Hi, I want to understand how a verifiable credential can be checked for authenticity after it’s issued. Currently, there are four main functions for issuing a credential. If a relying party wants to verify a specific credential, do they just decode the JWT token, or is there another method? It seems like the JWT can be decoded easily, so I’m wondering if that means it’s not secure.
1 Like
Hi @Jonath-z
Please have a look at the validate_ii_presentation_and_claims function here. It contains all the necessary validation steps to make sure the information is genuine.
Note that the credentials are only signed and not encrypted. Hence they can be decoded. Privacy about the claim content (as opposed to the principals) is achieved by being selective about the parties the credentials are shared with, not through cryptographic means.
4 Likes
Thank you, this is helpful
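The difference between decoding and verifying that the answer describes, as an added example that is not part of the thread and not the code of the function linked in the answer. It assumes Ed25519 (JWS `EdDSA`) as a stand-in for the issuer's actual signature scheme; the keys, claims and function names are constructed for illustration.

```javascript
// Added example with constructed keys and claims; Ed25519 is a stand-in scheme.
const crypto = require('crypto');
const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Issuer: sign "header.payload" with the private key.
function issueJwt(claims, privateKey) {
  const header = b64url(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }));
  const input = `${header}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(crypto.sign(null, Buffer.from(input), privateKey))}`;
}

// Anyone: reading the claims needs no key at all (signed, not encrypted).
function decodeUnverified(jwt) {
  return JSON.parse(fromB64url(jwt.split('.')[1]).toString('utf8'));
}

// Relying party: trust the claims only after the signature checks out
// against the issuer's public key, with the algorithm pinned by the verifier.
function verifyJwt(jwt, issuerPublicKey, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header;
  try { header = JSON.parse(fromB64url(h).toString('utf8')); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (header.alg !== 'EdDSA') return { ok: false, reason: 'unexpected alg' };
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify(null, signed, issuerPublicKey, fromB64url(s))) {
    return { ok: false, reason: 'bad signature' };
  }
  const claims = JSON.parse(fromB64url(p).toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, claims };
}

// Swap the payload but keep the original signature (what "easy decoding" allows).
function replacePayload(jwt, claims) {
  const [h, , s] = jwt.split('.');
  return `${h}.${b64url(JSON.stringify(claims))}.${s}`;
}

// Constructed sample data: issuer key pair and a credential valid until 2100.
const issuer = crypto.generateKeyPairSync('ed25519');
const sampleClaims = { sub: 'constructed-principal', over18: true, exp: 4102444800 };
const sampleJwt = issueJwt(sampleClaims, issuer.privateKey);
```

Decoding succeeds on both the original and the edited token, but only the original passes `verifyJwt`, so readability of the payload does not let anyone alter or forge a credential.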