W3C publishes first draft of Verifiable Credential Forgery Defense specification
The W3C Verifiable Credentials Working Group has published a First Public Working Draft for a mechanism intended to help issuers protect older verifiable credentials against future forgery risks linked to quantum-capable attacks.
The World Wide Web Consortium’s Verifiable Credentials Working Group has published the First Public Working Draft of Verifiable Credential Forgery Defense v1.0.
The draft was published on 30 June 2026. It proposes an anti-forgery mechanism for verifiable credentials using indexed cryptographic ‘witnesses’.
Verifiable credentials are digital records that can be cryptographically checked. They can be used to prove claims such as qualifications, licences, memberships, authorisations or other attributes. They usually rely on digital signatures from an issuer.
The problem addressed by the draft is key compromise. If an issuer’s private signing key is compromised, an attacker may be able to create forged credentials that appear valid under ordinary signature checks. The W3C draft also frames this as a post-quantum risk, because future quantum-capable attackers may be able to break some conventional signature algorithms.
The new specification is complementary to W3C’s work on quantum-resistant cryptosuites. Those cryptosuites are intended to let issuers protect new proofs with post-quantum signatures. The forgery defense draft addresses a different problem: how to protect credentials that were already issued, or still need to be issued, with conventional signatures that may later become vulnerable.
The proposed mechanism uses a witness list. An issuer publishes a list of compact cryptographic witnesses linked to credentials it actually issued. The witness list is itself a verifiable credential and may be signed with a post-quantum signature scheme.
A verifier can then check whether a credential matches the witness published by the claimed issuer. If the witness does not match, the credential may not have been genuinely issued by that issuer.
This approach allows an issuer to provide post-quantum-authenticated credentials for existing credentials without reissuing each one. That may be important where reissuance is costly, impractical or impossible.
The draft defines a data model and verification algorithms. It also describes three usage modes. An implicit mode can reuse existing status list infrastructure without modifying the protected credential. An explicit mode adds a witness list entry to the credential’s status information. A standalone mode supports use cases that define their own index allocation.
The document is still an early-stage W3C draft. Publication as a First Public Working Draft does not mean it has been endorsed by W3C or its members. It may still be updated, replaced or withdrawn as the standards process continues.
The Verifiable Credentials Working Group is inviting comments through its GitHub repository.
