Credential verification fails when did:web issuer contains multiple verificationMethods #977

Open
shev-pro opened this issue Mar 5, 2025 · 2 comments · May be fixed by #986

shev-pro commented Mar 5, 2025

Credential verification fails when the credential issuer uses did:web with multiple verification methods (verificationMethods). According to the [DID Core Specification](https://www.w3.org/TR/did-core/), did:web supports multiple keys, but walt.id verification currently breaks when resolving such DIDs.

To Reproduce

Steps to reproduce the behavior:

  1. Create a did:web with multiple keys in the DID Document (this is not actually possible with the current version of WaltID, but it is still possible with other providers).
  2. Issue a Verifiable Credential where the issuer is the did:web DID.
  3. Use walt.id (version 0.11) to verify the credential.
  4. Verification fails with an error related to key resolution.

Expected behavior

Verification should work with did:web issuers that have multiple keys, correctly identifying the correct key either from the kid field (if present) or by iterating through the available keys until a valid one is found.

Actual behavior

Verification eventually fails when the did:web issuer has multiple keys, because the first one from the set is taken. The current implementation expects only one key in the DID Document and does not handle multi-key resolution.

Additional context

  • Suggested fix: Update `resolveToKey` to handle `kid` directly (resolving to did:web#key-id when provided) and fall back to iterating over all verification methods if `kid` is absent.
  • This is important for compatibility with W3C DID Core Specification, particularly for ecosystems with key rotation or multi-key issuers.
  • Relevant spec section: [Verification Methods](https://www.w3.org/TR/did-core/#verification-methods)
shev-pro added the bug label Mar 5, 2025
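
The key selection suggested in the issue above (use `kid` when it is present, otherwise try every verification method), as an added example. It is not walt.id code and not the change in the linked PR; `candidate_methods`, `resolve_verifying_key`, the `signature_ok` callback and the sample DID document are hypothetical names and constructed data.

```python
# Added example; not walt.id code. All names below are hypothetical.
DID = "did:web:issuer.example"  # constructed issuer DID
DID_DOC = {                     # constructed DID document with two keys
    "id": DID,
    "verificationMethod": [
        {"id": f"{DID}#key-1", "controller": DID, "type": "JsonWebKey2020",
         "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "constructed-1"}},
        {"id": "#key-2", "controller": DID, "type": "JsonWebKey2020",
         "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "constructed-2"}},
    ],
}


def _absolute(ref, did):
    """Turn 'key-2' or '#key-2' into a full DID URL; leave full DID URLs alone."""
    if "#" not in ref:
        ref = "#" + ref
    return did + ref if ref.startswith("#") else ref


def candidate_methods(did_doc, issuer, kid=None):
    """Verification methods to try, in order, for a credential from `issuer`."""
    if did_doc.get("id") != issuer:
        raise ValueError("DID document id does not match the issuer")
    methods = did_doc.get("verificationMethod", [])
    if kid is None:
        return list(methods)  # no kid: every key in the document is a candidate
    wanted = _absolute(kid, issuer)
    if wanted.split("#", 1)[0] != issuer:
        raise ValueError("kid refers to a DID other than the issuer")
    matches = [m for m in methods if _absolute(m.get("id", ""), issuer) == wanted]
    if not matches:
        # Fail closed: a kid that names no key must not fall back to other keys.
        raise ValueError(f"no verification method {wanted!r} in issuer document")
    return matches


def resolve_verifying_key(did_doc, issuer, kid, signature_ok):
    """Return the first candidate whose key validates the signature, else None.

    signature_ok(jwk) -> bool stands in for the caller's real signature check.
    """
    for method in candidate_methods(did_doc, issuer, kid):
        if signature_ok(method["publicKeyJwk"]):
            return method
    return None
```

With the constructed document, a credential signed by the second key resolves only because the loop continues past the first key, which is the case this issue reports as failing.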

alegomes commented Mar 7, 2025

Hi and thanks again, @shev-pro

We are aware of that and the fix is already in the roadmap. I just can't guarantee when exactly it will be released. :-(

Best,
Ale

alegomes self-assigned this Mar 7, 2025
linear bot assigned taminobaumann and unassigned alegomes Mar 7, 2025
shev-pro commented

Hi @alegomes. I've created PR 986

SuperBatata linked a pull request Mar 20, 2025 that will close this issue