Proof Verification Policy Reference
This reference documents the proof verification policy for the verifier service. The proof policy validates the cryptographic signatures and proofs associated with credentials and presentations to ensure their authenticity and integrity.
Policy Overview
Section titled “Policy Overview”The proof verification policy is essential for establishing trust in digital credentials by cryptographically verifying that the credential was signed by the claimed issuer and has not been tampered with since issuance. This verification is a core component of the trust model for verifiable credentials.
Supported Standards
Section titled “Supported Standards”The proof verification policy supports cryptographic validation across multiple standards:
| Standard | Organization | Specification | Proof Type | Validation Aspect |
|---|---|---|---|---|
| Data Integrity BBS Cryptosuites | W3C | VC DI BBS | bbs-2023 | Validates zero-knowledge proofs with selective disclosure |
| Data Integrity ECDSA Cryptosuites | W3C | VC DI ECDSA | ecdsa-jcs-2019, ecdsa-rdfc-2019 | Confirms ECDSA signatures with P-256/secp256k1 |
| Data Integrity EdDSA Cryptosuites | W3C | VC DI EdDSA | eddsa-2022 | Verifies Ed25519 signatures with high performance |
| ISO Mobile Driving License | ISO | ISO 18013-5:2021 | mDL signatures | Verifies mobile credential signatures per ISO standard |
| JOSE-COSE | W3C | JOSE-COSE | JOSE/COSE signatures | Validates JSON/CBOR object signatures and encryption |
| JSON Web Token (JWT) | IETF | RFC 7519 | JWT signatures | Verifies JWT signatures using JOSE algorithms |
| SD-JWT Verifiable Credential | IETF | SD-JWT Draft | SD-JWT signatures | Validates signatures with selective disclosure support |
| Verifiable Credential Data Integrity 1.0 | W3C | VC Data Integrity | Data Integrity proofs | Validates signatures using multiple cryptosuites |
Proof Verification Process
Section titled “Proof Verification Process”flowchart TD
subgraph "Proof Verification"
Input[Credential/Presentation] --> DetectProof[Detect Proof Type]
DetectProof --> ResolveIssuer[Resolve Issuer]
ResolveIssuer --> FetchKeys[Fetch Verification Methods]
FetchKeys --> ValidateProof[Validate Proof]
ValidateProof --> Decision{Valid Proof?}
Decision -->|Yes| Valid[Valid]
Decision -->|No| Invalid[Invalid Proof]
end
Resolver[Resolver] -.-> |"DID Resolution"| ResolveIssuer
style Input fill:#f9f9f9,stroke:#333,stroke-width:1px
style DetectProof fill:#e1f5fe,stroke:#333,stroke-width:1px
style ResolveIssuer fill:#e1f5fe,stroke:#333,stroke-width:1px
style FetchKeys fill:#e1f5fe,stroke:#333,stroke-width:1px
style ValidateProof fill:#e1f5fe,stroke:#333,stroke-width:1px
style Decision fill:#e1f5fe,stroke:#333,stroke-width:1px
style Valid fill:#dcedc8,stroke:#333,stroke-width:1px
style Invalid fill:#ffcdd2,stroke:#333,stroke-width:1px
style Resolver fill:#fff9c4,stroke:#333,stroke-width:1px
When verifying cryptographic proofs, the policy follows these steps:
- Proof detection - Identifies the type of proof used in the credential
- Issuer resolution - Resolves the issuer’s DID to retrieve verification methods
- Key retrieval - Fetches the appropriate cryptographic keys for verification
- Proof validation - Verifies the cryptographic proof against the credential
- Result determination - Returns the verification result based on cryptographic validation
Data Integrity Proofs
Section titled “Data Integrity Proofs”The W3C Data Integrity specification defines a framework for creating and verifying cryptographic proofs for credentials. The verifier supports multiple cryptosuites:
| Cryptosuite | Description | Key Algorithms | Best For |
|---|---|---|---|
eddsa-2022 | EdDSA signatures | Ed25519 | High-performance verification |
ecdsa-jcs-2019 | ECDSA with JSON canonicalization | secp256k1, P-256 | Cross-platform compatibility |
ecdsa-rdfc-2019 | ECDSA with RDF canonicalization | secp256k1, P-256 | Semantic web applications |
bbs-2023 | BBS+ signatures | BLS12-381 | Privacy-preserving credentials |
ecdsa-sd-2023 | ECDSA with selective disclosure | secp256k1, P-256 | Selective disclosure presentations |
Integration with Resolver
Section titled “Integration with Resolver”The proof verification policy depends on the resolver service to:
- Resolve DIDs to DID documents
- Retrieve verification methods (public keys)
- Validate proof chains for nested proofs
- Support multiple DID methods
Configuration
Section titled “Configuration”The proof verification policy offers various configuration options that control its behavior, including:
- Enabling or disabling proof verification via the
skipproperty - Configuring supported proof formats and cryptosuites
- Setting verification method resolution options
- Controlling validation behavior for different credential types
- Specifying accepted signing algorithms
For detailed configuration options, parameters, and default values, see the Verifier Configuration Reference.