
Re: Verifiable Credentials v1.1 released for public review

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Wed, 10 Nov 2021 08:52:18 -0500
To: public-credentials@w3.org
Message-ID: <1d67e9f2-8a66-c686-ac62-4e790782a244@digitalbazaar.com>

On 11/10/21 5:58 AM, David Chadwick wrote:
> I don't think this is exactly correct. Nesting of JWTs is already
> supported when a JWT VP incorporates a JWT VC.

Uh oh. Looks like more vagueness in the JWT section of the VC spec. A few
comments:

I believe the VC-EDU work requires arbitrarily nested VCs, so just a
collection of VCs in a VP isn't the only thing they need to do. They may need
to embed signed VCs in other signed VCs... you can't do that with JWT-based VCs.

You can do this if you use `proof` and Linked Data Integrity since that
technology was designed to allow arbitrary nesting of VCs in other VCs.

The JWT stuff was never specified to support arbitrary nesting of VCs in VCs
or multiple levels of signed nesting.

I've just now gone back and checked the JWT section of the spec (which I
didn't write or implement), and it looks like there is no normative statement
that says that you have to base-64 encode the `vp` property. All the spec says
normatively is:

https://w3c.github.io/vc-data-model/#json-web-token-extensions
"""
vp: JSON object, which MUST be present in a JWT verifiable presentation. The
object contains the verifiable presentation according to this specification.
"""

That presumes a non-JWT encoding, so looks like the JWT section of the spec is
missing any normative statement wrt. transformation to/from JWTs wrt.
Verifiable Presentations.

... and then there is one non-normative comment beside an example that hints
that VPs are encoded in base64:

https://w3c.github.io/vc-data-model/#example-31-jwt-payload-of-a-jwt-based-verifiable-presentation-non-normative

> Thus it would be perfectly possible to nest a VC JWT in another VC JWT. It
> is just that we do not have an example of this in the v1.0 or v1.1 spec.

We do have an example in the spec (link above), but it's clearly not based on
any normative language in the specification.

VC 2.0 is probably going to extract the JWT section of the VC Data Model spec
out into its own specification alongside the other LDI stuff, so we can fix
this at that point.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
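The thread above turns on the one nesting level the JWT section does describe: a JWT VP whose `vp.verifiableCredential` array carries a JWT VC as a compact JWS string, rather than a signed VC embedded inside another signed VC. The following is an added example, not code from this thread, from the VC spec, or from Digital Bazaar, that builds that two-layer structure and verifies it from the outside in. It uses HS256 with two constructed shared secrets purely so it runs on the Python standard library; real VC-JWTs use asymmetric keys and key resolution. The DIDs, claim values, nonce and audience are all constructed, and the holder-binding check (VP `iss` must equal VC `sub`) is this example's own defensive choice.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secrets standing in for the issuer's and holder's keys.
ISSUER_KEY = b"constructed-issuer-secret"
HOLDER_KEY = b"constructed-holder-secret"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(payload: dict, key: bytes) -> str:
    """Minimal HS256 JWS compact serialization: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def jwt_verify(token: str, key: bytes) -> dict:
    """Check alg and signature before trusting any claim in the payload."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def issue_vc_jwt() -> str:
    """Issuer signs a JWT VC: the credential body sits in the vc claim."""
    payload = {
        "iss": "did:example:issuer",
        "sub": "did:example:holder",
        "jti": "urn:uuid:constructed-vc-1",
        "nbf": 1636545138,
        "vc": {
            "@context": ["https://www.w3.org/2018/credentials/v1"],
            "type": ["VerifiableCredential"],
            "credentialSubject": {"degree": "BSc"},
        },
    }
    return jwt_sign(payload, ISSUER_KEY)


def present_vp_jwt(vc_jwt: str, audience: str, nonce: str) -> str:
    """Holder wraps the compact VC JWT string inside a JWT VP's vp claim."""
    payload = {
        "iss": "did:example:holder",
        "aud": audience,
        "nonce": nonce,
        "vp": {
            "@context": ["https://www.w3.org/2018/credentials/v1"],
            "type": ["VerifiablePresentation"],
            "verifiableCredential": [vc_jwt],
        },
    }
    return jwt_sign(payload, HOLDER_KEY)


def verify_presentation(vp_jwt: str, audience: str, nonce: str,
                        holder_key: bytes, issuer_key: bytes) -> list:
    """Verify outer VP, then each nested VC; return the credential subjects."""
    outer = jwt_verify(vp_jwt, holder_key)
    if outer.get("aud") != audience or outer.get("nonce") != nonce:
        raise ValueError("presentation not bound to this verifier and challenge")
    subjects = []
    for inner_token in outer["vp"]["verifiableCredential"]:
        # Only the string form is defined for a JWT VC inside a JWT VP.
        if not isinstance(inner_token, str):
            raise ValueError("nested credential must be a compact JWS string")
        inner = jwt_verify(inner_token, issuer_key)
        # Holder binding (this example's own check): presenter must be the subject.
        if inner.get("sub") != outer.get("iss"):
            raise ValueError("presenter is not the credential subject")
        subjects.append(inner["vc"]["credentialSubject"])
    return subjects


if __name__ == "__main__":
    vc = issue_vc_jwt()
    vp = present_vp_jwt(vc, "did:example:verifier", "nonce-constructed-1")
    print(verify_presentation(vp, "did:example:verifier", "nonce-constructed-1",
                              HOLDER_KEY, ISSUER_KEY))
```

The verifier never parses the inner credential until the outer signature, audience and nonce have passed, so a replayed or re-addressed presentation fails before any nested content is trusted; a tampered inner JWT fails on its own signature even when the holder's outer signature is valid.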
Received on Wednesday, 10 November 2021 13:52:36 UTC
