Trust is not verifiable!

Volodymyr Pavlyshyn
2 min read · Aug 20, 2023

What does a verifier verify in a verifiable credential, and what could go wrong?

The short and correct answer is a Verifiable Presentation, but let's put that on hold for another article and focus on a single Verifiable Credential.

Verification of Credential

If we talk about a classical JSON-LD VC:

  • Validity of the context and the corresponding data. This is the source of a few major performance and security issues when your JSON-LD context is an external link, since resolving it can trigger recursive HTTP calls.
  • Signature of the issuer: gives integrity and authenticity of the data. It often depends on DID resolution, which relies on an external DID registry. With blockchain-based DID resolution, this can be slow.
  • The cryptographic suite must be supported by the verifier, and so must the key format.
  • Revocation lists: for a revocable credential there is one more dependency, on revocation list credentials and possibly on revocation list resolution.
  • Expiration date of the VC, and the general topic of handling timestamps.
  • Optionally, a JSON schema can be part of the VC, but it is often ignored, so checking it is the application's responsibility.

What is not verifiable?

This is probably the most important part of this article.

  • ownership of the presented VC or any holder correlation, even if the holder section is present. VP partially solves this challenge, but the general binding problem is open.
  • validity of the data
  • validity of the data capture
  • any kind of chains of trust and trust-related topics.

Trust

Everything shifts from cryptography and algorithms to trust protocols and trust infrastructure. When you start the verification process, you already have embedded trust relations to:

- The issuer and its data capturing and data validation processes for VC issuance. The relationship to the issuer and its data capturing protocols and procedures is regulated by trust frameworks and trust registries, some of which require policy and legal frameworks. To manage this relationship effectively, you need a trust registry of issuers.

- Trust in DID methods and DID registries
- Trust in Schema registries
- Trust in Revocation list registries

As users of a verifier service, we have to trust that the verifier follows the verification procedure and checks all possible parts of VC validity.
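
The checks from the verification list that need no network access (context, suite, expiration) together with the issuer trust-registry lookup from the Trust section, as an added example that is not code from the article. The allowlists, the `did:example` identifiers, the clock skew and the function names are assumptions; signature and revocation checks are left out.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy values and sample input (assumptions, not from the article).
PINNED_CONTEXTS = {"https://www.w3.org/2018/credentials/v1"}  # resolved from local copies
SUPPORTED_SUITES = {"Ed25519Signature2020"}
TRUSTED_ISSUERS = {"did:example:university"}  # stand-in for an issuer trust registry
CLOCK_SKEW = timedelta(minutes=5)
SAMPLE_VC = {"@context": ["https://www.w3.org/2018/credentials/v1"],
             "issuer": "did:example:university", "expirationDate": "2030-01-01T00:00:00Z",
             "proof": {"type": "Ed25519Signature2020"}}


def as_list(value):
    """JSON-LD allows a single value or an array; missing becomes empty."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def precheck(vc, now=None):
    """Return policy failures; signature and revocation are not checked here."""
    now = now or datetime.now(timezone.utc)
    failures = []
    # 1. Contexts: accept only pinned URLs, so nothing is fetched over HTTP.
    for ctx in as_list(vc.get("@context")) or [None]:
        if not isinstance(ctx, str) or ctx not in PINNED_CONTEXTS:
            failures.append(f"unpinned context: {ctx!r}")
    # 2. Proof suite: reject before any DID resolution is attempted.
    for proof in as_list(vc.get("proof")) or [None]:
        suite = proof.get("type") if isinstance(proof, dict) else None
        if suite not in SUPPORTED_SUITES:
            failures.append(f"unsupported suite: {suite!r}")
    # 3. Expiration: require an explicit timezone, allow a small clock skew.
    exp = vc.get("expirationDate")
    if exp is not None:
        try:
            expires = datetime.fromisoformat(exp.replace("Z", "+00:00"))
            if expires.tzinfo is None:
                failures.append("expirationDate has no timezone")
            elif expires + CLOCK_SKEW < now:
                failures.append("credential expired")
        except (AttributeError, ValueError):
            failures.append("unparseable expirationDate")
    # 4. Issuer: a policy decision, not a cryptographic one.
    issuer = vc.get("issuer")
    issuer = issuer.get("id") if isinstance(issuer, dict) else issuer
    if not isinstance(issuer, str) or issuer not in TRUSTED_ISSUERS:
        failures.append(f"issuer not in trust registry: {issuer!r}")
    return failures
```

An empty result only means the credential passed local policy; it says nothing about who holds the credential or whether the claims in it are true.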
