A research paper on Blockcerts’ security analysis was recently published finding that they are vulnerable to a certain type of impersonation attack by fabricating a fake issuer profile to impersonate a legitimate issuer “name” : https://arxiv.org/abs/1910.04622
I know that Blockcerts does not currently attempt to solve the problem of issuer identity directly, and that the Issuers must declare their official blockchain address on their official website in the Issuer Profile and it must be verified that the address that signed the transaction belongs to the university by pointing out that the URL of the profile of the Issuer is really on the official Issuer’s website.
In addition, the proposed evolution V3 envisages the use of Decentralized Identifiers, which more directly represent the identity of the issuer: DIDs as a way to properly identify issuers
However in this perspective we are providing for informative actions to help the user pay more attention to identity verification, modifying the verifier to display useful elements such as the URL of the Issuer Profile.
I would like to examine your views on this issue and the proposals on changes to the Blockcerts viewer in addition to creating an informative web page that also explains the meaning of the Blockcerts verification and contains instructions for “manual” verification of the origin.
Thank you.
Dario_