Limiting and verifying attribute issuer

My application has a need to verify a specific user attribute before authorizing access to a resource…but that user attribute must be issued by a specific application to have the integrity necessary to use that attribute.

I apologize if this is stupid (I am new to building on Solid), but I can’t seem to determine how I can build an ACP that binds a user attribute to a specific attribute issuer. Any help would be greatly appreciated!


Can you use digital signatures for this?

In general this would include:

  • the attribute issuer has a private and public key
  • the attribute issuer would sign the attribute (or hash of it) with its private key, see e.g. HMAC
  • the attribute issuer saves the attribute and signature in the pod
  • your application reads the attribute and signature from the pod and the public key from the attribute issuer
  • your application verifies the signature with the public key

Note that the private key should stay private. So either it always stays in the backend of the application, or, if it is used in the frontend, the person using the application should be trusted (as they could copy the private key).

I think verifiable credentials go in the same direction, though I haven’t looked into this.
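
The sign-and-verify flow listed in the answer above, as an added example that is not part of the original posts. It uses Ed25519 signatures from Node.js's built-in `crypto` module, so the application holds only the issuer's public key; the WebIDs, the attribute name, the record layout and the function names are constructed for illustration. It also binds the signature to the issuer and the subject, so a signed attribute copied from another user's pod is rejected.

```javascript
// Added example (not from the thread): issuer-signed attribute checked by the application.
const crypto = require('node:crypto');

// Serialize the claim in a fixed field order so signer and verifier use identical bytes.
function canonicalBytes(claim) {
  const fields = [claim.issuer, claim.subject, claim.name, claim.value];
  return Buffer.from(JSON.stringify(fields), 'utf8');
}

// Issuer side (backend only): sign the claim; the returned record is what is saved in the pod.
function issueAttribute(privateKey, claim) {
  const signature = crypto.sign(null, canonicalBytes(claim), privateKey).toString('base64');
  return { claim, signature };
}

// Application side: the pod content is untrusted input. Accept the attribute only if it
// names the pinned issuer, is about the requesting user, and verifies under the pinned key.
function verifyAttribute(record, trusted, requesterWebId) {
  const { claim, signature } = record || {};
  if (!claim || typeof signature !== 'string') return false;
  if (claim.issuer !== trusted.issuer) return false;
  if (claim.subject !== requesterWebId) return false;
  const sig = Buffer.from(signature, 'base64');
  return crypto.verify(null, canonicalBytes(claim), trusted.publicKey, sig);
}

// Constructed sample data: two key pairs and two users (all identifiers are made up).
function demo() {
  const issuerKeys = crypto.generateKeyPairSync('ed25519');
  const otherKeys = crypto.generateKeyPairSync('ed25519');
  const alice = 'https://alice.example/profile/card#me';
  const bob = 'https://bob.example/profile/card#me';
  const trusted = { issuer: 'https://issuer.example/#app', publicKey: issuerKeys.publicKey };
  const claim = { issuer: trusted.issuer, subject: alice, name: 'ageOver18', value: true };

  const record = issueAttribute(issuerKeys.privateKey, claim);
  const tampered = { claim: { ...claim, value: false }, signature: record.signature };
  const forged = issueAttribute(otherKeys.privateKey, claim); // right issuer name, wrong key
  return {
    valid: verifyAttribute(record, trusted, alice),
    tampered: verifyAttribute(tampered, trusted, alice),
    forged: verifyAttribute(forged, trusted, alice),
    replayed: verifyAttribute(record, trusted, bob), // Alice's record presented for Bob
    unsigned: verifyAttribute({ claim }, trusted, alice),
  };
}

console.log(demo());
```

The trusted issuer identifier and public key are pinned in the application's own configuration here; the check is only as strong as the channel through which the application obtained that key.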

@A_A That absolutely makes sense! I think this implementation would be rather simple…thank you for taking the time to respond.