Pelle,

A friend who is on the mailing list forwarded the following message to me.  It’s of particular interest to me because I’ve recently submitted proposed changes to the format for signed JSON-LD.  I submitted the suggestion to the email posted at this page:  https://w3c-dvcg.github.io/ld-signatures/  However, I haven’t heard a response and there no longer seems to be any activity on this standard.

I was referred to the VCWG credential format by Kaliya Identity Woman.  I really appreciate the work that the group has done.  It’s proving to be quite useful for a project in which I’m actively involved.  However, it appears to be based on the same flawed format for signed JSON-LD.  

The email below says that JSON-LD cons include:

- Difficult to integrity/canonicalization of graph for signing purposes
- Canonicalization requirement
- Difficult to understand what is signed
...
- You have to really know what you do to verify a signed json-ld document


After identifying the problems and discussing them with colleagues, it seems that this format evolved from XML, which does have canonicalization.  However, JSON does not.  So, I certainly understand why you're experiencing these issues. 

Since I haven’t received a response from those who created the signed JSON-LD format, I’m attaching my proposed revision.  This eliminates the canonicalization requirement and minimizes changes to signed content (which really shouldn’t change after it’s signed - big no-no).  The changes that are still required consist of assigning a value.  So, the chances of not being able to verify the signature are minimized.

I’ve also looked at JWT and JWS.  At first, I thought they may be useful, mistaking them for signed JSON formats.  They aren’t.  As such, their usefulness is limited.  

I’ve been interested in attending the Monday meetings of the VCWG, but haven’t yet.  I hope you find this useful, and I’d like to participate when I can.

FYI,
Kevin Poulsen
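
The canonicalization issue raised in the message above, as an added example that is not part of the original email and is not the attached proposal: a signature over raw JSON bytes stops verifying once the document is parsed and re-emitted, while signing a canonical form survives re-serialization and still rejects a changed value. HMAC-SHA256 stands in for a real signature scheme, the key, the document and the `did:example:123` identifier are constructed, and `canonical()` is a simplified sorted-key form, not the RDF graph normalization that signed JSON-LD uses.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; HMAC is a stand-in for a real signature

# Constructed credential, byte-for-byte as the issuer serialized it.
ISSUED = b'{"issuer": "did:example:123", "claim": {"name": "Alice", "age": 30}}'


def sign(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)


def canonical(doc) -> bytes:
    # Simplified canonical form: sorted keys, no insignificant whitespace, UTF-8.
    # Assumption for illustration only; number and Unicode edge cases are ignored.
    return json.dumps(doc, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def reserialize(raw: bytes) -> bytes:
    # What an intermediary does when it parses and re-emits the same data.
    return json.dumps(json.loads(raw), sort_keys=True, indent=2).encode("utf-8")


def demo() -> dict:
    relayed = reserialize(ISSUED)               # same data, different bytes
    tampered = relayed.replace(b"30", b"31")    # one claim value changed
    raw_sig = sign(ISSUED)                      # signature over the issuer's bytes
    canon_sig = sign(canonical(json.loads(ISSUED)))
    return {
        "same_data": json.loads(relayed) == json.loads(ISSUED),
        "raw_bytes_verify": verify(relayed, raw_sig),
        "canonical_verify": verify(canonical(json.loads(relayed)), canon_sig),
        "tampered_verify": verify(canonical(json.loads(tampered)), canon_sig),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
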