Define algorithm for verification

[msporny]

In issue #1285 (comment) @jyasskin wrote:

The serious issue is the one about defining the algorithm for verification. The definition of validation in this spec says that verification is in scope: "This specification is constrained to verifying verifiable credentials and verifiable presentations regardless of their usage. Validating verifiable credentials or verifiable presentations is outside the scope of this specification." To be clear, I'll encourage Google to formally object to this spec if an algorithm for verification isn't moved to Proposed REC at the same time as this spec. It's fine for this algorithm to call out to algorithms in other specs, or to look up subroutines in a registry, but the top-level algorithm needs to be defined. That's for two reasons:

1. It's hard to be confident of interoperability if implementations have to gather verification requirements from many places across this and other specifications. If an implementation misses one or finds an extra one, it won't interoperate with implementations that found a different set of requirements.
2. The security and privacy properties of VCs depend critically on the exact algorithm that a verifier follows. Privacy, for example, gets compromised if a verifier fetches an extra URL that happens to identify the credential that it's verifying. In order for security and privacy reviewers to check that this spec meets its goals, they have to be able to read the verification algorithm.

[msporny]

PR #1338 has been raised to address this issue. This issue will be closed once PR #1338 has been merged.

[jyasskin]

I don't expect #1338 to be sufficient to close this. It's a good start, but it calls other algorithms that haven't been written yet, or which are missing important checks and type-consistency. This list is probably incomplete, but I see:

• Write an algorithm for verifying VC/VP JWTs vc-jose-cose#187
• Find somewhere to parse bytes into an RDF dataset vc-data-integrity#222

[iherman]

The issue was discussed in a meeting on 2023-12-13

• no resolutions were taken

View the transcript

2.1. Define algorithm for verification (issue vc-data-model#1337)

See github issue vc-data-model#1337.

Brent Zundel: some have PRs exist.

Manu Sporny: this one needs to be closed, we merged related PRs, and filed follow up issues.

[msporny]

@jyasskin we're tracking improvements to the verification algorithm in more specific issues/PRs. The WG decided that it would be best to close this PR as the verification algorithm now exists (it's imperfect, but it's there). Refinements to the algorithm will be performed via other existing issues/PRs.

[iherman]

The issue was discussed in a meeting on 2023-12-20

• no resolutions were taken

View the transcript

4.1. Define algorithm for verification (issue vc-data-model#1337)

See github issue vc-data-model#1337.

Brent Zundel: 1337 Define Alg for Verify. Main PR has been merged. I will close after call today.