Re: More questions about the VC Document 2.0 (part 2) from Orie Steele on 2023-10-31 (public-credentials@w3.org from October 2023)

From: Orie Steele <orie@transmute.industries>
Date: Tue, 31 Oct 2023 08:49:56 -0500
To: ステファニータン（SBIホールディングス） <tstefan@sbigroup.co.jp>
Cc: W3C Credentials CG <public-credentials@w3.org>, W3C VC Working Group <public-vc-wg@w3.org>
Message-ID: <CAN8C-_JXFb11QmCMbo6bvunrekTnDUNeqH79nv_3MeX9vTM8JQ@mail.gmail.com>

Inline:

On Tue, Oct 31, 2023 at 4:22 AM ステファニー タン（SBIホールディングス） <
tstefan@sbigroup.co.jp> wrote:

> Hello, everyone.
>
> We have more questions about some parts of the VC Document 2.0. Thanks
> again to all who answered last time and in our previous questions. It's
> certainly generating a lot of productive discussion in our team.
>
>
>    1. In the document, there is this line about multiple issuers in a VP:
>    "The data in a presentation
>    <https://www.w3.org/TR/vc-data-model-2.0/#dfn-presentation> is often
>    about the same subject
>    <https://www.w3.org/TR/vc-data-model-2.0/#dfn-subjects>, but might
>    have been issued by multiple issuers
>    <https://www.w3.org/TR/vc-data-model-2.0/#dfn-issuers>. The
>    aggregation of this information typically expresses an aspect of a person,
>    organization, or entity
>    <https://www.w3.org/TR/vc-data-model-2.0/#dfn-entities>. "
>    Has anyone here experimented with it before?
>
> Multiple issuer's use case is not supported by the current drafts, and
having been a part of those discussions, it seems unlikely to be supported
in the future.

It is fine to have a "single issuer" that is actually representing a group
of individual entities.



>
>    1. Is it correct to understand that it is generally possible to
>    convert JSON data with definitions as JSON-LD to JWT (SD-JWT) format?
>    Since the use cases for implementation using JSON-LD and BBS are not
>    common enough to be able to consider standards like ISO/W3C,
>    we must realistically consider using SD-JWT, but we would like to
>    confirm whether this is feasible with the VC2.0 Data model (using JSON-LD).
>
>
Yes:

JSON-LD is a concrete RDF syntax
<https://www.w3.org/TR/rdf11-concepts/#dfn-concrete-rdf-syntax> as
described in [RDF11-CONCEPTS
<https://www.w3.org/TR/json-ld11/#bib-rdf11-concepts>]. Hence, a JSON-LD
document is both an RDF document *and* a JSON document and correspondingly
represents an instance of an RDF data model
<https://www.w3.org/TR/rdf11-concepts/#data-model>.

- https://www.w3.org/TR/json-ld11/#relationship-to-rdf

Some people are still working on BBS at W3C, I will let them speak to that
topic.

The latest version of Securing Verifiable Credentials using JOSE and COSE,
supports securing JSON-LD claimsets that are of the content type that is
requested for registration from the core data model:

application/vc+ld+json
application/vp+ld+json

Per the JWT BCP
https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing

We recommend explicit typing, so these claimsets become:

application/vc+ld+json+sd-jwt
application/vp+ld+json+sd-jwt

- https://w3c.github.io/vc-jose-cose/


> Thank you so much for any advice you can give.
>
>
It's not surprising you ask these questions, since the core data model does
not contain a single example of securing via SD-JWT.

Contribution to this part of the W3C documents has been very poor,
most of the folks doing security work on formats other than Data Integrity
Proofs have contributed to IETF work items substantially more than they
have contributed to the W3C drafts.

In my opinion, W3C should drop the vc-jose-cose item entirely, or should
fix the core data model so that it does not lead to the conclusion that
data integrity proofs are required.

best regards,
> Stefannie
>
>
>
>

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

Received on Tuesday, 31 October 2023 13:50:15 UTC