Skip to content

Commit

Permalink
merge
Browse files Browse the repository at this point in the history
  • Loading branch information
gabe committed Sep 20, 2024
1 parent a9a7ee9 commit 78897fd
Showing 1 changed file with 1 addition and 252 deletions.
253 changes: 1 addition & 252 deletions index.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1366,7 +1366,7 @@ <h3 id="alg-cose">Verifying a Credential or Presentation Secured with COSE</h3>
</ol>
</section>

<h3 id="validation-algorithm">Validation</h2>
<h3 id="validation-algorithm">Validation</h3>

<p>
All claims expected for the <code>typ</code> MUST be present.
Expand Down Expand Up @@ -2091,257 +2091,6 @@ <h2 id="cose-examples">COSE Examples</h2>
</p>
</section>
</section>
<section>
<h2 id="verification-algorithms">Verification Algorithms</h2>
<p>
This specification might be used with many different key discovery protocols.
Therefore, discovery of verification keys is described in <a href="#key_discovery"></a>,
and is assumed to have succeeded prior to beginning the verification process.
</p>
<p>
As a general rule, verifiers SHOULD strive to minimize the processing of
untrusted data. This includes minimizing any processing of the protected header,
unprotected header, or payload as part of the key discovery procedures.
</p>
<p>
After verification has succeeded, additional validation checks SHOULD be
performed as described in Section <a href="#validation-algorithm"></a>
</p>
<p>
The outputs for the following algorithms are:
</p>
<ul>
<li>
<code>status</code>: a boolean indicating the result of verification,
<code>true</code> for success and <code>false</code> for failure.
</li>
<li>
<code>document</code>: a document conforming to the [[[VC-DATA-MODEL-2.0]]] [[VC-DATA-MODEL-2.0]]
</li>
<li>
<code>mediaType</code>: <code>vc</code> or <code>vp</code>
</li>
</ul>
<section>
<h3 id="alg-jose">Algorithm for Verifying a Credential or Presentation Secured with JOSE</h3>
<p>
The inputs for this algorithm are:
</p>
<ul>
<li>
<code>inputMediaType</code>: <code>vc-ld+jwt</code> or
<code>vp-ld+jwt</code>
</li>
<li>
<code>inputDocument</code>: the [=verifiable credential=] secured as a JWT [[RFC7519]]
</li>
</ul>
<p>
Upon receipt of the [=verifiable credential=] or [=verifiable presentation=] secured as a JWT
[[RFC7519]], the [=holder=] or [=verifier=] follows this algorithm:
</p>
<ol>
<li>
Follow the algorithm defined in <a data-cite="RFC7519#section-7.2"> Validating a JWT</a> [[RFC7519]].
</li>
<li>
If processing completes successfully:
<ol>
<li>
Set <code>status</code> to <code>true</code>
</li>
<li>
Set <code>mediaType</code> to <code>vc</code> or <code>vp</code>
</li>
<li>
Set <code>document</code> to the decoded JWS payload.
</li>
<li>
Return
</li>
</ol>
</li>
<li>
If processing aborts for any reason or the JWT is rejected:
<ol>
<li>
Set <code>status</code> to <code>false</code>
</li>
<li>
Set <code>document</code> to <code>null</code>
</li>
<li>
Set <code>mediaType</code> to <code>null</code>
</li>
<li>
Return
</li>
</ol>
</li>
</ol>
</section>
<section>
<h3 id="alg-sd-jwt">Algorithm for Verifying a Credential or Presentation Secured with SD-JWT</h3>
<p>
The inputs for this algorithm are:
</p>
<ul>
<li>
<code>inputMediaType</code>: <code>vc-ld+sd-jwt</code>
</li>
<li>
<code>inputDocument</code>: the verifiable credential secured with [[SD-JWT]]
</li>
</ul>
<p>
Upon receipt of the [=verifiable credential=] or [=verifiable presentation=] secured with
[[SD-JWT]], the holder or verifier follows this algorithm:
</p>
<ol>
<li>
Follow the algorithms defined in <a data-cite="SD-JWT#section-8">SD-JWT</a> for
verification of the SD-JWT.
</li>
<li>
If processing completes successfully:
<ol>
<li>
Set <code>status</code> to <code>true</code>
</li>
<li>
Set <code>mediaType</code> to <code>vc</code>
</li>
<li>
Convert the SD-JWT payload back into the JSON claim set by reversing the process
in [[[SD-JWT]]] [[SD-JWT]]. Set <code>document</code> to the JSON claim set.
(For examples of the transition from JSON claim set to SD-JWT payload, please
see <a data-cite="SD-JWT#appendix-A">SD-JWT examples</a>).
</li>
<li>
Return
</li>
</ol>
</li>
<li>
If processing aborts for any reason or the SD-JWT is rejected:
<ol>
<li>
Set <code>status</code> to <code>false</code>
</li>
<li>
Set <code>document</code> to <code>null</code>
</li>
<li>
Set <code>mediaType</code> to <code>null</code>
</li>
<li>
Return
</li>
</ol>
</li>
</ol>
</section>
<section>
<h3 id="alg-cose">Algorithm for Verifying a Credential or Presentation Secured with COSE</h3>
<p>
The inputs for this algorithm are:
</p>
<ul>
<li>
<code>inputMediaType</code>: <code>vc-ld+cose</code> or
<code>vp-ld+cose</code>
</li>
<li>
<code>inputDocument</code>: the [=verifiable credential=] or [=verifiable presentation=]
secured with [[[RFC9052]]]
</li>
</ul>
<p>
Upon receipt of the [=verifiable credential=] or [=verifiable presentation=] secured with
[[RFC9052]], the [=holder=] or [=verifier=] follows this algorithm:
</p>
<ol>
<li>
Follow the algorithm defined in [[[RFC9052]]] [[RFC9052]] under the Signing and
Verification Process for COSE_Sign1.
</li>
<li>
If processing completes successfully:
<ol>
<li>
Set <code>status</code> to <code>true</code>
</li>
<li>
Set <code>mediaType</code> to <code>vc</code> or <code>vp</code>
</li>
<li>
Set <code>document</code> to the decoded COSE_Sign1 payload.
</li>
<li>
Return
</li>
</ol>
</li>
<li>
If processing aborts for any reason:
<ol>
<li>
Set <code>status</code> to <code>false</code>
</li>
<li>
Set <code>document</code> to <code>null</code>
</li>
<li>
Set <code>mediaType</code> to <code>null</code>
</li>
<li>
Return
</li>
</ol>
</li>
</ol>
</section>


