Re: Verifying JWT Verifiable Credentials

On 6/9/20 9:48 AM, Ivan Herman wrote:
> Dominic,
> 
> chiming in from the sidelines (ie, not on the JWT question):
> 
> 
>> On 9 Jun 2020, at 14:50, Dominic Wörner <dom.woe@gmail.com> wrote:
>>
>> Hi,
>>
>> We currently work with JWT VC because of the lack of proper JSON-LD
>> tooling in Java.
> 
> The JSON-LD 1.1 implementation report[1] has now a reference to a
> JSON-LD implementation in Java[2] referred to as 'Titanium JSON-LD'. I
> have no experience with the tool itself, but it scores pretty well in
> the implementation report[1].
> 
> Ivan
> 
> [1] https://w3c.github.io/json-ld-api/reports/
> [2] https://github.com/filip26/titanium

Looks like the GitHub repo has moved here:

https://github.com/filip26/titanium-json-ld

> 
> 
>> The iss property of VCs is a DID and I have a question on the
>> verification algorithm since it's not well defined in the data model
>> spec because it is out of scope.
>>
>> After reading the spec, we implemented the following approach:
>>
>> * Resolve issuer DID
>> * If kid in header then get pubkey with kid from did doc. If not found
>> => abort
>> * If no kid in header then there must be only one public key
>>
>> Now, I've looked at the code
>> of https://github.com/decentralized-identity/did-jwt
>> There the following approach is taken (if I'm correct)
>>
>> * Resolve issuer DID
>> * Get authenticators (pub keys referenced in authentication array in
>> DID doc)
>> * Try all authenticators. Fail only if none of the authenticators work
>>
>> I don't think the library handles the usage of a kid in the header.
>>
>> This leaves me with the question, is there consensus about the
>> approach taken in did jwt? ;)
>> * Public Keys to verify VCs, need to be referenced in the
>> authentication block of the DID doc
>> * It's not required to reference a specific key in the VC if there are
>> multiple keys in the DID doc?
>>
>> I can see that the second point has some advantages. Given I have a
>> DID doc with a single public key and I create a VC without specifying
>> the kid, I would invalidate the VC by adding another key to the DID
>> doc, if the verifier would not try all keys.
>>
>> Best,
>> Dominic
> 
> 
> ----
> Ivan Herman, W3C 
> Home: http://www.w3.org/People/Ivan/
> mobile: +33 6 52 46 00 43
> ORCID ID: https://orcid.org/0000-0003-0782-2704
> 


-- 
Dave Longley
CTO
Digital Bazaar, Inc.

Received on Tuesday, 9 June 2020 15:42:59 UTC
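
The two key-selection approaches compared in this thread, side by side, as an added example (not code from the thread, from did-jwt, or from any participant). It assumes Node.js, Ed25519/EdDSA keys, a simplified DID document shape and hypothetical function names; DID resolution is not shown, and both strategies here only consider keys referenced under authentication.

```javascript
const crypto = require("crypto");

const b64u = (x) => Buffer.from(x).toString("base64url");

// Sign a compact JWT with Ed25519 (alg EdDSA); kid is optional.
function signJwt(payload, privateKey, kid) {
  const header = { alg: "EdDSA", typ: "JWT", ...(kid ? { kid } : {}) };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${b64u(crypto.sign(null, Buffer.from(input), privateKey))}`;
}

// Only keys referenced from `authentication` are candidates.
function candidateKeys(didDoc, kid, strategy) {
  const auth = didDoc.publicKey.filter((k) => didDoc.authentication.includes(k.id));
  if (kid) return auth.filter((k) => k.id === kid); // unknown kid => none => abort
  if (strategy === "strict") return auth.length === 1 ? auth : []; // no kid: single key only
  return auth; // "try-all": every authenticator gets a chance
}

// Returns the id of the key that verified the JWT, or null.
// didDoc stands in for the result of resolving the issuer DID (resolution not shown).
function verifyJwt(jwt, didDoc, strategy) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (header.alg !== "EdDSA") return null; // accept only the algorithm the keys are for
  const sig = Buffer.from(s, "base64url");
  const hit = candidateKeys(didDoc, header.kid, strategy).find((k) =>
    crypto.verify(null, Buffer.from(`${h}.${p}`), k.key, sig));
  return hit ? hit.id : null;
}

// Constructed sample data: a made-up DID and a simplified DID document shape.
const did = "did:example:issuer";
const k1 = crypto.generateKeyPairSync("ed25519");
const k2 = crypto.generateKeyPairSync("ed25519");
const entry = (n, kp) => ({ id: `${did}#key-${n}`, key: kp.publicKey });
const docBefore = { publicKey: [entry(1, k1)], authentication: [`${did}#key-1`] };
const docAfter = {
  publicKey: [entry(1, k1), entry(2, k2)],
  authentication: [`${did}#key-1`, `${did}#key-2`],
};
const vcNoKid = signJwt({ iss: did }, k1.privateKey);
const vcWithKid = signJwt({ iss: did }, k1.privateKey, `${did}#key-1`);

console.log(verifyJwt(vcNoKid, docAfter, "strict"));
console.log(verifyJwt(vcNoKid, docAfter, "try-all"));
console.log(verifyJwt(vcWithKid, docAfter, "strict"));
```

docBefore and docAfter model the key-addition scenario from the original question: the kid-less credential verifies against docBefore under either strategy, but after the second key is added only "try-all" or an explicit kid still verifies.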