Presentation verification

Overview

Presentation verification is an end-to-end presentation request workflow to verify Web Credentials.

The verifier first communicates to the holder's wallet what types of credentials and information they need to verify. The wallet presents matching credentials to the holder and requires consent for sharing them with the verifier. Upon the holder's consent, the wallet responds to the presentation request with a verifiable presentation response, which includes the required credentials. The verifier then verifies this verifiable presentation to conclude the verification workflow.

Different interactions may require a single credential, multiple credentials, or just some claims from a credential.

DID Authentication: One specific use case of presentation verification is to obtain a DID and use it to authenticate its holder. To achieve this, we create a presentation template of a specific DIDAuth type, which requests only the holder's subject DID. Once the wallet responds with a verifiable presentation, you can verify it, store the subject DID included in it, and then use that DID to engage directly with this specific wallet. For example, you can issue credentials directly to the wallet or send a DID message.

The workflow comprises the following steps:

  1. The verifier creates a generic presentation template.
  2. The verifier creates a specific presentation request.
  3. The wallet creates a verifiable presentation and shares it with the verifier.
  4. The verifier verifies the verifiable presentation.

The verifier creates a generic presentation template

Presentation templates define what type of credential and what information is requested by the verifier. The template is long-lived and is persisted on your tenant. MATTR VII supports two types of templates:

The verifier creates a specific presentation request

When requesting a credential for verification from a specific holder, the credential template is used to create a presentation request. This short-lived object is used by the holder's mobile wallet to display a list of credentials that match the verifier's request.

Presentation requests can be created using a callback URL or the OIDC Bridge. They expire after five minutes by default and are not persisted on your tenant beyond that.

The wallet creates a verifiable presentation

Upon receiving a presentation request, the wallet uses its information to display all credentials that match the presentation requirements. The holder can then select and send the requested credentials in the form of a verifiable presentation. This presentation includes a cryptographic proof that the included credentials were issued to the presenting holder.

The verifier verifies the verifiable presentation

When the verifier receives the verifiable presentation, it performs verification checks, which differ based on the credential profile and type. The verification platform then passes the verification results on so that the required business logic can be applied. For example, some operators would deny a service if a credential is invalid, while others would choose only to show a warning.
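
A sketch of the verifier-side bookkeeping around steps 2 to 4, added here as an example and not MATTR's code or API: it tracks the short-lived request, rejects unknown, replayed or expired responses, and applies a deny-or-warn policy. The class name, the payload keys challenge, verified and holder_did, and the decision strings are assumptions; the verified flag stands in for the platform's verification result.

```python
import secrets
import time

REQUEST_TTL_SECONDS = 5 * 60  # default request lifetime stated on this page


class PresentationRequests:
    """Verifier-side tracking of short-lived presentation requests (hypothetical)."""

    def __init__(self, policy="deny", clock=time.time):
        if policy not in ("deny", "warn"):
            raise ValueError("policy must be 'deny' or 'warn'")
        self.policy = policy
        self.clock = clock
        self.pending = {}  # challenge -> expiry timestamp

    def create(self):
        # Unpredictable single-use value that ties a response to this request.
        challenge = secrets.token_urlsafe(32)
        self.pending[challenge] = self.clock() + REQUEST_TTL_SECONDS
        return challenge

    def handle_response(self, response):
        """Return (decision, holder_did) for an assumed callback payload (a dict)."""
        challenge = response.get("challenge")
        # pop() makes each request single-use, so a replayed response is rejected.
        expiry = self.pending.pop(challenge, None) if isinstance(challenge, str) else None
        if expiry is None:
            return ("reject:unknown-request", None)
        if self.clock() > expiry:
            return ("reject:expired", None)
        if response.get("verified") is not True:
            # Business logic from the page: deny the service, or only warn.
            decision = "deny" if self.policy == "deny" else "allow-with-warning"
            return (decision, None)  # never keep a DID from an unverified presentation
        # Only a verified presentation yields a subject DID worth storing (DID Auth).
        return ("allow", response.get("holder_did"))
```

Passing a fake clock lets the expiry path be exercised without waiting five minutes.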
