So the credentials themselves are verifiable.

But in most cases, wouldn't you need to also verify the identity of the person presenting them?

I assume this is where the "payload" field comes into play but due to the brevity, the security seems questionable.

With several examples of valid credentials and the available info, it shouldn't be *that* difficult to work out the signing key and start forging credentials.

Unless I misunderstand, this is interesting but it appears to only be a small part of the verification process.