Credential Verification

Verifying the integrity and authenticity of delegation credentials

Credential Verification

DID Resolution and Key Verification

The foundation of MCP-I verification is resolving DIDs to their corresponding DID Documents.

Resolution Process

  1. The verifier receives a DID (e.g., did:web:example.com)
  2. The verifier uses the appropriate resolver for the DID method
  3. The resolver returns a DID Document containing verification methods
  4. The verifier extracts the public key material needed for signature verification

Key Types Support

MCP-I verification must support these key types:

  • Ed25519: Recommended for most implementations
  • secp256k1: Required for blockchain compatibility
  • RSA: Required for legacy compatibility (Level 1 only)

Credential Verification

Once DIDs are resolved, the credential itself must be verified through multiple checks.

Signature Verification

The verifier must:

  1. Extract the verification method from the issuer's DID Document
  2. Validate the credential's signature using the appropriate algorithm
  3. Ensure the signature was created by the issuer's key

Example Signature Verification

import { Ed25519Signature2020 } from "@digitalbazaar/ed25519-signature-2020";
import { documentLoader } from "./document-loader.js";

async function verifyCredentialSignature(credential) {
  // Create verification suite using the verification method from the credential
  const suite = new Ed25519Signature2020();

  // Verify the credential signature
  const result = await vc.verify({
    credential,
    suite,
    documentLoader,
  });

  if (!result.verified) {
    throw new Error(`Signature verification failed: ${result.error}`);
  }

  return true;
}

Structural Validation

The verifier must:

  1. Ensure the credential contains all required fields
  2. Validate that the credential format follows the MCP-I specification
  3. Check that the credential type includes the appropriate values

Temporal Validation

The verifier must:

  1. Check that the credential's issuanceDate is in the past
  2. Verify that the current time is before the credential's expirationDate
  3. Apply any time-based constraints specified in the credential