- From: Dominic Wörner <dom.woe@gmail.com>
- Date: Tue, 9 Jun 2020 14:50:30 +0200
- To: public-credentials@w3.org
- Message-ID: <CALXJN2VV6eFjF4nO0GTDL=zv-HRt5pAXZvKeUryGj6MppZtpvg@mail.gmail.com>
Hi,

We currently work with JWT VC because of the lack of proper JSON-LD tooling in Java. The iss property of VCs is a DID and I have a question on the verification algorithm, since it's not well defined in the data model spec because it is out of scope.

After reading the spec, we implemented the following approach:

* Resolve issuer DID
* If kid in header then get pubkey with kid from DID doc. If not found => abort
* If no kid in header then there must be only one public key

Now, I've looked at the code of https://github.com/decentralized-identity/did-jwt. There the following approach is taken (if I'm correct):

* Resolve issuer DID
* Get authenticators (pub keys referenced in authentication array in DID doc)
* Try all authenticators. Fail only if none of the authenticators work

I don't think the library handles the usage of a kid in the header. This leaves me with the question, is there consensus about the approach taken in did-jwt? ;)

* Public keys to verify VCs need to be referenced in the authentication block of the DID doc
* It's not required to reference a specific key in the VC if there are multiple keys in the DID doc?

I can see that the second point has some advantages. Given I have a DID doc with a single public key and I create a VC without specifying the kid, I would invalidate the VC by adding another key to the DID doc, if the verifier would not try all keys.

Best,
Dominic
Received on Tuesday, 9 June 2020 12:50:55 UTC