Recommendations for Storing VC-JWT from Orie Steele on 2022-02-17 (public-credentials@w3.org from February 2022)

From: Orie Steele <orie@transmute.industries>
Date: Thu, 17 Feb 2022 08:21:18 -0600
To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>, Mike Jones <Michael.Jones@microsoft.com>, David Waite <dwaite@pingidentity.com>
Message-ID: <CAN8C-_Kx8GE-oscmXrqTwwaZXex8hd=3duJaf_Zn8u4VveoLAw@mail.gmail.com>

Hey Folks,

As you know JWT compact representations are base64url encoded, making them
impossible to query over from a database like Cosmos, Neo4j, MongoDB etc.

A natural solution is to store the JWT in flattened form, like this:
https://www.rfc-editor.org/rfc/rfc7515#section-7.2.2

However, it's not clear to me from the RFC what these actually look like...
this is what I want:

{
      "header": {
        "alg": "EdDSA",
        "kid":
"did:key:z6MkneEzjgD4Rerd14F62MmcKXY5LQsLQeY6UntTQmtSKwFh#z6MkneEzjgD4Rerd14F62MmcKXY5LQsLQeY6UntTQmtSKwFh"
      },
      "payload": {
        "iss": "did:key:z6MkneEzjgD4Rerd14F62MmcKXY5LQsLQeY6UntTQmtSKwFh",
        "sub": "did:example:123",
        "vc": {
          "@context": [
            "https://www.w3.org/2018/credentials/v1",
            "https://w3id.org/security/suites/jws-2020/v1"
          ],
          "id": "urn:uuid:494",
          "type": ["VerifiableCredential"],
          "issuer":
"did:key:z6MkneEzjgD4Rerd14F62MmcKXY5LQsLQeY6UntTQmtSKwFh",
          "issuanceDate": "2010-01-01T19:23:24Z",
          "credentialSubject": { "id": "did:example:123" }
        },
        "jti": "urn:uuid:494",
        "nbf": 1262373804
      },
      "signature":
"pRMwWUl1rjVpUIChduHosy2NeZfdeBo0jkWfLKVXfmVO8Q31PN3kcw0CGIG78hS0z9MdXnOV7L3mBQtKBslQDA"
    }

If I can't represent a VC-JWT as JSON in a database, then I can't query
over its contents, which is important for many public credential use cases.

It would seem the rational thing to do is:

1. to store them decoded
2. store a decoded version next to the encoded version.

I would still avoid transmitting them decoded since JSON member order might
not be preserved, and reordering would break signatures.

My question are:

1. What is the name for the representation I gave above in JSON (is this
what flattened looks like), or is there a better way?
2. Which of the 2 storage options should JWT developers take, when planning
to query over JWT verifiable credentials?

Regards,

OS

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>
ᐧ

Received on Thursday, 17 February 2022 14:21:43 UTC