Description
When verifying a credential, the issuer id is resolved as-is. When the id is a DID (`did:example:foo`), the credential is verified against the current version of the DID document. If a verification method is removed, all credentials signed with that key will become invalid. Depending on the use case, this can be the intended behavior or can be problematic.
The DID standard defines the `versionTime` parameter, which resolves to the version of the DID document that was valid at a certain time. Typically, when using `versionTime`, the result is immutable.
While not defined specifically like this in the VC standard, the `versionTime` parameter can be added to the `issuer` id to ensure that VCs aren't implicitly revoked when the DID document is modified. This should work with all verifiers, as they'll resolve the identifier as-is and should remove any parameters.
```js
{
  credential: {
    issuer: { id: `${identifier.did}?versionTime=${versionTime}` },
    credentialSubject: {
      id: 'did:web:example.com',
      you: 'Rock',
    },
  },
  proofFormat: 'jwt',
}
```
In `createVerifiableCredential`, the issuer is extracted from the verifiable credential and used to look up the identifier from the manager. It should remove the DID parameters (or just `versionTime`) when looking up the identifier.
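As an added example (not the project's code and not part of this issue), the following shows one way to do the lookup the way the paragraph above proposes: split the issuer id into its bare DID and its DID-URL parameters, query the DID manager with the bare DID, and leave the parameterised id untouched in the credential. The regular expression is a simplified form of the DID Core DID-URL grammar, `managedIdentifiers` is a constructed stand-in for the agent's DID manager, and the sample credential and timestamp are constructed values.

```javascript
// Added example: separating a DID URL into bare DID + parameters so a DID manager
// lookup uses the bare DID while the credential keeps the parameterised issuer id.
// Simplified DID Core grammar: did:<method>:<method-specific-id>[/path][?query][#fragment]
const DID_URL_RE = /^(did:[a-z0-9]+:[A-Za-z0-9._%:-]+)(\/[^?#]*)?(?:\?([^#]*))?(#.*)?$/;

function parseDidUrl(didUrl) {
  const m = DID_URL_RE.exec(didUrl);
  if (!m) throw new Error(`not a DID URL: ${didUrl}`);
  const [, did, path = '', rawQuery, fragment = ''] = m;
  // Keep raw name/value pairs so re-serialising never changes their encoding.
  const params = rawQuery === undefined
    ? []
    : rawQuery.split('&').filter(Boolean).map((pair) => {
        const i = pair.indexOf('=');
        return i === -1 ? [pair, null] : [pair.slice(0, i), pair.slice(i + 1)];
      });
  return { did, path, params, fragment };
}

function serializeDidUrl({ did, path = '', params = [], fragment = '' }) {
  const query = params.map(([k, v]) => (v === null ? k : `${k}=${v}`)).join('&');
  return did + path + (query ? `?${query}` : '') + fragment;
}

// Remove only the named parameters (default: versionTime), keeping path, other
// parameters and fragment as they were.
function stripDidParams(didUrl, names = ['versionTime']) {
  const parsed = parseDidUrl(didUrl);
  parsed.params = parsed.params.filter(([k]) => !names.includes(k));
  return serializeDidUrl(parsed);
}

// The key a DID manager should be queried with: the bare DID, with no path,
// query or fragment.
function bareDid(didUrl) {
  return parseDidUrl(didUrl).did;
}

// Constructed stand-in for an agent's DID manager, keyed by bare DID (assumption).
const managedIdentifiers = new Map([
  ['did:example:foo', { did: 'did:example:foo', keys: ['key-1'] }],
]);

// Resolve the managed identifier for a credential's issuer, which may be a plain
// string or an object with an `id`, as in the issue's example.
function lookupIssuer(credential, store = managedIdentifiers) {
  const issuer = typeof credential.issuer === 'string' ? credential.issuer : credential.issuer.id;
  return store.get(bareDid(issuer)) ?? null;
}

// Constructed sample: the issuer id carries versionTime as proposed in the issue.
const versionTime = '2024-01-01T00:00:00Z';
const sampleCredential = {
  issuer: { id: `did:example:foo?versionTime=${versionTime}` },
  credentialSubject: { id: 'did:web:example.com', you: 'Rock' },
};

// A lookup with the id as-is misses the manager entry; the bare-DID lookup finds it.
console.log(managedIdentifiers.get(sampleCredential.issuer.id)); // undefined
console.log(lookupIssuer(sampleCredential)); // { did: 'did:example:foo', keys: [ 'key-1' ] }
console.log(stripDidParams(`${sampleCredential.issuer.id}&service=agent#key-1`));
```

Stripping only `versionTime` (rather than every parameter) keeps other DID-URL parameters such as `service` intact for callers that rely on them, while the bare-DID lookup sidesteps the question entirely for the manager, which only knows identifiers without parameters.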
The alternative would be to always add `versionTime` when resolving a DID for verifying a credential. However, the standard doesn't indicate that that's the correct behavior.