Proof Verification Policy Reference
This reference documents the proof verification policy for the verifier service. The proof policy validates the cryptographic signatures and proofs associated with credentials and presentations to ensure their authenticity and integrity.
Policy Overview
The proof verification policy is essential for establishing trust in digital credentials by cryptographically verifying that the credential was signed by the claimed issuer and has not been tampered with since issuance. This verification is a core component of the trust model for verifiable credentials.
Supported Standards
The proof verification policy supports cryptographic validation across multiple standards:
| Standard | Organization | Specification | Proof Type | Validation Aspect |
|---|---|---|---|---|
| Data Integrity BBS Cryptosuites | W3C | VC DI BBS | bbs-2023 | Validates zero-knowledge proofs with selective disclosure |
| Data Integrity ECDSA Cryptosuites | W3C | VC DI ECDSA | ecdsa-jcs-2019, ecdsa-rdfc-2019 | Confirms ECDSA signatures with P-256/secp256k1 |
| Data Integrity EdDSA Cryptosuites | W3C | VC DI EdDSA | eddsa-2022 | Verifies Ed25519 signatures with high performance |
| ISO Mobile Driving License | ISO | ISO 18013-5:2021 | mDL signatures | Verifies mobile credential signatures per ISO standard |
| JOSE-COSE | W3C | JOSE-COSE | JOSE/COSE signatures | Validates JSON/CBOR object signatures and encryption |
| JSON Web Token (JWT) | IETF | RFC 7519 | JWT signatures | Verifies JWT signatures using JOSE algorithms |
| SD-JWT Verifiable Credential | IETF | SD-JWT Draft | SD-JWT signatures | Validates signatures with selective disclosure support |
| Verifiable Credential Data Integrity 1.0 | W3C | VC Data Integrity | Data Integrity proofs | Validates signatures using multiple cryptosuites |
Proof Verification Process
When verifying cryptographic proofs, the policy follows these steps:
- Proof detection - Identifies the type of proof used in the credential
- Issuer resolution - Resolves the issuer's DID to retrieve verification methods
- Key retrieval - Fetches the appropriate cryptographic keys for verification
- Proof validation - Verifies the cryptographic proof against the credential
- Result determination - Returns the verification result based on cryptographic validation
Data Integrity Proofs
The W3C Data Integrity specification defines a framework for creating and verifying cryptographic proofs for credentials. The verifier supports multiple cryptosuites:
| Cryptosuite | Description | Key Algorithms | Best For |
|---|---|---|---|
eddsa-2022 | EdDSA signatures | Ed25519 | High-performance verification |
ecdsa-jcs-2019 | ECDSA with JSON canonicalization | secp256k1, P-256 | Cross-platform compatibility |
ecdsa-rdfc-2019 | ECDSA with RDF canonicalization | secp256k1, P-256 | Semantic web applications |
bbs-2023 | BBS+ signatures | BLS12-381 | Privacy-preserving credentials |
ecdsa-sd-2023 | ECDSA with selective disclosure | secp256k1, P-256 | Selective disclosure presentations |
Integration with Resolver
The proof verification policy depends on the resolver service to:
- Resolve DIDs to DID documents
- Retrieve verification methods (public keys)
- Validate proof chains for nested proofs
- Support multiple DID methods
Configuration
The proof verification policy offers various configuration options that control its behavior, including:
- Enabling or disabling proof verification via the
skipproperty - Configuring supported proof formats and cryptosuites
- Setting verification method resolution options
- Controlling validation behavior for different credential types
- Specifying accepted signing algorithms
For detailed configuration options, parameters, and default values, see the Verifier Configuration Reference.