- From: Orie Steele <orie@transmute.industries>
- Date: Mon, 20 Apr 2020 15:56:47 -0500
- To: main@toolscci.groups.io, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAN8C-_+b8U9wexV-cD-numgov4ruwWyw-BYxbeCL8sTf2UTJ0w@mail.gmail.com>
arguably you do need to define how key resolution works with JWTs....

https://www.w3.org/TR/vc-data-model/#json-web-token

kid *MAY* be used if there are multiple keys associated with the issuer of the JWT. The key discovery is out of the scope of this specification. For example, the kid can refer to a key in a DID document, or can be the identifier of a key inside a JWKS.

since `kid` can be anything.... there is no standard way for looking up the keys used to produce JWTs that are VCs.... it's not defined....

As of this publication, DIDs are a new type of identifier that are not necessary for verifiable credentials to be useful. Specifically, verifiable credentials do not depend on DIDs and DIDs do not depend on verifiable credentials.

... but later...

The digital signature provides a number of protections, other than tamper resistance, which are not immediately obvious. For example, a Linked Data Signature created property establishes a date and time before which the credential should not be considered verified. The verificationMethod property specifies, for example, the public key that can be used to verify the digital signature. Dereferencing a public key URL reveals information about the controller of the key, which can be checked against the issuer of the credential. The proofPurpose property clearly expresses the purpose for the proof and ensures this information is protected by the signature. A proof is typically attached to a verifiable presentation for authentication purposes and to a verifiable credential as a method of assertion.

There is no standard way to dereference a VC-JWT `kid` because `kid` can be anything...

IMO, you need to solve this in order to have a usable standard way of using JWTs with the VC Data Model....

OIDC solved for it like this:

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

^ without this last bit... how would discovery of key material work for an `iss` ?

So in summary... you don't need DIDs to make VCs, but you probably need something other than the VC Data Model to integrate X.509 in an unambiguous manner with JWTs.

OS

On Mon, Apr 20, 2020 at 3:43 PM David Chadwick <info@verifiablecredentials.info> wrote:

> But this flexibility is already in the VC Data Model, because DIDs are not
> required. The VC data model requires URIs, not DIDs, and https URLs are
> URIs. So you don't need to upgrade a system that uses X.509 and JWTs to
> adopt VCs. They already have everything that is needed :-)
>
> View/Reply Online (#149) <https://toolsCCI.groups.io/g/main/message/149>

--
ORIE STEELE
Chief Technical Officer
www.transmute.industries <https://www.transmute.industries>
Received on Monday, 20 April 2020 20:57:13 UTC