Re: integrity-like property from Dmitri Zagidulin on 2020-04-17 (public-credentials@w3.org from April 2020)

From: Dmitri Zagidulin <dzagidulin@gmail.com>
Date: Fri, 17 Apr 2020 19:29:23 -0400
To: Nikos Fotiou <fotiou@aueb.gr>
Cc: daniel.hardman@evernym.com, Credentials Community Group <public-credentials@w3.org>
Message-ID: <CANnQ-L56i7cyVke7eGw34mKfHjjpPnCJU5H4G_A5GkRnmUQeTw@mail.gmail.com>

Exactly, yeah - you can use hashlinks as the credentialSchema.id.

And yeah, the conversation of an SRI-like mechanism in JSON-LD has been
going on for a while. And I think Hashlinks are the current manifestation
of that. (Also, same spec author :) )

On Fri, Apr 17, 2020 at 11:59 AM Nikos Fotiou <fotiou@aueb.gr> wrote:

> Just to mention that I found out that including SRI (sub-resource
> integrity) is an open issue in JSON-LD  (
> https://github.com/w3c/json-ld-syntax/issues/108) and JSON-LD 1.1
> mentions "Future versions of this specification may incorporate subresource
> integrity [SRI] "
>
> Best,
> Nikos
>
> > On 17 Apr 2020, at 6:13 PM, Nikos Fotiou <fotiou@aueb.gr> wrote:
> >
> > That's interesting. So you could you use a hashlink as the "id" in
> credentialSchema property. Correct?
> >
> > Best,
> > Nikos
> >
> >> On 17 Apr 2020, at 6:04 PM, Dmitri Zagidulin <dzagidulin@gmail.com>
> wrote:
> >>
> >> Hi Nikos,
> >>
> >> Yes, you can use something like Hashlinks (
> https://tools.ietf.org/html/draft-sporny-hashlink-04 ) to provide
> integrity bindings to external resources references from VCs. Like Daniel
> mentioned, the VC itself is protected by digital signatures.
> >>
> >> On Fri, Apr 17, 2020 at 10:43 AM Nikos Fotiou <fotiou@aueb.gr> wrote:
> >> The digital signature covers the VC not the “external” resources (e.g.,
> the schema), i.e., it protects only the uri of the schema and not the
> schema itself. Note that even if this an HTTPs URI still you have the same
> issue.
> >>
> >>> On 17 Apr 2020, at 5:22 PM, Daniel Hardman <daniel.hardman@evernym.com>
> wrote:
> >>>
> >>> 
> >>> I believe that all approaches to VCs include digital signatures that
> already provide this guarantee. We don't need to add an additional field
> for it.
> >>>
> >>> On Fri, Apr 17, 2020 at 8:14 AM Nikos Fotiou <fotiou@aueb.gr> wrote:
> >>> Hi all,
> >>> I was reading "Verifiable Credentials Data Model 1.0". The Data schema
> part (https://www.w3.org/TR/vc-data-model/#data-schemas) specifies two
> properties: the id, and the type. IMHO it would have been really useful to
> have a third (optional) property similar to the "sub-resource integrity"
> tag used in HTML (
> https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity).
> What is your opinion? Is there any other way to provide some integrity
> information about external resources in the VC data model?
> >>>
> >>> Best,
> >>> Nikos
> >>>
> >
>
>

Received on Friday, 17 April 2020 23:29:48 UTC