Update authorization flow to reflect verification of VCs (#48)

docs/developer/decision-records/2022-06-08-identity-hub/README.md

@@ -23,6 +23,8 @@ Each participant in the dataspace will have a single [decentralized identifier](
 
 During participant-to-participant communication via IDS REST, the request destination participant queries the Verifiable Presentations of the request originator participant. Access to resources is granted or denied according to the policies in place and the available Verifiable Presentations.
 
+Verifiable Presentations are issued and signed by a trusted authority. Before applying any policies, participants access the public key of that trusted authority from its DID Document, and check that Verifiable Presentations are valid. Only valid Verifiable Presentations must be taken into account in policy evaluations. Participants are responsible for reacting to the presence of invalid Verifiable Presentations as they see fit.
+
 ![Authorization](authorization.png)
 
 Note that complex IDS flows, such as negotiating a contract agreement, requires multiple IDS requests flowing back and forth between participants. In that case, participants will alternate in the flow above, and both participants require an Identity Hub.

docs/developer/decision-records/2022-06-08-identity-hub/authorization.puml

@@ -8,6 +8,10 @@ end box
 box "Participant B" #LightGreen
 Participant "Participant B\nAPI" as B
 end box
+box "Authority" #LightYellow
+Participant "Authority\nDID Document" as DA
+end box
+
 
 ParticipantA -> B ++: Request:\n - DID JWS
 activate ParticipantA
@@ -17,6 +21,9 @@ group authorize request
   B -> B: Verify JWS
   B -> IDHUB ++: Get Verifiable Presentation
   return Verifiable Presentation
+  B -> DA ++: Get issuer DID Document
+  return DID Document (contains public key)
+  B -> B: verify Verifiable Presentation JWS
   B -> B: apply access policy
 end
 return response