- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Thu, 25 Oct 2018 08:09:37 +0200
- To: Pelle Braendgaard <pelle.braendgaard@consensys.net>
- Cc: W3C Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CAKaEYhJ-Wo+XvEdE1Y3C_Qh4Ek2vpVgXsJnax9kBDeW2BruRmA@mail.gmail.com>
On Thu, 25 Oct 2018 at 02:12, Pelle Braendgaard <pelle.braendgaard@consensys.net> wrote:

> We had a session at IIW trying to figure out what the primary
> problems/benefits are with JSON-LD and JWT. While this was a general
> conversation it was seen in the context of W3C Verifiable Credentials.
>
> JSON-LD
> Pros:
> - Semantics
> - Graph
> - Human Readable
>
> Cons:
> - Difficult to integrity/canonicalization of graph for signing purposes
> - Canonicalization requirement
> - Difficult to understand what is signed
> - Cognitive overload when understanding data
> - Lack of diversity in tooling
> - You have to really know what you do to verify a signed json-ld document
>
> Asks of JSON-LD community to make it useful for Verifiable Credentials:
> - Better Tooling (automatically resolve DIDs and verify signatures)
> - Better documentation for specific use cases
> - Middleware for various server implementations to automatically verify
>   signatures etc of json-ld requests
> - Remove embedded schema
>
> JWTs
> Pros:
> - Simple
> - You always know what is signed (easy to verify)
> - No canonicalization needed
> - Good tooling
>
> Cons:
> - Key definition/lookup part is not very well defined
> - No built in semantics/schemas
> - Not Human Readable
>
> Asks of JWT community:
> - Libraries should support DID resolution (eg implementation
>   https://github.com/uport-project/did-jwt)
> - Help work on defining Verifiable Credentials using JWT
>
> Most people present felt that JWTs are the safest format at the moment,
> due in larger part to its simplicity. To be able to support JSON-LD signed
> VCs we need better tooling. The JSON-LD community should invest time in
> this, to make it as easy as being able to easily verify the data and
> understand what was signed.
>

FYI: https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid

Might contain some useful pointers.

>
> Regards
> Pelle
> --
> *Pelle Brændgaard // uPort Engineering Lead*
> pelle.braendgaard@consensys.net
> 49 Bogart St, Suite 22, Brooklyn NY 11206
> Web <https://consensys.net/> | Twitter <https://twitter.com/ConsenSys> |
> Facebook <https://www.facebook.com/consensussystems> | Linkedin
> <https://www.linkedin.com/company/consensus-systems-consensys-> |
> Newsletter
> <http://consensys.us11.list-manage.com/subscribe?u=947c9b18fc27e0b00fc2ad055&id=257df01285&utm_content=buffer1ce12&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer>
>
Received on Thursday, 25 October 2018 06:10:12 UTC
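
The contrast in the quoted session notes between "Canonicalization requirement" and "No canonicalization needed / You always know what is signed", as an added example that is not part of the thread and is not did-jwt's code. Assumptions: HMAC-SHA256 with a constructed key stands in for a DID-resolved public key, sorted-key JSON serialization is a simplified stand-in for the graph canonicalization that signed JSON-LD needs, and all function names and sample values are hypothetical.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for a DID-resolved key

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def jwt_sign(claims: dict) -> str:
    # The signing input is the exact ASCII string that goes on the wire.
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + b64u(json.dumps(claims).encode())
    return signing_input + "." + b64u(mac(signing_input.encode()))

def jwt_verify(token: str) -> dict:
    # Check the MAC over the received characters; no re-serialization.
    signing_input, _, sig = token.rpartition(".")
    if not hmac.compare_digest(mac(signing_input.encode()), b64u_dec(sig)):
        raise ValueError("bad signature")
    header_b64, _, body_b64 = signing_input.partition(".")
    # The verifier fixes the algorithm; the header is only checked against it.
    if json.loads(b64u_dec(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return json.loads(b64u_dec(body_b64))

def embedded_sign(doc: dict, canonical: bool) -> str:
    # Signature stored alongside the data: the verifier has to rebuild the
    # signed bytes from the parsed object, so serialization must be fixed.
    if canonical:
        data = json.dumps(doc, sort_keys=True, separators=(",", ":"))
    else:
        data = json.dumps(doc)  # depends on key order and whitespace
    return b64u(mac(data.encode()))

if __name__ == "__main__":
    a = {"id": "did:example:alice", "degree": "BSc"}                # constructed
    b = json.loads('{"degree": "BSc", "id": "did:example:alice"}')  # same data
    print("same data:", a == b)
    print("naive MACs match:", embedded_sign(a, False) == embedded_sign(b, False))
    print("canonical MACs match:", embedded_sign(a, True) == embedded_sign(b, True))
    print("JWT round trip:", jwt_verify(jwt_sign(a)) == a)
```

The two documents compare equal as data, yet only the canonical form yields matching MACs, while the JWT verifies because its signature covers the transmitted string itself.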