- All requests to the Proof Engine must be:
  - signed by the user / Agent
  - checked by Policy Engine
  - tied to a specific `identity_commitment`
- No proof can be generated:
  - for revoked identities
  - using expired attributes
  - against old commitments (unless explicitly allowed for historical proofs)
- Templates are versioned: `age_over_18@v1`, `age_over_18@v2`
- Verification keys are rotated with template versions.
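
The rules above can be enforced as a single fail-closed admission gate that runs before any proof is generated. The sketch below is an added example, not code from the system described here. It assumes an HMAC as a stand-in for the real request signature, in-memory tables for revocation, commitments and attribute expiry, and hypothetical names (`ProofRequest`, `signed`, `admit`, `vk-1`, `vk-2`).

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed sample state (all names and values are assumptions, not the page's).
AGENT_KEYS = {"agent-1": b"k1", "agent-9": b"k9"}  # HMAC stands in for a real signature
REVOKED = {"agent-9"}
CURRENT_COMMITMENT = {"agent-1": "c2", "agent-9": "c7"}
OLD_COMMITMENTS = {"agent-1": {"c1"}}
ATTR_EXPIRY = {("agent-1", "birthdate"): 2_000_000_000}  # unix seconds
VERIFICATION_KEYS = {"age_over_18@v1": "vk-1", "age_over_18@v2": "vk-2"}

@dataclass(frozen=True)
class ProofRequest:
    identity: str
    identity_commitment: str
    template: str             # versioned name, e.g. "age_over_18@v2"
    attribute: str
    historical: bool = False  # explicit opt-in to prove against an old commitment
    signature: str = ""

def mac(key: bytes, r: ProofRequest) -> str:
    # Demo encoding only; a real scheme needs an unambiguous canonical form.
    msg = "|".join([r.identity, r.identity_commitment, r.template,
                    r.attribute, str(r.historical)])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def signed(r: ProofRequest) -> ProofRequest:
    """Client side: bind every field, including the commitment, into the signature."""
    return replace(r, signature=mac(AGENT_KEYS[r.identity], r))

def admit(r: ProofRequest, now: int) -> str:
    """Policy gate: return the verification key id for the template, or raise."""
    key = AGENT_KEYS.get(r.identity)
    if key is None or not hmac.compare_digest(mac(key, r), r.signature):
        raise PermissionError("bad signature")
    if r.identity in REVOKED:
        raise PermissionError("identity revoked")
    if r.identity_commitment != CURRENT_COMMITMENT.get(r.identity):
        is_old = r.identity_commitment in OLD_COMMITMENTS.get(r.identity, set())
        if not (is_old and r.historical):
            raise PermissionError("commitment not current")
    expiry = ATTR_EXPIRY.get((r.identity, r.attribute))
    if expiry is None or expiry <= now:
        raise PermissionError("attribute expired or unknown")
    if r.template not in VERIFICATION_KEYS:
        raise PermissionError("unknown template version")
    return VERIFICATION_KEYS[r.template]
```

Because `historical` is covered by the signature, the opt-in for an old commitment cannot be flipped in transit, and the verification key returned is selected by the exact template version requested.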