How to Securely Verify a Blockcert Credential?

Hello

I am relatively new to using blockchain-based credentials and recently received my first Blockcert. While I understand the basics of how it works, I want to ensure I am verifying these credentials in the most secure and reliable way.

Verification Process: What’s the best practice for verifying a Blockcert credential using the Blockcerts Universal Verifier? Are there specific steps or tips to ensure accuracy?
Trusted Sources: How do I confirm that the issuing authority is legitimate and not a spoofed entity?
Common Issues: Are there any common errors or pitfalls I should watch out for during the verification process?
Offline Options: Is there a secure way to verify Blockcerts offline in case I don’t have internet access?

I would appreciate any guidance or resources from the experienced members here. Your help will go a long way in making sure I am on the right track. I have also read this thread https://community.blockcerts.org/t/blockchain-based-certificate-useless-sac-analytics-cloud and it helped me a little, but I still need some more help.

Thanks in advance!

Looking forward to your insights.

With Regards,
Marcelo Salas

Verification Process: What’s the best practice for verifying a Blockcert credential using the Blockcerts Universal Verifier? Are there specific steps or tips to ensure accuracy?

I’m not sure exactly what you are asking here. The Blockcerts verifier component is a UI on top of cert-verifier-js, which is the highly maintained and up-to-date official verifier for Blockcerts. If you drag and drop, upload, or refer to a URL of a contextually valid Blockcert, it will proceed with verification and give you the status of the credential.

You can also spin up a server with cert-verifier-js (the cvjs-docker library is advised in this case, as it does the heavy lifting for you) and verify through an API call.

Trusted Sources: How do I confirm that the issuing authority is legitimate and not a spoofed entity?

This one is trickier, and we are currently in the process of improving the way issuer profiles are handled by Blockcerts. However, Blockcerts already works with DIDs, so you are not stuck with the issuer profile as it is implemented today. It is then up to the DID to implement the mechanisms to improve trustability in the issuer, although the verifier does not take extra steps at this time (but this is work in progress as it also gets standardized by the W3C CCG group).

Common Issues: Are there any common errors or pitfalls I should watch out for during the verification process?

Again, I’m not sure what the question is here. If you use the UI or comply with the API, the verification is handled for you.

Offline Options: Is there a secure way to verify Blockcerts offline in case I don’t have internet access?

No, the verifier does not cache blockchain transactions and performs a new read every time a verification occurs. So you need internet access.

As an additional note on DIDs and Issuer Profiles (generally under the Controller Document spec), we expect the verification method of the credentials’ proof to be pointing to a reference of a public key in the Controller’s document, that’s authorized for the purpose of the proof, and that can derive back to the blockchain address used for the Blockcerts issuance.

That way, we are binding the ownership of the blockchain address to the controller document. Again, we are currently looking at ways to improve trust and security of the controller document.
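The binding described in the reply above can be checked by hand. The following is an added example, not part of the original posts and not cert-verifier-js code. It assumes a Bitcoin mainnet P2PKH issuing address and a secp256k1 `publicKeyJwk`; the function names, the `did:example:issuer` document and the key (the curve's generator point) are constructed for illustration.

```javascript
const crypto = require('crypto');

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Base58Check: version byte + payload + 4-byte double-SHA256 checksum.
function base58check(version, payload) {
  const body = Buffer.concat([Buffer.from([version]), payload]);
  const full = Buffer.concat([body, sha256(sha256(body)).subarray(0, 4)]);
  let n = BigInt('0x' + full.toString('hex'));
  let out = '';
  while (n > 0n) { out = B58[Number(n % 58n)] + out; n /= 58n; }
  for (const byte of full) { if (byte !== 0) break; out = '1' + out; }
  return out;
}

// Assumption: the address is mainnet P2PKH over the compressed public key.
// Other chains (for example Ethereum) derive addresses differently.
function p2pkhAddress(jwk) {
  const x = Buffer.from(jwk.x, 'base64url');
  const y = Buffer.from(jwk.y, 'base64url');
  const prefix = Buffer.from([(y[y.length - 1] & 1) ? 0x03 : 0x02]);
  const pubKeyHash = sha256(Buffer.concat([prefix, x]));
  const h160 = crypto.createHash('ripemd160').update(pubKeyHash).digest();
  return base58check(0x00, h160);
}

// Three checks: the key is in the controller document, it is authorized for
// the proof's purpose, and it derives to the address that issued the credential.
function checkIssuerBinding(proof, controllerDoc, issuingAddress) {
  const vm = (controllerDoc.verificationMethod || [])
    .find((m) => m.id === proof.verificationMethod);
  if (!vm) return { ok: false, reason: 'verification method not in controller document' };
  const authorized = (controllerDoc[proof.proofPurpose] || [])
    .some((ref) => (typeof ref === 'string' ? ref : ref.id) === vm.id);
  if (!authorized) return { ok: false, reason: 'key not authorized for ' + proof.proofPurpose };
  if (!vm.publicKeyJwk || p2pkhAddress(vm.publicKeyJwk) !== issuingAddress)
    return { ok: false, reason: 'key does not derive to issuing address' };
  return { ok: true, reason: 'binding holds' };
}

// Constructed sample data: public key is the secp256k1 generator point.
const b64u = (hex) => Buffer.from(hex, 'hex').toString('base64url');
const sampleJwk = { kty: 'EC', crv: 'secp256k1',
  x: b64u('79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'),
  y: b64u('483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8') };
const sampleDoc = { id: 'did:example:issuer',
  verificationMethod: [{ id: 'did:example:issuer#key-1', publicKeyJwk: sampleJwk }],
  assertionMethod: ['did:example:issuer#key-1'] };
const sampleProof = { verificationMethod: 'did:example:issuer#key-1', proofPurpose: 'assertionMethod' };
```

In a real verification the issuing address comes from the anchoring transaction read from the blockchain, not from the credential or the controller document.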