
Re: Rendering Verifiable Credentials @ RWoT11

From: Leonard Rosenthol <lrosenth@adobe.com>
Date: Mon, 25 Jul 2022 15:25:38 +0000
To: Julien Fraichot <Julien.Fraichot@hyland.com>, Manu Sporny <msporny@digitalbazaar.com>, "public-credentials@w3.org" <public-credentials@w3.org>
Message-ID: <DM8PR02MB8181BD229C912296CC25079FCD959@DM8PR02MB8181.namprd02.prod.outlook.com>
Julien – thanks for responding.

How does Blockcerts deal with the security aspects of arbitrary UGC (user generated content – aka the presentation), which may contain scripting and external resource references being rendered in someone else’s domain/context?

This is the biggest issue – security/privacy – in a scenario like this.  The EPUB/publishing CG has been dealing with this for quite a long time as well.


From: Julien Fraichot <Julien.Fraichot@hyland.com>
Date: Monday, July 25, 2022 at 10:47 AM
To: Leonard Rosenthol <lrosenth@adobe.com>, Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org <public-credentials@w3.org>
Subject: Re: Rendering Verifiable Credentials @ RWoT11


Replying a bit late to the party,

Blockcerts has had the visual layer since its inception and we continue to make it one of the main “selling points” of the solution.

At this stage in Blockcerts v3 we do support HTML (with inline CSS), base64 pdf and base64 images (png, jpeg, gif and bmp). With HTML, we do run the code through an XSS sanitizer before rendering to mitigate the risk of attacks. The name of the property is `display` and it is an object with 3 subproperties, `content`, `contentMediaType` and `contentEncoding` (see https://www.blockcerts.org/schema/3.1/context.json).

We have a webcomponent for rendering, but we do expect at this point the HTML to be display ready, meaning that we don’t necessarily check the quality of the HTML in terms of accessibility before rendering and trust the issuer to have done their part. I doubt however the component itself is super a11y compatible, but I have never had it tested for that purpose.

We also have a `metadata` property which allows the issuer to provide more information that does not necessarily need to be part of the display, but is rendered by the webcomponent in a separate section.

I will try to get a budget to attend RWOT and would be happy to work on the question if I do. I think a standardized way of rendering VCs is important for the whole ecosystem.



From: Leonard Rosenthol <lrosenth@adobe.com>
Date: Tuesday, 19 July 2022 at 14:04
To: Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org <public-credentials@w3.org>
Subject: Re: Rendering Verifiable Credentials @ RWoT11

SVG (the standard profile) supports JS and CSS, so all the same issues you have with HTML you have with SVG.  There are profiles of SVG that don’t allow JS or CSS, such as SVG Tiny or SVG Basic…

I will note, however, that the IETF tried using a reduced functionality profile for allowing SVG in RFCs and ran into a lot of issues with lack of tool support…so they ended up having to write their own “SVG cleaner” application…


From: Manu Sporny <msporny@digitalbazaar.com>
Date: Monday, July 18, 2022 at 7:48 PM
To: public-credentials@w3.org <public-credentials@w3.org>
Subject: Re: Rendering Verifiable Credentials @ RWoT11

On 7/18/22 12:27 AM, Bill Claxton, NextID Founder & Operations Director wrote:
> This is why we use HTML and CSS to create responsive layouts and why the
> NextCert Issuer supports uploading of layouts using zip packages.

Bill, feel free to add links to any relevant work here as a PR:


We had considered HTML/CSS and had backed off a bit given the possibility of
all sorts of tracking/JS injection attacks. That said, it's a natural desire
to use what's already out there and deployed broadly... and there might be
hope in sandboxing components via Web Components:


Has anyone out there tried to use a Web Component as a rendering layer for VCs?

-- manu

Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)

Received on Monday, 25 July 2022 15:25:55 UTC
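
The `display` object described in the thread (`content`, `contentMediaType`, `contentEncoding`) and the concern about scripting and external resource references can be handled with a containment layer that sits behind the XSS sanitizer. The following is an added example, not code from Blockcerts or from any participant; the media-type allow-list mirrors the formats named in the thread, while `planDisplay`, the CSP string and the iframe attributes are assumptions of this sketch.

```javascript
// Added sketch, not Blockcerts code. Field names come from the thread; the
// allow-list, CSP string and function names are assumptions of this example.
const ALLOWED_MEDIA = new Set(['text/html', 'application/pdf',
  'image/png', 'image/jpeg', 'image/gif', 'image/bmp']);

// No script, no network fetches: only inline CSS and data: images may load.
const CSP = "default-src 'none'; style-src 'unsafe-inline'; img-src data:";

// Escape for use inside a double-quoted HTML attribute (srcdoc).
const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');

const isBase64 = (s) => s.length > 0 && s.length % 4 === 0 &&
  /^[A-Za-z0-9+\/]+={0,2}$/.test(s);

function planDisplay(display) {
  const { content, contentMediaType, contentEncoding } = display || {};
  if (typeof content !== 'string' || !ALLOWED_MEDIA.has(contentMediaType)) {
    return { kind: 'rejected', reason: 'unsupported media type or content' };
  }
  if (contentMediaType === 'text/html') {
    // HTML is assumed to arrive unencoded; sanitizing still runs before this.
    const doc = `<meta http-equiv="Content-Security-Policy" content="${CSP}">${content}`;
    // Empty sandbox value: opaque origin, no scripts, forms, popups or navigation.
    const markup = '<iframe sandbox="" referrerpolicy="no-referrer" ' +
      `srcdoc="${escapeAttr(doc)}"></iframe>`;
    return { kind: 'iframe', markup };
  }
  if (contentEncoding !== 'base64' || !isBase64(content)) {
    return { kind: 'rejected', reason: 'binary content must be valid base64' };
  }
  return { kind: 'dataUri', uri: `data:${contentMediaType};base64,${content}` };
}

// Constructed sample: issuer HTML carrying a remote image and a script.
const sampleHtml = {
  contentMediaType: 'text/html',
  content: '<img src="https://tracker.example/p.gif">' +
    '<script>alert(1)</script><p style="color:navy">Diploma</p>',
};
console.log(planDisplay(sampleHtml).markup);
```

SVG is rejected here because it is not in the list of formats named in the thread, and because the full SVG profile carries the same script and CSS surface as HTML.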
