
Re: [toolsCCI] Hypothetical COVID-19 Credential VC Data Model v2

From: Orie Steele <orie@transmute.industries>
Date: Mon, 20 Apr 2020 15:56:47 -0500
Message-ID: <CAN8C-_+b8U9wexV-cD-numgov4ruwWyw-BYxbeCL8sTf2UTJ0w@mail.gmail.com>
To: main@toolscci.groups.io, "W3C Credentials CG (Public List)" <public-credentials@w3.org>

arguably you do need to define how key resolution works with JWTs....
https://www.w3.org/TR/vc-data-model/#json-web-token

kid *MAY* be used if there are multiple keys associated with the issuer
<https://www.w3.org/TR/vc-data-model/#dfn-issuers> of the JWT. The key
discovery is out of the scope of this specification. For example, the kid can
refer to a key in a DID document
<https://www.w3.org/TR/vc-data-model/#dfn-decentralized-identifier-documents>,
or can be the identifier of a key inside a JWKS.

since `kid` can be anything.... there is no standard way for looking up the
keys used to produce JWTs that are VCs.... it's not defined....

As of this publication, DIDs
<https://www.w3.org/TR/vc-data-model/#dfn-decentralized-identifiers> are a
new type of identifier that are not necessary for verifiable credentials
<https://www.w3.org/TR/vc-data-model/#dfn-verifiable-credentials> to be
useful. Specifically, verifiable credentials
<https://www.w3.org/TR/vc-data-model/#dfn-verifiable-credentials> do not
depend on DIDs
<https://www.w3.org/TR/vc-data-model/#dfn-decentralized-identifiers> and
DIDs <https://www.w3.org/TR/vc-data-model/#dfn-decentralized-identifiers> do
not depend on verifiable credentials
<https://www.w3.org/TR/vc-data-model/#dfn-verifiable-credentials>.

... but later...

The digital signature provides a number of protections, other than tamper
resistance, which are not immediately obvious. For example, a Linked Data
Signature created property
<https://www.w3.org/TR/vc-data-model/#dfn-property> establishes a date and
time before which the credential
<https://www.w3.org/TR/vc-data-model/#dfn-credential> should not be
considered verified <https://www.w3.org/TR/vc-data-model/#dfn-verify>. The
verificationMethod property
<https://www.w3.org/TR/vc-data-model/#dfn-property> specifies, for example,
the public key that can be used to verify the digital signature.

Dereferencing a public key URL reveals information about the controller of
the key, which can be checked against the issuer of the credential
<https://www.w3.org/TR/vc-data-model/#dfn-credential>. The proofPurpose
property <https://www.w3.org/TR/vc-data-model/#dfn-property> clearly
expresses the purpose for the proof and ensures this information is
protected by the signature. A proof is typically attached to a verifiable
presentation
<https://www.w3.org/TR/vc-data-model/#dfn-verifiable-presentations> for
authentication purposes and to a verifiable credential
<https://www.w3.org/TR/vc-data-model/#dfn-verifiable-credentials> as a
method of assertion.

There is no standard way to dereference a VC-JWT `kid` because `kid` can be
anything...

IMO, you need to solve this in order to have a usable standard way of using
JWTs with the VC Data Model.... OIDC solved for it like this:
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

^ without this last bit... how would discovery of key material work for an
`iss` ?

So in summary... you don't need DIDs to make VCs, but you probably need
something other than the VC Data Model to integrate X.509 in an
unambiguous manner with JWTs.

OS


On Mon, Apr 20, 2020 at 3:43 PM David Chadwick <
info@verifiablecredentials.info> wrote:

> But this flexibility is already in the VC Data Model, because DIDs are not
> required. The VC data model requires URIs, not DIDs, and https URLs are
> URIs. So you don't need to upgrade a system that uses X.509 and JWTs to
> adopt VCs. They already have everything that is needed :-)

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

Received on Monday, 20 April 2020 20:57:13 UTC
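The gap Orie describes above is that `kid` is opaque: a verifier that receives a VC-JWT has to pick a discovery mechanism itself and, crucially, bind whatever key it finds back to `iss`. The following Python is an added example, not code from this thread or from the VC Data Model spec, that shows one verifier doing that for the two routes mentioned in the discussion: a `kid` that is a DID URL (resolved against a DID document and checked for `controller == iss`) and an https `iss` resolved OIDC-discovery style (`.well-known/openid-configuration` to `jwks_uri` to a JWKS entry with that `kid`). All documents, issuers, keys and URLs are constructed fixtures held in memory so it runs offline; it uses HS256 with `oct` JWKs purely so it needs only the standard library, where a real deployment would publish asymmetric keys. The third scenario shows why the `iss` binding matters: a token whose `kid` points at a key controlled by a different DID verifies cryptographically but is refused.

```python
import base64
import hashlib
import hmac
import json

# ---- constructed fixtures (hypothetical issuers and keys, nothing is fetched) ----
ISSUER_URL = "https://issuer.example"      # hypothetical X.509/OIDC-style issuer
ISSUER_DID = "did:example:issuer123"       # hypothetical DID-based issuer
SECRET = b"constructed-demo-secret-32-bytes!!"
OTHER_SECRET = b"constructed-key-of-someone-else"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# OIDC-discovery-style documents, keyed by the URL a verifier would fetch.
WELL_KNOWN = {
    ISSUER_URL: {"issuer": ISSUER_URL, "jwks_uri": ISSUER_URL + "/jwks.json"},
}
JWKS = {
    ISSUER_URL + "/jwks.json": {
        "keys": [{"kty": "oct", "kid": "key-2020-04", "k": _b64url(SECRET)}]
    },
}
# DID documents keyed by DID (stand-in for a DID resolver).
DID_DOCS = {
    ISSUER_DID: {"id": ISSUER_DID, "verificationMethod": [
        {"id": ISSUER_DID + "#k1", "controller": ISSUER_DID,
         "publicKeyJwk": {"kty": "oct", "k": _b64url(SECRET)}}]},
    "did:example:other": {"id": "did:example:other", "verificationMethod": [
        {"id": "did:example:other#k1", "controller": "did:example:other",
         "publicKeyJwk": {"kty": "oct", "k": _b64url(OTHER_SECRET)}}]},
}


def resolve_key(kid: str, iss: str) -> bytes:
    """Return key bytes for kid, but only when discovery binds that key to iss."""
    if kid.startswith("did:"):
        did = kid.split("#", 1)[0]
        if did != iss:
            raise ValueError("kid names a DID other than iss")
        doc = DID_DOCS.get(did)
        if doc is None:
            raise ValueError("DID does not resolve")
        for vm in doc["verificationMethod"]:
            if vm["id"] == kid and vm["controller"] == iss:
                return _b64url_decode(vm["publicKeyJwk"]["k"])
        raise ValueError("no verification method with that id controlled by iss")
    if iss.startswith("https://"):
        cfg = WELL_KNOWN.get(iss)
        if cfg is None or cfg.get("issuer") != iss:
            raise ValueError("issuer metadata missing or issuer field mismatch")
        jwks = JWKS.get(cfg["jwks_uri"], {"keys": []})
        for jwk in jwks["keys"]:
            if jwk.get("kid") == kid and jwk.get("kty") == "oct":
                return _b64url_decode(jwk["k"])
        raise ValueError("kid not present in issuer JWKS")
    raise ValueError("no key discovery method for this iss/kid pair")


def sign_vc_jwt(payload: dict, kid: str, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_vc_jwt(token: str) -> dict:
    """Verify a compact VC-JWT; the key is chosen by (kid, iss), never by kid alone."""
    h64, p64, s64 = token.split(".")
    header = json.loads(_b64url_decode(h64))
    payload = json.loads(_b64url_decode(p64))
    if header.get("alg") != "HS256":           # pin the algorithm, never trust alg blindly
        raise ValueError("unsupported alg")
    kid, iss = header.get("kid"), payload.get("iss")
    if not kid or not iss:
        raise ValueError("kid and iss are both required for key discovery")
    key = resolve_key(kid, iss)
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("signature does not verify")
    return payload


def demo_https_issuer() -> str:
    tok = sign_vc_jwt({"iss": ISSUER_URL, "vc": {"type": ["VerifiableCredential"]}},
                      "key-2020-04", SECRET)
    return verify_vc_jwt(tok)["iss"]


def demo_did_issuer() -> str:
    tok = sign_vc_jwt({"iss": ISSUER_DID, "vc": {"type": ["VerifiableCredential"]}},
                      ISSUER_DID + "#k1", SECRET)
    return verify_vc_jwt(tok)["iss"]


def demo_kid_not_bound_to_iss() -> bool:
    # Valid signature under did:example:other's key, but iss claims to be ISSUER_DID.
    tok = sign_vc_jwt({"iss": ISSUER_DID, "vc": {}}, "did:example:other#k1", OTHER_SECRET)
    try:
        verify_vc_jwt(tok)
        return False
    except ValueError:
        return True  # refused: key controller is not the issuer


if __name__ == "__main__":
    print(demo_https_issuer(), demo_did_issuer(), demo_kid_not_bound_to_iss())
```

The dispatch in `resolve_key` is exactly the part the VC Data Model leaves undefined: which mechanism applies is decided here by the shape of `kid` and `iss`, and a deployment has to fix that convention out of band (a DID method, OIDC discovery, or a profile that binds X.509 URLs to `iss`) before two independent implementations will agree on what a given `kid` means.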
