w3c / vc-data-model

W3C Verifiable Credentials v2.0 Specification
https://w3c.github.io/vc-data-model/

Define algorithm for verification #1337

Closed msporny closed 8 months ago

msporny commented 10 months ago

In issue https://github.com/w3c/vc-data-model/issues/1285#issuecomment-1731724138 @jyasskin wrote:

The serious issue is the one about defining the algorithm for verification. The definition of validation in this spec says that verification is in scope: "This specification is constrained to verifying verifiable credentials and verifiable presentations regardless of their usage. Validating verifiable credentials or verifiable presentations is outside the scope of this specification." To be clear, I'll encourage Google to formally object to this spec if an algorithm for verification isn't moved to Proposed REC at the same time as this spec. It's fine for this algorithm to call out to algorithms in other specs, or to look up subroutines in a registry, but the top-level algorithm needs to be defined. That's for two reasons:

  1. It's hard to be confident of interoperability if implementations have to gather verification requirements from many places across this and other specifications. If an implementation misses one or finds an extra one, it won't interoperate with implementations that found a different set of requirements.
  2. The security and privacy properties of VCs depend critically on the exact algorithm that a verifier follows. Privacy, for example, gets compromised if a verifier fetches an extra URL that happens to identify the credential that it's verifying. In order for security and privacy reviewers to check that this spec meets its goals, they have to be able to read the verification algorithm.

msporny commented 10 months ago

PR #1338 has been raised to address this issue. This issue will be closed once PR #1338 has been merged.

jyasskin commented 9 months ago

I don't expect #1338 to be sufficient to close this. It's a good start, but it calls other algorithms that haven't been written yet, or which are missing important checks and type-consistency. This list is probably incomplete, but I see:

iherman commented 9 months ago

The issue was discussed in a meeting on 2023-12-13

#### 2.1. Define algorithm for verification (issue vc-data-model#1337)

_See github issue [vc-data-model#1337](https://github.com/w3c/vc-data-model/issues/1337)._

**Brent Zundel:** some have PRs exist.

**Manu Sporny:** this one needs to be closed, we merged related PRs, and filed follow-up issues.

msporny commented 9 months ago

@jyasskin we're tracking improvements to the verification algorithm in more specific issues/PRs. The WG decided that it would be best to close this PR as the verification algorithm now exists (it's imperfect, but it's there). Refinements to the algorithm will be performed via other existing issues/PRs.

iherman commented 8 months ago

The issue was discussed in a meeting on 2023-12-20

#### 4.1. Define algorithm for verification (issue vc-data-model#1337)

_See github issue [vc-data-model#1337](https://github.com/w3c/vc-data-model/issues/1337)._

**Brent Zundel:** 1337 Define Alg for Verify. Main PR has been merged. I will close after call today.