- From: Kim Hamilton <kimdhamilton@gmail.com>
- Date: Tue, 19 Mar 2024 20:20:07 -0700
- To: Kaliya Identity Woman <kaliya@identitywoman.net>
- Cc: Orie Steele <orie@transmute.industries>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAFmmOzcerX3x3MPs3A6J24zwxUrfDgK66LM+FSFFw5RK5BFD9g@mail.gmail.com>
That comparison matrix is gold, thanks! Spice isn’t there but that did come after IIW. There’s a lot in there and it seems a bit overwhelming. However I think most of us are necessarily abstracting away from this level, assuming a multi-model/format/etc world, to focus on business value, other aspects of the ecosystem, etc. As that happens, I think communities like this can play an important role in facilitating understanding of impact of these differences on people. Exciting stuff ahead!

On Tue, Mar 19, 2024 at 7:50 PM Kaliya Identity Woman <kaliya@identitywoman.net> wrote:

> We didn't include JSON-LD secured by SD-JWT which we knew of at least one
> vendor doing at the time we wrote the report.
>
> We covered the main formats that were "in market" and that were in some
> coherent spec.
>
> I will say about the report it covers The core components are all
> explained and the data model choices (JSON / JSON-LD / CBOR) and the "how
> we secure it" (JWT, SD-JWT, mDOC, Linked Data Signatures)
>
> If you really want to see all possible data format and signature
> combinations this chart was created out of IIW sessions. In the Credential
> Comparison Matrix
>
> https://docs.google.com/spreadsheets/d/1Z4cYfjbbE-rABcfC-xab8miocKLomivYMUFibOh9BVo/edit#gid=1590639334
>
> - Kaliya
>
> On Tue, Mar 19, 2024 at 7:37 PM Kim Hamilton <kimdhamilton@gmail.com>
> wrote:
>
>> Thanks Kaliya, I don't see some of the flavors mentioned in the report,
>> but they post-date the report. I'll link to things to be precise.
>>
>> Here's what I understand:
>>
>> - Secure Patterns for Internet Credentials (SPICE) is one group at
>>   IETF working on VCs: https://datatracker.ietf.org/group/spice/about/
>> - SD-JWT-VC is also at IETF:
>>   https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
>>
>> I'm curious if/how those are related. And also if there are any other
>> groups working on VC formats people are aware of.
>>
>> On Tue, Mar 19, 2024 at 6:19 PM Kaliya Identity Woman <
>> kaliya@identitywoman.net> wrote:
>>
>>> Lucy and I have written two reports explaining this landscape of formats
>>> and signatures.
>>>
>>> Here is the first one and infographic during the pandemic:
>>>
>>> https://www.lfph.io/wp-content/uploads/2021/02/Verifiable-Credentials-Flavors-Explained.pdf
>>>
>>> https://www.lfph.io/wp-content/uploads/2021/04/Verifiable-Credentials-Flavors-Explained-Infographic.pdf
>>>
>>> This was written last year
>>>
>>> https://medium.com/@identitywoman-in-business/new-paper-and-infographic-on-flavors-of-digital-credentials-released-b9b6ec5b95af
>>> https://drive.google.com/file/d/1mZVcGlcxAqQaOr-pBUt6-Amh2NocuaNp/view
>>>
>>> - Kaliya
>>>
>>> On Tue, Mar 19, 2024 at 5:42 PM Kim Hamilton <kimdhamilton@gmail.com>
>>> wrote:
>>>
>>>> Right, in the base media type. But SD-JWT describes a mechanism for
>>>> performing SD on JSON. It would be good to have a more transparent
>>>> mechanism to allow anchoring statements in something reference-able. It
>>>> seems a bit muddy now. Perhaps DIF, CCG, OIDF, and more can collaborate on
>>>> some rubric here.
>>>>
>>>> On Tue, Mar 19, 2024 at 5:35 PM Orie Steele <orie@transmute.industries>
>>>> wrote:
>>>>
>>>>> The VCDM is JSON-LD, and both JSON and RDF do not support selective
>>>>> disclosure in their base media types.
>>>>>
>>>>> SD-JWT only supports selective disclosure on JSON.
>>>>>
>>>>> ECDSA-SD only supports selective disclosure in JSON-LD (I think).
>>>>>
>>>>> MDoc only supports selective disclosure in CBOR.
>>>>>
>>>>> There are basically 2 ways to secure media types... You can secure
>>>>> them in a media type agnostic manner, like JWS or COSE Sign1. Or you can
>>>>> secure them in a media type aware manner, like JWT, SD-JWT, mDoc, SD-CWT
>>>>> etc.
>>>>>
>>>>> The W3C VCDM is a media type that is built on +ld+json meaning it's
>>>>> always JSON-LD that you are securing... Regardless of how you secure it.
>>>>>
>>>>> OS
>>>>>
>>>>> On Wed, Mar 20, 2024, 10:27 AM Kim Hamilton <kimdhamilton@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Thanks for stating it clearly. This is why the statement "VCDM lacks
>>>>>> selective disclosure" trips the brain wires. It belongs at the
>>>>>> signature/proof level. And of course, selective disclosure can be performed
>>>>>> in different ways. Just wondering if I missed the boat on any
>>>>>> considerations that make the credential data model itself more or less
>>>>>> conducive to selective disclosure, which that statement appears to say.
>>>>>>
>>>>>> Or maybe it refers to a specific brand of selective disclosure, and
>>>>>> not selective disclosure in the general sense.
>>>>>>
>>>>>> Does SD-JWT-VC imply a landscape in which there will be a different
>>>>>> VC format for each signature suite? This is very different from my mental
>>>>>> model of VC data model, with the possibility of using different signature
>>>>>> suites. I'd be eager to learn more about the advantages of that.
>>>>>>
>>>>>> On Tue, Mar 19, 2024 at 5:10 PM Orie Steele <orie@transmute.industries>
>>>>>> wrote:
>>>>>>
>>>>>>> Selective disclosure is a property of the securing format, not the
>>>>>>> data model.
>>>>>>>
>>>>>>> SD-JWT and ecdsa-sd both support selective disclosure, but with very
>>>>>>> different performance and security trade-offs.
>>>>>>>
>>>>>>> It's not correct to say that CBOR, YAML, JSON, XML or JSON-LD
>>>>>>> support selective disclosure.
>>>>>>>
>>>>>>> It is correct to say SD-JWT, SD-CWT, mDoc, Gordian envelopes or
>>>>>>> ecdsa-sd support selective disclosure.
>>>>>>>
>>>>>>> It seems JAdES as a requirement precludes the use of CBOR or Data
>>>>>>> Integrity Proofs, or even JWT, given JWTs are always compact (no JSON
>>>>>>> Serialization).
>>>>>>>
>>>>>>> OS
>>>>>>>
>>>>>>> On Wed, Mar 20, 2024, 9:53 AM Kim Hamilton <kimdhamilton@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>> I'm trying to get my head around the variety of VC formats. I ran
>>>>>>>> across this deck and I'm curious why it would say VCDM lacks selective
>>>>>>>> disclosure (included screenshot and deck). It does via signature suites, so
>>>>>>>> in a sense the statement "does not compute".
>>>>>>>>
>>>>>>>> Eager to learn about the new VC formats, similarities
>>>>>>>> and differences.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Kim
>>>>>>>> [image: Screenshot 2024-03-19 at 4.36.16 PM.png]

Attachments
- image/png attachment: Screenshot_2024-03-19_at_4.36.16___PM.png
Received on Wednesday, 20 March 2024 03:20:24 UTC