Re: JSON-LD vs JWT for VC

Hi Markus,
What I mean is that, in particular due to the complexity of JSON-LD, it
should be able to look up DID documents for DIDs that have signed parts of
the JSON-LD document and verify them.

Having this be a manual process is not only error-prone, but will likely
lead to many security issues in the future.

See DID-JWT `verifyJWT` function for an example of what I mean in a JWT
context.

https://github.com/uport-project/did-jwt#2-verify-a-did-jwt

Pelle


On Sat, Oct 27, 2018 at 11:58 AM Markus Sabadello <markus@danubetech.com>
wrote:

> Good thread, just wanted to quickly ask what is meant by "JWT DID
> resolution"?
>
> There's sometimes a misunderstanding that signatures on a DID document can
> prove ownership of a DID. This is not the case. The only way to make sure
> you got the correct DID document for a DID is to resolve it.
>
> See here "Binding of Identity":
> https://w3c-ccg.github.io/did-spec/#binding-of-identity
>
> Markus
> On 10/26/18 8:20 PM, Oliver Terbu wrote:
>
> Hi,
>
> I guess the posting was not about using one or the other. The IIW
> community identified clear needs for improvements on both ends and we
> should respect those needs:
>
> - We should make progress in defining JWT verifiable credentials and
> support JWT DID resolution.
> - We should make progress in addressing the concerns that the IIW
> community identified with JSON-LD.
>
> It doesn’t help to copy & paste links.
>
> Thanks,
> Oliver
>
>
> On 25. Oct 2018, at 01:58, a.a@tutanota.com wrote:
>
> >FYI :
> >
> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
> >Might contain some useful pointers.
>
> And this one
> https://openid.net/specs/draft-jones-json-web-token-07.html
> Sorry if I repeat.
>
> ---
> Regards,
> Alexey Anshakov
> CEO, webRunes https://wr.io
> skype: alexey_anshakov
>
>
> 25 Oct 2018 08:09 from melvincarvalho@gmail.com:
>
>
>
> On Thu, 25 Oct 2018 at 02:12, Pelle Braendgaard <
> pelle.braendgaard@consensys.net> wrote:
>
>> We had a session at IIW trying to figure out what the primary
>> problems/benefits are with JSON-LD and JWT. While this was a general
>> conversation it was seen in the context of W3C Verifiable Credentials.
>>
>> JSON-LD
>> Pros:
>> - Semantics
>> - Graph
>> - Human Readable
>>
>> Cons:
>> - Difficult to integrity/canonicalization of graph for signing purposes
>> - Canonicalization requirement
>> - Difficult to understand what is signed
>> - Cognitive overload when understanding data
>> - Lack of diversity in tooling
>> - You have to really know what you do to verify a signed json-ld document
>>
>> Asks of JSON-LD community to make it useful for Verifiable Credentials:
>> - Better Tooling (automatically resolve DIDs and verify signatures)
>> - Better documentation for specific use cases
>> - Middleware for various server implementations to automatically verify
>> signatures etc of json-ld requests
>> - Remove embedded schema
>>
>> JWTs
>> Pros:
>> - Simple
>> - You always know what is signed (easy to verify)
>> - No canonicalization needed
>> - Good tooling
>>
>> Cons:
>> - Key definition/lookup part is not very well defined
>> - No built in semantics/schemas
>> - Not Human Readable
>>
>> Asks of JWT community:
>> - Libraries should support DID resolution (eg implementation
>> https://github.com/uport-project/did-jwt)
>> - Help work on defining Verifiable Credentials using JWT
>>
>> Most people present felt that JWTs are the safest format at the moment,
>> due in large part to its simplicity. To be able to support JSON-LD signed
>> VCs we need better tooling. The JSON-LD community should invest time in
>> this, to make it as easy as being able to easily verify the data and
>> understand what was signed.
>>
>
> FYI :
>
>
> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>
> Might contain some useful pointers.
>
>>
>>
>> Regards
>> Pelle
>> --
>> *Pelle Brændgaard // uPort Engineering Lead*
>> pelle.braendgaard@consensys.net
>> 49 Bogart St, Suite 22, Brooklyn NY 11206
>> Web <https://consensys.net/> | Twitter <https://twitter.com/ConsenSys> |
>> Facebook <https://www.facebook.com/consensussystems> | Linkedin
>> <https://www.linkedin.com/company/consensus-systems-consensys-> |
>> Newsletter
>> <http://consensys.us11.list-manage.com/subscribe?u=947c9b18fc27e0b00fc2ad055&id=257df01285&utm_content=buffer1ce12&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer>
>>
>
>
>

-- 
*Pelle Brændgaard // uPort Engineering Lead*
pelle.braendgaard@consensys.net
49 Bogart St, Suite 22, Brooklyn NY 11206

Received on Saturday, 27 October 2018 23:30:53 UTC
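
The resolve-then-verify flow discussed in this thread, as an added example that is not part of the original messages and is not did-jwt's own code: the verifier resolves the `iss` DID itself and accepts only keys found in the resolved DID document. The `did:example` registry, the simplified DID document shape, and the names `signJwt` and `verifyDidJwt` are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');

// Constructed sample keys: the real issuer and an impostor.
const issuer = crypto.generateKeyPairSync('ed25519');
const impostor = crypto.generateKeyPairSync('ed25519');

// Hypothetical in-memory registry standing in for a real DID method resolver;
// the DID document shape is simplified for the example.
const registry = new Map([['did:example:issuer', {
  id: 'did:example:issuer',
  publicKey: [{ id: 'did:example:issuer#key-1',
    publicKeyJwk: issuer.publicKey.export({ format: 'jwk' }) }],
}]]);
const resolve = (did) => registry.get(did) || null;

function signJwt(payload, privateKey, kid) {
  const input = b64u(JSON.stringify({ alg: 'EdDSA', typ: 'JWT', kid })) +
    '.' + b64u(JSON.stringify(payload));
  const sig = crypto.sign(null, Buffer.from(input), privateKey);
  return input + '.' + sig.toString('base64url');
}

function verifyDidJwt(jwt, resolver) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = JSON.parse(unb64u(h).toString());
  const payload = JSON.parse(unb64u(p).toString());
  // Pin the algorithm instead of letting the token choose it.
  if (header.alg !== 'EdDSA') throw new Error('unsupported alg');
  // The DID document comes from resolution, never from the token itself.
  const doc = resolver(payload.iss);
  if (!doc || doc.id !== payload.iss) throw new Error('cannot resolve issuer');
  const keys = doc.publicKey.filter((k) => !header.kid || k.id === header.kid);
  for (const k of keys) {
    const pub = crypto.createPublicKey({ key: k.publicKeyJwk, format: 'jwk' });
    if (crypto.verify(null, Buffer.from(`${h}.${p}`), pub, unb64u(s))) {
      return { issuer: payload.iss, signer: k.id, payload };
    }
  }
  throw new Error('no key in the resolved DID document matches the signature');
}

const demo = signJwt({ iss: 'did:example:issuer', claim: 'constructed' },
  issuer.privateKey, 'did:example:issuer#key-1');
console.log(verifyDidJwt(demo, resolve).signer);
```

A token signed by the impostor key but claiming `iss: did:example:issuer` is rejected, because the impostor's key never appears in the resolved document.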