Blockcerts verification process: clarifications to authenticity check


We are rolling out the Blockcerts V2 schema changes, and I’d like to provide more context about those changes and how they improve Blockcerts’ alignment with other important standards. The V2 changes are tracked in detail in (quite long) github issues, but the posts here are intended to be topical – briefer and hopefully more readable.

One area of the Blockcerts verification specification we clarified is the authenticity check; i.e. verifying the claimed issuer actually signed the blockchain transaction. This resolves some formerly vague aspects of the verification process, and reflect the latest details of the Blockcerts verification libraries (cert-verifier, cert-verifier-js, and cert-wallet).

Previously, Blockcerts verification specified that the signing key must be consistent with those claimed by the issuer, but lacked some details. The latest documentation specifies that:

  • the transaction must be checked to ensure it was issued before the issuing key expired, before it was revoked, and after the created date
  • the transaction timestamp from blockchain’s transaction record itself must be used for comparison

The latter is significant to call out because the blockchain’s transaction record provides a reliable timestamp (by construction) to check against the signing keys claimed by the issuer.

Also note that, whereas previously keys could only be marked invalidated, now they can be marked expires or revoked. This is because the V2 issuer key schema now uses the Cryptographic Key class. This allows more precision than the previous issuer schema (by differentiating between expired and revoked cases), and improves standards alignment of Blockcerts.


Thanks for the note. We are working through these changes now.