Verifiable Credential - savvato-software/all_docs GitHub Wiki

A verifiable credential has an issuer field, that refers to a DID id.

The DID id refers to a document, which has been signed by the owner (controller) of the DID. The document contains then a signature of the DID, and references to public keys controlled by this DID.

So the verifier could get one of those public keys, and check the signature of a VC, to see did the owner (controller) of the DID which this VC is using as proof of something, did that owner controller actually sign this VC.

So the VC has an issuer, with an ID. That ID refers to a DID document. The DID document has a field "Public keys" and this is a web reference, it is a provider of a public key it is not the key itself, its a way to get the key

And that key, when used to sign the DID, provides a signature matching the one in the DID.

So you have accessed a lilve resource, and got a key. You trust that this key has not been compromised, but you can compare it against other things which have been signed by the key, and would also have had to have been compromised to show they did sign the other thing, and that process increases confidence, this live resource is providing you an accurate key. Or maybe you get the key from several places, or a provably immutable place. Anyway, you get this key.

You want to be sure that Alice who has presented you a VC supposedly signed by Bob, did indeed get the signature for the VC that she has from a key controlled by Bob. And it does this because the signature had to have come from multiplying his private key and the given document. The verification of that signature takes the public key, a very large prime number, and uses it as a factor in an equation used to reduce the output of the encryption to the original document. And only this other number would do it, and it is a Hard Problem finding either of these two values, two factors, the public or private values, we call keys.

So we have Alice's VC, supposedly signed by Bob, and we have Bob's public key, which we got from a DID, that we were made aware of either by the VC itself, or some other public means Bob provides for people who want to know did he sign some stuff.

We take Bob's public key and decrypt the signature which should produce the VC he was attesting to (or it's hash). We compare this with what Alice is presenting, and we can be sure Bob had to have signed this with his private key, he had to have agreed. Assuming we trust this public private key math.

We can be sure then, that this attribute of Alice is true.

Or not. :)