Pelle,

In late October, I responded to this email thread with a proposed revision to the signed JSON-LD/VCWG signature standards.  The proposal was prompted because verifying the signature is made difficult by these standards:  they require the signed content to be modified after it's signed; then, the modified signed data needs to be reconstructed in order to verify the signature. This same technique has been used in XML signatures, causing much hair-pulling.  We should abandon it.

I appreciate the open and frank replies to my earlier proposal.  From the conversation, I gathered that the VCWG was considering following one of two paths:

1.  Develop tools to make the existing standards easier to implement.  In my opinion, this isn’t an option because they require modification of the signed content.

2.  Use the JWT/JWS signature format instead.  After some additional research on this option, I’m presenting an updated proposal (attached .PDF below).

I’ll watch the evolution of these standards.  I hope that our formats are eventually compatible with each other.  In the mean time, we can’t wait for the standards process to play out.  We need to move forward using the format proposed below.

Thanks for your time,

Kevin Poulsen

p.s.  Spoiler alert:  Here's a side-by-side comparison of the current VCWG verifiable claim format and my proposed verifiable claim format based on the JSON serialization in the JWS standard: