Paper-First Verifiable Credentials Specification Using QR Codes
github.com
So the credentials themselves are verifiable.
But in most cases, wouldn't you need to also verify the identity of the person presenting them?
I assume this is where the "payload" field comes into play but due to the brevity, the security seems questionable.
With several examples of valid credentials and the available info, it shouldn't be that difficult to work out the signing key and start forging credentials.
Unless I misunderstand, this is interesting but it appears to only be a small part of the verification process.
I think we've thought the same, although you've put it better than I would: exactly how verifiable would this be for such a large deployment like the COVID passports of one of the examples?
As far as I can tell, this is just a slightly more sophisticated version of the Luhn check digit used to verify credit card numbers.