Credential Status checking in CLI

[clehner]

In DIDKit HTTP, there is a "checks" option allowed, an array with expected values "proof" and/or "credentialStatus", that is supposed to indicate what checks the verification should do. This usage comes from VC (HTTP) API Test Suite - but the "checks" option is not actually part of the VC (HTTP) API. A relevant issue on the test suite is here: w3c-ccg/vc-api-test-suite#8, which recommends that the test suite remove use of the checks verification option and that implementations use a fixed set of checks.

The checks option can also be used with DIDKit FFIs, where credential verification functions take an options argument.

In DIDKit CLI, there is no checks option. The CLI basically assumes the checks option is set to ["proof"], to just check the credential/presentation proof object (or JWS for a JWT VC/VP). This means the CLI doesn't have a way to request credentialStatus checking (e.g. use of revocation lists) currently. To fix this, we could add a CLI option for checks. -c (--created) and -C (--challenge) are already taken, so if for example it is -x (as in chex), it could be used like -x proof -x credentialStatus or maybe -x proof,credentialStatus. Alternatively, DIDKit could implement default checks as suggested in w3c-ccg/vc-api-test-suite#8. This would probably mean checking credentialStatus if the credentialStatus property is present, and always checking the proof/JWS. This behavior could be applied across HTTP, CLI, and FFI - and could enable deprecating the checks verification option.

• Add CLI checks option OR implement default checks

[bumblefudge]

sounds good