Item verification
DiME, the open and trust-based data format building secure Application-based Public-Key Infrastructures (APKIs) in a breeze.
Before a DiME item is trusted and used, it must be verified. Verification is an important step and reflects the saying "Trust, but verify", or perhaps the more modern version "Never trust, always verify".
There are four steps in the verification of a DiME item, these are:
1. (if available/applicable) verify the issuer of the DiME item
   - verify that the "iss" claim in the verified item is equal to the "sub" claim of the identity used to verify
   - verify the validity (dates) in the issuer identity, see point 2 for the required steps
2. (if available) verify any dates in the DiME item
   - verify that the issued at date has passed (if the "iat" claim is set)
   - verify that the issued at date is not after the expiration date (if the "iat" and "exp" claims are set)
   - verify that the expiration date has not passed (if the "exp" claim is set)
3. (if available) verify that linked items are valid
4. (if available) verify that the digital signature is correct
   - if verifying with a trust chain, then each identity in the trust chain up to the root must also have its signature verified
This order is used to ensure that the more expensive verification operations, verification of item links and of digital signatures, are done later in the verification process. If any step fails, then the verification must exit with an appropriate error code.
Each verification may be done separately if this is more appropriate. However, it is generally recommended to verify everything in one operation.
Verify issuer claim
If a DiME item is verified directly using a DiME identity, and thus using the public key inside the identity, then the claim "iss" must contain the same value in both items.
Verify dates
If any date-based claims are set in an item, then those need to be verified. The following order should be used when verifying:
1. The issued at date must be earlier than the current system date
2. The issued at date must not be later than the expiration date
3. The expiration date must be later than the current system date
Note that it is only necessary to validate those dates that are set in an item. If a date claim is excluded, then the item should be considered to never expire (missing "exp" claim) or have no start date (missing "iat" claim).
Date verification should be done using milliseconds. This may, however, introduce a time synchronization issue when sending instant or short-lived items between entities. For thoughts and solutions to this problem, refer to Time synchronization.
All dates processed must always be in Coordinated Universal Time (UTC).
Verify linked items
Linked items need to be verified before an item may be considered complete from an integrity perspective.
Multiple items may be linked to one DiME item, and it should be possible to verify one or more of them at the same time. If only a subset of the linked items is provided, then integrity should be considered partly intact, and only if every provided item verifies successfully. Integrity is fully intact only when all linked items are verified successfully against a complete and matching set of provided items.
If any item in a provided list is verified unsuccessfully, then integrity must be considered broken.
Linked items may be omitted when verifying for trust, which may be the case when the verifying entity does not have access to the original items that are linked.
Verify signature
Verification of a digital signature is normally the most expensive operation, thus it may be done last, and only if all other previous verification operations have completed successfully.
A provided public key, or locally stored trusted public keys, should be used to verify the DiME item against its signature. The item header together with any Base64-encoded content must be used when generating the signature, and thus also when verifying it.
For additional details of signatures and how they are encoded, refer to Signature encoding.
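The four-step order from the list above, together with the date, linked-item and signature rules of the sections that follow it, as an added example that is not DiME's own code: cheap checks run first and the signature check last, and verification stops at the first failing step. The result codes, the "lnk" claim layout (uid to SHA-256 thumbprint) and HMAC-SHA256 as a stand-in for the real signature scheme are assumptions made for this example.

```python
import hashlib, hmac, time
# Assumed for this example, not DiME's own: the result codes, the "lnk" layout and HMAC as signature stand-in.
OK, PARTIAL, ERR_ISSUER, ERR_DATE, ERR_LINK, ERR_SIGNATURE = "ok", "partial", "issuer", "date", "link", "signature"

def sign(header, content, key):
    """Stand-in signature over header + Base64 content (the bytes the page says are signed)."""
    return hmac.new(key, header + b"." + content, hashlib.sha256).hexdigest()

def thumbprint(data):
    return hashlib.sha256(data).hexdigest()   # assumed link thumbprint of a linked item's encoded bytes

def verify_dates(claims, now_ms):
    """Date checks in the page's order, in UTC milliseconds; absent claims are skipped."""
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is not None and iat > now_ms:
        return ERR_DATE            # issued-at date has not passed yet
    if iat is not None and exp is not None and iat > exp:
        return ERR_DATE            # issued after its own expiration
    if exp is not None and exp < now_ms:
        return ERR_DATE            # expired
    return OK

def verify_links(links, provided):
    """links: {uid: thumbprint}; provided: {uid: bytes} supplied by the verifier."""
    checked = 0
    for uid, thumb in links.items():
        if uid not in provided:
            continue               # omitted by the verifier: integrity is at best partly intact
        if thumbprint(provided[uid]) != thumb:
            return ERR_LINK        # any mismatch breaks integrity
        checked += 1
    return OK if checked == len(links) else PARTIAL

def verify_item(item, identity=None, provided=None, key=b"", now_ms=None):
    """Cheap checks first, signature last; stops at the first failing step."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    claims = item["claims"]
    if identity is not None:       # step 1: issuer and the issuer identity's own dates
        if claims.get("iss") != identity["claims"].get("sub"):
            return ERR_ISSUER
        if verify_dates(identity["claims"], now_ms) != OK:
            return ERR_ISSUER
    if (r := verify_dates(claims, now_ms)) != OK:                  # step 2
        return r
    links = verify_links(claims.get("lnk", {}), provided or {})    # step 3
    if links == ERR_LINK:
        return ERR_LINK
    if not hmac.compare_digest(sign(item["header"], item["content"], key), item["signature"]):
        return ERR_SIGNATURE       # step 4, the most expensive check, runs last
    return links                   # OK, or PARTIAL when some linked items were not provided
```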
Integrity state results
The following table outlines the integrity state result values for DiME item verification. These states must be used to indicate the result of a verification.