Open Harasz opened 2 years ago
Hi @Harasz,
You're correct, it is not checked; currently only the issuer property (or iss JWT claim) is checked, for correspondence with a proof object (or JWS) that verifies. Other VC Data Model properties must be checked by the caller. The analogous exp claim in JWT VCs is checked though. Relevant source code:
https://github.com/spruceid/ssi/blob/351c9238622cf39330297ea4d91931d6dcee0386/src/vc.rs#L2035-L2061
https://github.com/spruceid/ssi/blob/351c9238622cf39330297ea4d91931d6dcee0386/src/vc.rs#L2091-L2159
We're unsure how to go about deciding what additional checks to perform. In VC API there was a "checks" option for the caller to pass what checks to perform (e.g. "proof" and "credentialStatus"), but this was removed: https://github.com/w3c-ccg/di-ed25519-test-suite/issues/3 (but it is still supported in didkit-http for credential status / revocation list checking). So I think we may need to either agree on a new set of default checks, or add back the checks option or similar mechanism.
Checks option sounds good.
Hi team, Verifiable Credentials Data Model has an expiration date; from what I can see, currently DIDKit is not checking this date during verification. Is it not implemented yet, or is there another reason?
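The caller-side check discussed in this thread, as an added example that is not DIDKit or ssi code: a date check a caller could run on a JSON-LD credential after proof verification has already succeeded. The function names and the sample credential are hypothetical; the field names `issuanceDate` and `expirationDate` are those of the VC Data Model.

```python
from datetime import datetime, timezone


def parse_xsd_datetime(value):
    """Parse an xsd:dateTime string into an aware datetime, or raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("not a string")
    # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z".
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        # Without an offset the instant is ambiguous, so refuse it.
        raise ValueError("no timezone offset")
    return parsed


def check_validity_period(credential, now=None):
    """Return a list of errors; an empty list means the date checks passed."""
    now = now or datetime.now(timezone.utc)
    errors = []
    # expirationDate is optional in the VC Data Model; absent means no expiry.
    if "expirationDate" in credential:
        try:
            if parse_xsd_datetime(credential["expirationDate"]) <= now:
                errors.append("credential has expired")
        except ValueError as exc:
            # Fail closed: an unparseable date must not count as "not expired".
            errors.append(f"invalid expirationDate: {exc}")
    # issuanceDate is required; a value in the future means not yet valid.
    try:
        if parse_xsd_datetime(credential.get("issuanceDate")) > now:
            errors.append("credential is not yet valid")
    except ValueError as exc:
        errors.append(f"invalid issuanceDate: {exc}")
    return errors


# Constructed sample credential (not from the issue); proof omitted.
SAMPLE_VC = {
    "type": ["VerifiableCredential"],
    "issuer": "did:example:issuer",
    "issuanceDate": "2021-01-01T00:00:00Z",
    "expirationDate": "2022-01-01T00:00:00Z",
}

if __name__ == "__main__":
    print(check_validity_period(SAMPLE_VC))
```

Run this only on a credential whose proof has verified, since the dates are otherwise attacker-controlled.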