- From: Ivan Herman <ivan@w3.org>
- Date: Tue, 9 Jun 2020 15:48:14 +0200
- To: Dominic Wörner <dom.woe@gmail.com>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-Id: <F544A238-2D63-45E3-A60A-1238B49AEB38@w3.org>
Dominic, chiming in from the sidelines (i.e., not on the JWT question):

> On 9 Jun 2020, at 14:50, Dominic Wörner <dom.woe@gmail.com> wrote:
>
> Hi,
>
> We currently work with JWT VC because of the lack of proper JSON-LD tooling in Java.

The JSON-LD 1.1 implementation report[1] now has a reference to a JSON-LD implementation in Java[2] referred to as 'Titanium JSON-LD'. I have no experience with the tool itself, but it scores pretty well in the implementation report[1].

Ivan

[1] https://w3c.github.io/json-ld-api/reports/
[2] https://github.com/filip26/titanium

> The iss property of VCs is a DID and I have a question on the verification algorithm, since it's not well defined in the data model spec because it is out of scope.
>
> After reading the spec, we implemented the following approach:
>
> * Resolve issuer DID
> * If kid in header then get pubkey with kid from DID doc. If not found => abort
> * If no kid in header then there must be only one public key
>
> Now, I've looked at the code of https://github.com/decentralized-identity/did-jwt
> There the following approach is taken (if I'm correct):
>
> * Resolve issuer DID
> * Get authenticators (pub keys referenced in authentication array in DID doc)
> * Try all authenticators. Fail only if none of the authenticators work
>
> I don't think the library handles the usage of a kid in the header.
>
> This leaves me with the question, is there consensus about the approach taken in did-jwt? ;)
> * Public keys to verify VCs need to be referenced in the authentication block of the DID doc
> * It's not required to reference a specific key in the VC if there are multiple keys in the DID doc?
>
> I can see that the second point has some advantages.
> Given I have a DID doc with a single public key and I create a VC without specifying the kid, I would invalidate the VC by adding another key to the DID doc, if the verifier would not try all keys.
>
> Best,
> Dominic

----
Ivan Herman, W3C
Home: http://www.w3.org/People/Ivan/
mobile: +33 6 52 46 00 43
ORCID ID: https://orcid.org/0000-0003-0782-2704
Received on Tuesday, 9 June 2020 13:48:18 UTC