Presentations timestamps - emitting and validating presentations with timestamps

A use case of the Verifiable Credential model⁷ is the presentation of credentials person to person, using QR codes. This article expresses some considerations that are important when implementing verification of this kind of presentations.

• Verifiable Presentations (VP) should always be signed by a DID controller.
• VC presentations (VP) must contain a presentation_date and, optionally, an expiration_date.
• Verifier should check both dates to make sure it is a Presentation that was signed at the verification time. If no expiration_date is present the Verifier should have a (configurable) parameter presentation_grace from the presentation_date, for example presentation_grace=1 minute. This prevents replay attacks.
• A recommended verification user experience is:
  1. Verifier asks credential to Holder
  2. Holder selects a credential
  3. Holder taps on show QR button
  4. Holder shows QR
  5. Verifier scans QR
  6. Verifier app verifies VP
  7. Verifier app displays presented credentials information
  8. Verifier validates information
• To prove that the person presenting the credential is really the owner of the credential, it is advisable to request that they present a verified photo of themselves, or other kind of physical proof
• The verifier app could stablish a communication channel when scanning the holder’s QR and request a challenge-response authentication to prove control of the DID - a new protocol can be defined for this specific case
• It is important to remark the difference between proving DID control and proving the person is the real owner