vc-imp-guide
vc-imp-guide copied to clipboard
Specify that VCs that are not signed are not VCs
Based on this security compromise:
https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/
One of the issues in the compromise described by the article above is that there are no digital signatures on any of the data transmitted by the mobile driver's license app. Verifiable Credentials would've prevented this first error because VCs have to be digitally signed to be trusted. At least, we hope that's what people out there are doing. The takeaway for us is to clearly outline this in the implementation guide -- it's not a VC if it's not signed by an issuer, there is no security if it is not signed.
It's important for us to provide guidance to implementers that VCs that are not signed are not VCs and are not safe to use for any critical task. An unsigned VC is effectively self-asserted information.