Re: Question About Signatures & Contexts from Manu Sporny on 2021-07-30 (public-credentials@w3.org from July 2021)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Fri, 30 Jul 2021 10:15:55 -0400
To: public-credentials@w3.org
Message-ID: <b6ac2161-9266-51f6-b276-c47b06a04014@digitalbazaar.com>

On 7/30/21 9:31 AM, Kerri Lemoie wrote:
> Is a VC still considered to be valid if it contains fields that are not 
> described in its context file(s)? Does it depend on the signature type?

The short answers are "maybe" and "yes".

The VC Data Model specification does not require values to be expressed in the
`@context` because there was a contingent of people that didn't want to use
JSON-LD in the original VC WG. So, an uneasy compromise was made that
`@context` was required, but you didn't have to process the VC as JSON-LD.
This allowed the people that just wanted to use JWTs with no JSON-LD
processing to achieve their goals.

As you know, if a value doesn't exist in the `@context` and you do JSON-LD
processing AND the `@context` doesn't declare a default vocabulary, the value
is dropped and some JSON-LD signature libraries will complain loudly that the
signature attempt failed because of an undefined term.

It's broadly viewed as a really bad idea to not define all terms in the
`@context` -- it leads to all sorts of interop issues.

Some people have gotten around this (and I mean that in a negative way) by
specifying a term where the value is of type `@json`, which means that JCS is
used and you can shove whatever JSON you want to into that term. The downside
there being that there are no semantics associated with the inside of that
content. This is typically done in experiments (which is fine), when trying to
encapsulate legacy JSON data (which is fine), or when trying to say you're
technically JSON-LD and VC compliant while violating the spirit of what the
spec was trying to do (which is not fine).

Much of this comes down to "Do you care about the semantics of what you are
signing?" and "Do you care about interop between JSON and JSON-LD?".

But most importantly... if you're asking yourself the questions at the top of
this email, you're probably already on the wrong path.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Friday, 30 July 2021 14:16:12 UTC