Unsigned claims not secure

[msporny]

Claims that are not digitally signed are not verifiable. The specification should allow unsigned claims, but should say something about claims that are unsigned.

[David-Chadwick]

They are simply self-asserted claims. A user can always make whatever claims he wants to. It is up to the inspector to decide what trust or value he places in self-asserted claims.

[agropper]

Self-asserted claims can still be signed by the user. Given self-sovereign (blockchain) identifiers, the reputation linked to any particular signature can be highly variable and it's up to the inspector to decide what trust or value he places on the identity associated with a signature.

[David-Chadwick]

True. But practically speaking, if the holder has a secure connection to the inspector, and sends an unsigned credential in a signed message, or sends a self-signed credential in an unsigned message, this makes little difference from a trust perspective. It is still a self asserted claim that the inspector has to decide how much to trust it.

[agropper]

Practically speaking, it's preferred (from the perspective of driving adoption of our work) to have all claims handled the same way, regardless of the degree of trust in the signature.

[msporny]

if the holder has a secure connection to the inspector, and sends an unsigned credential in a signed message, or sends a self-signed credential in an unsigned message,

Those are both effectively signed claims.

This particular issue is about claims that have absolutely no digital signature associated with them. For example, Verifiable Claims can be used to assert product information like so:

http://schema.org/Product#eg-10 (See JSON-LD example)

That information can be shoved into any website. You can argue that if served over HTTPS, that it's effectively the site self-asserting the claim in a digitally verifiable way, but that's not always the case. For example, it could be served over HTTP... or it could be a blogging site that allows that sort of markup anywhere, asserted by any user of the site. In those particular cases, we fall back into the "No, or effectively no useful digital signature" scenario. Which is what this issue is attempting to call attention to.

[David-Chadwick]

In which case I return to my initial comment. Simply say "These are self-asserted claims that provide no technical means of verification. The inspector will need to use other out of band means to ascertain the veracity of the claim."