</section>

<section>
<h2 id="validation-algorithms">Validation Algorithm</h2>

<p>
All claims expected for the <code>typ</code> MUST be present.
All claims that are understood MUST be evaluated according the [=verifier=]'s validation policies.
All claims that are not understood MUST be ignored.
</p>

<p>
The verified <code>document</code> returned from verification MUST be a
well-formed compact JSON-LD document, as described in
<a data-cite="VC-DATA-MODEL-2.0/#conformance">Verifiable Credentials Data Model v2.0</a>.
</p>

<p>
Schema extension mechanisms such as <code>credentialSchema</code> SHOULD be checked.
If the extension mechanism <code>type</code> is not understood, this property
MUST be ignored.
</p>

<p>
Status extension mechanisms such as <code>credentialStatus</code> SHOULD be checked.
If the extension mechanism <code>type</code> is not understood, this property
MUST be ignored.
</p>

<p>
Based on the validation policy of the verifier, the type of [=credentials=], and
the type of securing mechanism, additional validation checks MAY be applied.
For example, dependencies between multiple [=credentials=], ordering or timing
information associated with multiple credentials, and/or multiple [=presentations=]
could cause an otherwise valid [=credential=] or [=presentation=] to be considered
invalid.
</p>
</section>

<section class="appendix informative">
<h2>Acknowledgements</h2>

Expand Down

0 comments on commit 78897fd

Please sign in to comment.