Improve DID URL dereferencing for verification methods #128
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Allow object to be embedded under other verification method arrays besides verificationMethod.
This was referenced Mar 16, 2021
sbihel
approved these changes
Mar 17, 2021
wyc
approved these changes
Mar 17, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Copied from #122
Verification method maps may appear in a DID document in multiple places, e.g.
authenticationorassertionMethod. Previously we required them to be under theverificationMethodproperty. When a verification method (or itsid) is included in one of these arrays, it indicates a verification relationship between the DID subject and the verification method. These verification relationships correspond to the proofPurpose property in linked data proofs. DID Core says that theassertionMethodverification relationship is used for issuing Verifiable Credentials. It also says thatauthenticationis used for authenticating via challenge-response protocols. Typically, theauthenticationproof purpose is used for creating Verifiable Presentations, as seen in VC Data Model - Example 45, and in test cases in vc-http-api-test-server such ascase-1.json. We should respect verification relationships when verifying proofs.This PR sets the default behavior for verifying a verifiable credential or verifiable presentation to require the proof's verification method to be in the DID document with the verification relationship corresponding to the proof purpose in the verification options - with
assertionMethodthe default proof purpose for a VC, andauthenticationthe default for a VP.This change only affects verification. During issuance, the proof purpose and verification method must still be passed in as options.
The publicKey is added back to the DID document even though it is no longer in DID Core, since there is a test case in
vc-http-api-test-serverthat depends on it. It is treated as another place where verification methods may be stored, like theverificationMethodarray. A verification method in theverificationMethodarray orpublicKeyarray should also be referenced in one of the verification relationship arrays likeassertionMethodand/orauthentication, to express a verification relationship and therefore be used with linked data proofs.