
Be suspicious of QR Code flows that don't also check digital signatures at some point

Open msporny opened this issue 2 years ago • 2 comments

From this article:

https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/

One of the security compromises had to do with the QR Code being trusted in some way without a digital signature being used. It's unclear what, if any, protection mechanism was in place for the QR Code, but what is clear is that it was not a digital signature that was being verified. Or if it was, the signature was created client-side and was not being checked for validity or revocation by the verifier.

Implementers should strive for digitally signed QR Codes. For example, every QR Code in the TruAge age verification program is a unique, digitally signed VC encoded as CBOR-LD and displayed as a QR Code. The verifier must check that the issuer is valid and the signature is valid before processing the data. QR Codes that don't result in a digital signature check happening at some point in the process are asking for trouble. We should provide some guidance to implementers that notes that the use of QR Codes w/o some sort of digital signature validation at some point in the process is dangerous.

msporny May 25 '22 21:05
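The verifier-side checks this issue asks for (trusted issuer, valid signature, revocation), as an added example that is not part of the original issue and not TruAge's code. It assumes Node.js and a JSON body with a detached Ed25519 signature rather than CBOR-LD; `did:example:issuer`, `TRUSTED_ISSUERS`, `REVOKED_IDS` and the function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed issuer key pair. A real verifier holds only the public key,
// obtained out of band, never from the scanned payload.
const issuerKeys = crypto.generateKeyPairSync('ed25519');
const TRUSTED_ISSUERS = new Map([['did:example:issuer', issuerKeys.publicKey]]);
const REVOKED_IDS = new Set(['urn:example:credential:2']); // constructed revocation list

// Issuer side: sign the exact bytes that end up in the QR Code.
function issueQrPayload(credential, privateKey) {
  const body = Buffer.from(JSON.stringify(credential), 'utf8');
  const signature = crypto.sign(null, body, privateKey);
  return `${body.toString('base64url')}.${signature.toString('base64url')}`;
}

// Verifier side: no field is acted on until every check has passed.
function verifyQrPayload(qrText) {
  const parts = String(qrText).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const body = Buffer.from(parts[0], 'base64url');
  const signature = Buffer.from(parts[1], 'base64url');
  let claims;
  try {
    claims = JSON.parse(body.toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (claims === null || typeof claims !== 'object') return { ok: false, reason: 'malformed' };
  // The issuer field only selects a key from the verifier's own trust list.
  const publicKey = TRUSTED_ISSUERS.get(claims.issuer);
  if (!publicKey) return { ok: false, reason: 'untrusted-issuer' };
  if (!crypto.verify(null, body, publicKey, signature)) return { ok: false, reason: 'bad-signature' };
  if (REVOKED_IDS.has(claims.id)) return { ok: false, reason: 'revoked' };
  return { ok: true, claims };
}

// Constructed test fixture: a copy of the payload whose body was edited
// after signing, with the original signature left in place.
function editedCopy(qrText, changes) {
  const [b64, sig] = qrText.split('.');
  const edited = { ...JSON.parse(Buffer.from(b64, 'base64url').toString('utf8')), ...changes };
  return `${Buffer.from(JSON.stringify(edited)).toString('base64url')}.${sig}`;
}
```

The signature is checked over the raw body bytes as scanned, so any re-serialization or client-side edit of the claims fails verification.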