Re: JSON-LD vs JWT for VC

Manu,
Regarding your comment about the Canonicalization requirement:

This requirement is a problem because it forces a new requirement onto the
JSON parser that many like myself don't think is a good idea.

For example, one thing we would love to see is for IoT devices to play a
role in this new DID/VC world we are building. Many of these embedded systems
already have a minimal JSON parser, as well as Base64 libraries and
hardware encryption support.  That means they could build a JWT version of
DID/VC over the weekend (figuratively).  Requiring them to update to a new
JSON-parsing library to support this is a barrier to adoption.

BTW, as one who has developed protocol-level encryption software, the
comment "ability to add non-signature-destroying whitespace" makes me
cringe.  It seems like it is just needlessly opening the door to a new
attack vector.

   -chrisb

On Mon, Oct 29, 2018 at 7:36 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> > - Canonicalization requirement
>
> Why is the requirement a problem? You could just shove the entire VC in
> a JWT, but then you lose all the benefits of canonicalization (such as
> syntax-agnostic signatures, ability to protect the entire message,
> ability to add non-signature-destroying whitespace, compatibility with
> schema.org, etc.).
>

Received on Monday, 29 October 2018 17:08:20 UTC
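
The behavioural difference debated in this thread, as an added example that is not part of either message: a JWS-style signature covers the exact payload bytes, while a signature over a canonical form survives whitespace and key-order changes but puts a parser and canonicalizer in front of verification. Assumptions: HS256 with a constructed key, a constructed sample credential, and sorted-key compact JSON as a simplified stand-in for canonicalization (it is not the JSON-LD normalization algorithm).

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key
COMPACT = '{"id":"did:example:123","claim":{"age":21}}'                 # constructed
PRETTY = '{\n  "claim": { "age": 21 },\n  "id": "did:example:123"\n}'  # same data, reformatted

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(payload: bytes) -> str:
    # JWS compact form: the MAC covers base64url(header).base64url(payload) byte for byte.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    signing_input = f"{header}.{b64url(payload)}"
    mac = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def jws_verify(token: str) -> bool:
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return False  # accept only the algorithm this verifier expects
        expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(sig))
    except (ValueError, AttributeError):
        return False  # malformed token, bad base64 or bad header JSON

def canonical(text: str) -> bytes:
    # Simplified stand-in: parse, then re-serialize with sorted keys and no whitespace.
    return json.dumps(json.loads(text), sort_keys=True, separators=(",", ":")).encode()

def canon_sign(text: str) -> str:
    return hmac.new(KEY, canonical(text), hashlib.sha256).hexdigest()

def canon_verify(text: str, sig: str) -> bool:
    return hmac.compare_digest(canon_sign(text), sig)

def demo() -> dict:
    token, sig = jws_sign(COMPACT.encode()), canon_sign(COMPACT)
    header, _, mac = token.split(".")
    reformatted = f"{header}.{b64url(PRETTY.encode())}.{mac}"
    return {"jws_original": jws_verify(token),
            "jws_reformatted": jws_verify(reformatted),      # any byte change fails
            "canon_reformatted": canon_verify(PRETTY, sig),  # whitespace/order ignored
            "canon_changed_claim": canon_verify(PRETTY.replace("21", "12"), sig)}

if __name__ == "__main__":
    print(demo())
```

In the canonical path the payload is parsed and re-serialized before the MAC is checked, so that code handles unauthenticated input; in the JWS path the payload bytes are authenticated before anything parses them.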