Re: hashlinks vs trusty URIs from Manu Sporny on 2020-06-08 (public-credentials@w3.org from June 2020)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Mon, 8 Jun 2020 10:46:01 -0400
To: public-credentials@w3.org
Message-ID: <72288ecf-d60b-22ba-792c-e833a92f12b9@digitalbazaar.com>
What Ivan said, and...

On 6/7/20 7:03 PM, Kim Hamilton wrote:
>   * The VC data model lists certain syntaxes (JSON, JSON-LD), and while
>     it's clear that's not meant to be exhaustive, it doesn't have
>     recommendations for adding new syntaxes. Can we just do it? Or do we
>     need to add some sort of extension? We'd like to have certain things
>     hosted as official w3c artifacts (e.g. XML schemas), so maybe we
>     just need to worry about the latter category of artifacts

Yes, just do it -- writing XML-LD has been on my list of things to do
for years, mostly as an April 1st spec, but it looks like you actually
have a use case for it. I'm having to do something similar for CBOR-LD
recently... expect that both will be very closely aligned. The general
process is this:

Use JSON-LD compact, and then translate to XML-LD by walking the tree
and serializing to XML (using XML attributes and tags appropriately).
You can go from XML-LD to JSON-LD and do processing using existing
JSON-LD libraries that way as well.

You can run XML Digital Signatures over the XML-LD output, but honestly
it's going to be overly complicated... but I've heard other folks in the
banking community doing this due to their XML-based systems. The
approaches aren't incompatible.

The other approach is to use JSON-LD and Linked Data Signature libraries
to generate a digital signature, then JSON-LD compact and then walk the
tree generating XML-LD in the process.

You are correct in that the Linked Data Signature is syntax agnostic, so
the same signature can be used in JSON, XML, CBOR, etc... it's one of
the innovations that Linked Data Proofs brings to the table over JOSE
JWTs, XML Digital Signatures, etc.

Happy to discuss on a call, it would be good to get this out to a
community that is motivated to work on XML-LD.

>   * Are there other groups focused on XML/RDF signatures and tooling
>     (using similar approaches to our JSON-LD proofs)? Basically we want
>     to understand if we should join existing efforts or build something new?

As Ivan mentioned, nobody is working on XML/RDF signatures for
production systems these days (that I know of)... everyone has moved on
to less maddening things. That said, I do think that we have the tooling
now that would give you XML-LD and Linked Data Security at that layer
with only about a week or so of hacking involved for a proof of concept.
A production deployment would leverage the existing JSON-LD and RDF
Dataset Normalization libraries we already have.

The biggest lift is in writing a translator from JSON-LD->XML-LD->JSON-LD.

>   * In theory, it seems like if the signature is computed on the RDF
>     graph, it should preserve across XML/RDF and JSON-LD/RDF, but this
>     is an example of something we've been hand-waving about and need to
>     ensure.

Yes, this is true and should hold for what you're describing. There are
a few details that you have to make sure you get right (mostly the
loss-less conversion from JSON-LD -> XML-LD -> JSON-LD)... and if you
get those details right, everything else should fall into place.

>   * The EDCI effort is using XML VCs to comply with eIDAS legal
>     signature requirements, but they don't have anything official from
>     w3c to base that on and would like guidance

Yeah, and they won't until XML-LD becomes a thing. You could describe
XML-LD as a mapping from JSON-LD to XML and back. There are just two
transformations you'd need:

toXMLLD(jsonLdDocument, options)
fromXMLLD(xmlDocument, options) -> jsonLdDocument

If you define those correctly, which should only take about a week or so
of hacking, everything else should be reusable from the current JSON-LD
ecosystem.

>   * PESC/XML transcripts are very widely used in North America. They had
>     been focused on mapping to JSON-LD, but would be interested in
>     whether we're providing proper XML support

Depends on how much backwards compatability they want... you can also
just shove the entire XML document in a string literal and sign that. :)

Many ways to accomplish this task... would need to know more about the
requirements to hammer out the details.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches
Received on Monday, 8 June 2020 14:46:15 UTC