So the credentials themselves are verifiable.
But in most cases, wouldn't you need to also verify the identity of the person presenting them?
I assume this is where the "payload" field comes into play, but due to the brevity, the security seems questionable.
With several examples of valid credentials and the available info, it shouldn't be that difficult to work out the signing key and start forging credentials.
Unless I misunderstand, this is interesting but it appears to only be a small part of the verification process.