uncefact / spec-untp

UN Transparency Protocol
https://uncefact.github.io/spec-untp/
GNU General Public License v3.0

Guidance on how to handle verification/validation of a VC [trust/security/business logic] #51

Open PatStLouis opened 3 months ago

PatStLouis commented 3 months ago

It would be worthwhile to have guidance on the steps to be included in the verification of the material vs validation. Perhaps in an implementers guideline?

The issue this would address is to clearly identify the role of verification and acknowledge that verifiers will have different validation needs. This is not a one size fits all.

Before proceeding to validate the document and see if it's suitable for consumption, some verification needs to happen, both for trust and security reasons.

Some input validation is also a required step for security purposes. Multiple attack vectors are available such as data injection and graph poisoning. As with any software, proper security measures need to be put in place. While it's the responsibility of the implementers to put these measures in place, risks relevant to the technology used should be highlighted.

Once this 'verification' step is done, the validation sequence, which involves the business needs of the verifier, should be conducted. This could include fetching the issuer from a list of issuers known to the verifier, checking the validity/expiration of the VC if this is valuable to the verifier, checking for a specific status, etc.

The distinction between these 2 phases is important to highlight. Simply referring to it as 'verifying' a credential is misleading.

While validation can't be made into a spec, some guidelines can surely be provided as to the order these operations should occur.

nissimsan commented 1 month ago

I support spelling these steps out on the spec!

nissimsan commented 1 month ago

Something like:

  1. Check signature with issuer's public key
  2. Check validity
  3. Check schema
  4. Check status

PatStLouis commented 3 weeks ago

@nissimsan we can refer to the algorithms section of the data model which I've recently become aware of. I will draft a PR with a section on this in the implementation guidelines to try and close this issue.