Re: JSON-LD vs JWT for VC from Dean Kevin Poulsen on 2018-10-25 (public-credentials@w3.org from October 2018)

From: Dean Kevin Poulsen <dean@authenticity.ac>
Date: Thu, 25 Oct 2018 15:24:39 -0700
To: pelle.braendgaard@consensys.net
Cc: public-credentials@w3.org
Message-Id: <9E9868D6-841B-4610-B715-079E042A6DE7@authenticity.ac>
Pelle,

A friend who is on the mailing list forwarded the following message to me.  It’s of particular interest to me because I’ve recently submitted proposed changes to the format for signed JSON-LD.  I submitted the suggestion to the email posted at this page:  https://w3c-dvcg.github.io/ld-signatures/  However, I haven’t heard a response and there no longer seems to be any activity on this standard.

I was referred to the VCWG credential format by Kaliya Identity Woman.  I really appreciate the work that the group has done.  It’s proving to be quite useful for a project in which I’m actively involved.  However, it appears to be based on the same flawed format for signed JSON-LD.  

The email below says that JSON-LD cons include:

> - Difficult to integrity/canonicalization of graph for signing purposes
> - Canonicalization requirement
> - Difficult to understand what is signed
> ...
> - You have to really know what you do to verify a signed json-ld document


After identifying the problems and discussing them with colleagues, it seems that this format evolved from XML, which does have canonicalization.  However, JSON, does not.  So, I certainly understand why you're experiencing these issues. 

Since I haven’t received a response from those who created the signed JSON-LD format, I’m attaching my proposed revision.  This eliminates the canonicalization requirement and minimizes changes to signed content (which really shouldn’t change after it’s signed - big no no).  The changes that are still required consist of assigning a value.  So, the chances of not being able to verify the signature are minimized.

I’ve also looked at JWT and JWS.  At first, I thought they may be useful, mistaking them for signed JSON formats.  They aren’t.  As such, their usefulness is limited.  

I’ve been interested in attending the Monday meetings of the VCWG, but haven’t yet.  I hope you find this useful, and I’d like to participate when I can.

FYI,
Kevin Poulsen










============ Forwarded message ============
From : Pelle Braendgaard<pelle.braendgaard@consensys.net>
To : "Credentials Community Group"<public-credentials@w3.org>
Date : Wed, 24 Oct 2018 19:10:02 -0500
Subject : JSON-LD vs JWT for VC
============ Forwarded message ============
We had a session at IIW trying to figure out what the primary problems/benefits are with JSON-LD and JWT. While this was a general conversation it was seen in the context of W3C Verifiable Credentials.

JSON-LD 
Pros:
- Semantics
- Graph
- Human Readable

Cons:
- Difficult to integrity/canonicalization of graph for signing purposes
- Canonicalization requirement
- Difficult to understand what is signed
- Cognitive overload when understanding data
- Lack of diversity in tooling
- You have to really know what you do to verify a signed json-ld document

Asks of JSON-LD community to make it useful for Verifiable Credentials:
- Better Tooling (automatically resolve DIDs and verify signatures)
- Better documentation for specific use cases
- Middleware for various server implementations to automatically verify signatures etc of json-ld requests
- Remove embedded schema

JWTs
Pros:
- Simple
- You always know what is signed (easy to verify)
- No canonicalization needed
- Good tooling

Cons:
- Key definition/lookup part is not very well defined
- No built in semantics/schemas
- Not Human Readable

Asks of JWT community:
- Libraries should support DID resolution (eg implementation https://github.com/uport-project/did-jwt <https://github.com/uport-project/did-jwt>)
- Help work on defining Verifiable Credentials using JWT

Most people present felt that JWTs are the safest format at the moment, due in larger part to its simplicity. To be able to support JSON-LD signed VCs we need better tooling. The JSON-LD community should invest time in this, to make it as easy as being able to easily verify the data and understand what was signed.

Regards
Pelle
-- 

Pelle Brændgaard // uPort Engineering Lead
pelle.braendgaard@consensys.net <mailto:pelle.braendgaard@consensys.net>
49 Bogart St, Suite 22, Brooklyn NY 11206
Web <https://consensys.net/> | Twitter <https://twitter.com/ConsenSys> | Facebook <https://www.facebook.com/consensussystems> | Linkedin <https://www.linkedin.com/company/consensus-systems-consensys-> | Newsletter <http://consensys.us11.list-manage.com/subscribe?u=947c9b18fc27e0b00fc2ad055&id=257df01285&utm_content=buffer1ce12&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer>
Attachments

text/html attachment: stored
application/pdf attachment: SignedJSON-LDFormat_Proposal_v5.pdf
text/html attachment: stored
Received on Friday, 26 October 2018 18:32:02 UTC