "type": "Criteria",
                "narrative": "This certifies the completion of the “Three Steps for an Entrepreneurial Mindset” Workshop at Universidad César Vallejo. This program comprised 25 hours of activities from March 20 - 22, 2024."
            },
            "description": "MIT Jameel World Education Lab Certificate of Completion",
            "fieldOfStudy": "Three Steps for an Entrepreneurial Mindset” Workshop",
            "achievementType": "Certificate of Completion"
        },
        "id": "did:key:z6Mkf3PfuXaHjNzUbqYpTomBC4EgdLd5dTkA6czW29NoMveC"
    },
    "id": "669674646789dd1f426d9f80",
    "credentialStatus": {
        "id": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7#117",
        "type": "StatusList2021Entry",
        "statusPurpose": "revocation",
        "statusListIndex": "117",
        "statusListCredential": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7"
    },
    "issuanceDate": "2024-07-16T13:32:17Z",
    "proof": {
        "type": "Ed25519Signature2020",
        "created": "2024-09-20T18:07:12Z",
        "verificationMethod": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q#z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q",
        "proofPurpose": "assertionMethod",
        "proofValue": "z46wvcKbu8pcW9VtfiVeUEd23J2sAkj1Ld7Jbs15n9Q9vpVzE9y8pwrcRXq3rwdW7abwCdH3tbYnx5etNVzeWnJZd"
    }
}

Fails verification after tampering (urn:uuid prefixes the top level 'id'):

{
    "type": [
        "VerifiableCredential",
        "OpenBadgeCredential"
    ],
    "name": "James Chartrand - Test 2 of “Three Steps for an Entrepreneurial Mindset” Workshop",
    "issuer": {
        "url": "https://www.jwel.mit.edu/",
        "type": "Profile",
        "name": "MIT Jameel World Education Lab",
        "image": {
            "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/e59b713594cd79cf8fd2bcc96d034ab388d005a8/LongBannerLogoNoMIT.png",
            "type": "Image"
        },
        "id": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q"
    },
    "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://purl.imsglobal.org/spec/ob/v3p0/context-3.0.1.json",
        {
            "renderMethod": "urn:uuid:b2ab3546-228a-47a8-b97a-9a5646007c53",
            "css3MediaQuery": "urn:uuid:c4c53282-e8e2-4914-83d8-566e25d2f899",
            "digestMultibase": "urn:uuid:caef1a4e-67b8-4dfc-9881-2b51da7edc1b"
        },
        "https://w3id.org/vc/status-list/2021/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "renderMethod": [
        {
            "id": "https://raw.githubusercontent.com/camilamassa/UCVtest/main/test%202.html",
            "type": "SvgRenderingTemplate2023",
            "name": "PDF Display",
            "css3MediaQuery": "@media (orientation: portrait)"
        }
    ],
    "credentialSubject": {
        "type": [
            "AchievementSubject"
        ],
        "name": "James Chartrand",
        "achievement": {
            "id": "urn:uuid:951b475e-b795-43bc-ba8f-a2d01efd2eb1",
            "type": [
                "Achievement"
            ],
            "name": "Certificate of Completion of “Three Steps for an Entrepreneurial Mindset” Workshop",
            "criteria": {
                "type": "Criteria",
                "narrative": "This certifies the completion of the “Three Steps for an Entrepreneurial Mindset” Workshop at Universidad César Vallejo. This program comprised 25 hours of activities from March 20 - 22, 2024."
            },
            "description": "MIT Jameel World Education Lab Certificate of Completion",
            "fieldOfStudy": "Three Steps for an Entrepreneurial Mindset” Workshop",
            "achievementType": "Certificate of Completion"
        },
        "id": "did:key:z6Mkf3PfuXaHjNzUbqYpTomBC4EgdLd5dTkA6czW29NoMveC"
    },
    "id": "urn:uuid:669674646789dd1f426d9f80",
    "credentialStatus": {
        "id": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7#117",
        "type": "StatusList2021Entry",
        "statusPurpose": "revocation",
        "statusListIndex": "117",
        "statusListCredential": "https://digitalcredentials.github.io/lef-dashboard-cred-status/Y4DF9YY3Z7"
    },
    "issuanceDate": "2024-07-16T13:32:17Z",
    "proof": {
        "type": "Ed25519Signature2020",
        "created": "2024-09-20T18:19:11Z",
        "verificationMethod": "did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q#z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q",
        "proofPurpose": "assertionMethod",
        "proofValue": "z5tWC8PJw4GPGKWztaZ7fhJJrgFPgUUJHAAZ4vzWorxLjk96iP3C2z5DVYo1NVSG64HJCFoSHNLQCmcCpxXg6iTnQ"
    }
}

jchartrand commented 3 hours ago

This is only a problem with pre-VC2 libraries. The latest VC libs (which support VC2 and BitstringStatusList) don't allow a non-uri id at all, so the verification will always fail.
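
A pre-verification guard matching the behaviour described in the last comment, where a credential with a non-URI `id` is refused outright instead of being handed to signature verification (added example, not code from VerifierPlus or the VC libraries). The function names `isAbsoluteUri` and `findNonUriIds` and the trimmed sample credentials are constructed for illustration; the check assumes the WHATWG `URL` parser is an acceptable test for "absolute URI".

```javascript
// Added example: flag every `id` that is not an absolute URI before any
// signature check runs. Function names and sample data are constructed.

// True when `value` parses as an absolute URI (https:, did:, urn:uuid:, ...).
function isAbsoluteUri(value) {
  if (typeof value !== 'string') return false;
  try {
    new URL(value); // throws on scheme-less values such as a bare hex string
    return true;
  } catch {
    return false;
  }
}

// Walk the document and collect the JSON path of every offending `id` / `@id`.
// `@context` is skipped: keys there are term definitions, not node identifiers.
function findNonUriIds(node, path = '$', found = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findNonUriIds(item, `${path}[${i}]`, found));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key === '@context') continue;
      if (key === 'id' || key === '@id') {
        if (!isAbsoluteUri(value)) found.push(`${path}.${key}`);
      } else {
        findNonUriIds(value, `${path}.${key}`, found);
      }
    }
  }
  return found;
}

// Constructed samples, trimmed from the two credentials in the thread.
const bareId = {
  type: ['VerifiableCredential', 'OpenBadgeCredential'],
  id: '669674646789dd1f426d9f80',
  issuer: { id: 'did:key:z6MknNQD1WHLGGraFi6zcbGevuAgkVfdyCdtZnQTGWVVvR5Q' },
  credentialSubject: { id: 'did:key:z6Mkf3PfuXaHjNzUbqYpTomBC4EgdLd5dTkA6czW29NoMveC' },
};
const urnId = { ...bareId, id: 'urn:uuid:669674646789dd1f426d9f80' };
const presentation = { type: ['VerifiablePresentation'], verifiableCredential: [bareId] };

console.log(findNonUriIds(bareId));       // bare top-level id is reported
console.log(findNonUriIds(urnId));        // urn:uuid id passes
console.log(findNonUriIds(presentation)); // found inside a wrapping presentation
```

A verifier would treat a non-empty result as a hard failure and report it separately from a signature mismatch, so the user sees why the credential was refused.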