- From: Kim Hamilton <kimdhamilton@gmail.com>
- Date: Tue, 19 Mar 2024 19:37:32 -0700
- To: Kaliya Identity Woman <kaliya@identitywoman.net>
- Cc: Orie Steele <orie@transmute.industries>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAFmmOzc3ZOh_tL_dFZH+hOvnTqVPupUP9EeEEREFFqbx2fDhGQ@mail.gmail.com>
Thanks Kaliya, I don't see some of the flavors mentioned in the report, but they post-date the report. I'll link to things to be precise. Here's what I understand:

- Secure Patterns for Internet Credentials (SPICE) is one group at IETF working on VCs: https://datatracker.ietf.org/group/spice/about/
- SD-JWT-VC is also at IETF: https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/

I'm curious if/how those are related. And also if there are any other groups working on VC formats people are aware of.

On Tue, Mar 19, 2024 at 6:19 PM Kaliya Identity Woman <kaliya@identitywoman.net> wrote:

> Lucy and I have written two reports explaining this landscape of formats
> and signatures.
>
> Here is the first one and infographic during the pandemic:
>
> https://www.lfph.io/wp-content/uploads/2021/02/Verifiable-Credentials-Flavors-Explained.pdf
>
> https://www.lfph.io/wp-content/uploads/2021/04/Verifiable-Credentials-Flavors-Explained-Infographic.pdf
>
> This was written last year
>
> https://medium.com/@identitywoman-in-business/new-paper-and-infographic-on-flavors-of-digital-credentials-released-b9b6ec5b95af
> https://drive.google.com/file/d/1mZVcGlcxAqQaOr-pBUt6-Amh2NocuaNp/view
>
> - Kaliya
>
>
> On Tue, Mar 19, 2024 at 5:42 PM Kim Hamilton <kimdhamilton@gmail.com>
> wrote:
>
>> Right, in the base media type. But SD-JWT describes a mechanism for
>> performing SD on JSON. It would be good to have a more transparent
>> mechanism to allow anchoring statements in something reference-able. It
>> seems a bit muddy now. Perhaps DIF, CCG, OIDF, and more can collaborate on
>> some rubric here.
>>
>> On Tue, Mar 19, 2024 at 5:35 PM Orie Steele <orie@transmute.industries>
>> wrote:
>>
>>> The VCDM is JSON-LD, and both JSON and RDF do not support selective
>>> disclosure in their base media types.
>>>
>>> SD-JWT only supports selective disclosure on JSON.
>>>
>>> ECDSA-SD only supports selective disclosure in JSON-LD (I think).
>>>
>>> MDoc only supports selective disclosure in CBOR.
>>>
>>> There are basically 2 ways to secure media types... You can secure them
>>> in a media type agnostic manner, like JWS or COSE Sign1. Or you can secure
>>> them in a media type aware manner, like JWT, SD-JWT, mDoc, SD-CWT etc.
>>>
>>> The W3C VCDM is a media type that is built on +ld+json meaning it's
>>> always JSON-LD that you are securing... Regardless of how you secure it.
>>>
>>> OS
>>>
>>> On Wed, Mar 20, 2024, 10:27 AM Kim Hamilton <kimdhamilton@gmail.com>
>>> wrote:
>>>
>>>> Thanks for stating it clearly. This is why the statement "VCDM lacks
>>>> selective disclosure" trips the brain wires. It belongs at the
>>>> signature/proof level. And of course, selective disclosure can be performed
>>>> in different ways. Just wondering if I missed the boat on any
>>>> considerations that make the credential data model itself more or less
>>>> conducive to selective disclosure, which that statement appears to say.
>>>>
>>>> Or maybe it refers to a specific brand of selective disclosure, and not
>>>> selective disclosure in the general sense.
>>>>
>>>> Does SD-JWT-VC imply a landscape in which there will be a different VC
>>>> format for each signature suite? This is very different from my mental
>>>> model of VC data model, with the possibility of using different signature
>>>> suites. I'd be eager to learn more about the advantages of that.
>>>>
>>>> On Tue, Mar 19, 2024 at 5:10 PM Orie Steele <orie@transmute.industries>
>>>> wrote:
>>>>
>>>>> Selective disclosure is a property of the securing format, not the
>>>>> data model.
>>>>>
>>>>> SD-JWT and ecdsa-sd both support selective disclosure, but with very
>>>>> different performance and security trade-offs.
>>>>>
>>>>> It's not correct to say that CBOR, YAML, JSON, XML or JSON-LD support
>>>>> selective disclosure.
>>>>>
>>>>> It is correct to say SD-JWT, SD-CWT, mDoc, Gordian envelopes or
>>>>> ecdsa-sd support selective disclosure.
>>>>>
>>>>> It seems JAdES as a requirement precludes the use of CBOR or Data
>>>>> Integrity Proofs, or even JWT, given JWTs are always compact (no JSON
>>>>> Serialization).
>>>>>
>>>>> OS
>>>>>
>>>>> On Wed, Mar 20, 2024, 9:53 AM Kim Hamilton <kimdhamilton@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi all,
>>>>>> I'm trying to get my head around the variety of VC formats. I ran
>>>>>> across this deck and I'm curious why it would say VCDM lacks selective
>>>>>> disclosure (included screenshot and deck). It does via signature suites, so
>>>>>> in a sense the statement "does not compute".
>>>>>>
>>>>>> Eager to learn about the new VC formats, similarities and differences.
>>>>>>
>>>>>> Thanks,
>>>>>> Kim
>>>>>> [image: Screenshot 2024-03-19 at 4.36.16 PM.png]
>>>>>>
>>>>>
Attachments
- image/png attachment: Screenshot_2024-03-19_at_4.36.16___PM.png
Received on Wednesday, 20 March 2024 02:37:51 UTC
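
The distinction drawn in the thread between media type agnostic and media type aware securing, as an added example that is not part of the original messages or of any project's code. It follows the SD-JWT pattern of salted disclosure digests in an `_sd` array; the HMAC is an assumed stand-in for the issuer's real signature, and the key, claim values and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = b"constructed-demo-key"  # assumption: stand-in for the issuer key

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(data: bytes) -> str:
    # HMAC stands in for the issuer's signature; it covers opaque bytes only.
    return b64u(hmac.new(ISSUER_KEY, data, hashlib.sha256).digest())

def digest(disclosure: str) -> str:
    return b64u(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(claims: dict, disclosable: set):
    """Return (signed body, signature, {claim name: disclosure})."""
    payload = {k: v for k, v in claims.items() if k not in disclosable}
    disclosures = {}
    for name in disclosable:
        salt = b64u(secrets.token_bytes(16))  # fresh salt blocks digest guessing
        disclosures[name] = b64u(json.dumps([salt, name, claims[name]]).encode())
    payload["_sd"] = sorted(digest(d) for d in disclosures.values())
    payload["_sd_alg"] = "sha-256"
    body = json.dumps(payload, sort_keys=True).encode()
    return body, sign(body), disclosures

def verify(body: bytes, signature: str, presented: list) -> dict:
    """Check the signature, then accept only disclosures whose digest it covers."""
    if not hmac.compare_digest(sign(body), signature):
        raise ValueError("signature check failed")
    payload = json.loads(body)
    signed = set(payload.pop("_sd"))
    payload.pop("_sd_alg")
    for d in presented:
        if digest(d) not in signed:
            raise ValueError("disclosure not covered by the signature")
        _salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        if name in payload:
            raise ValueError("disclosure would overwrite an existing claim")
        payload[name] = value
    return payload

# Constructed sample claims, not taken from the thread.
CLAIMS = {"iss": "https://issuer.example", "given_name": "Alice",
          "birthdate": "1990-01-01", "degree": "BSc"}

if __name__ == "__main__":
    body, sig, disc = issue(CLAIMS, {"given_name", "birthdate"})
    print(verify(body, sig, [disc["given_name"]]))  # birthdate stays hidden
```

Signing the full claim set with `sign` alone gives the media type agnostic case: removing any claim changes the signed bytes, so nothing can be withheld without breaking verification.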