- From: Matthieu Dionne <mtthdnn@outlook.com>
- Date: Tue, 3 Mar 2026 01:45:17 +0000
- To: "public-uora@w3.org" <public-uora@w3.org>
- Message-ID: <SCYPR80MB7936280DF9E0F8169D6F90A5E87EA@SCYPR80MB7936.lamprd80.prod.outlook.com>
Hi all,
I recently joined the UORA CG and would like to share an open-source
project, Apercue, as a potential use case. It aligns with several focus
areas: lifecycle tracking, attestation, provenance, and multi-party
access policies.
The project uses CUE's type system to model dependency graphs where
assets are represented as typed nodes. For example, a physical asset
lifecycle (Raw Material → Manufacturing → QC → Shipping) maps directly
to the graph. A single CUE definition simultaneously produces:
- Verifiable Credentials 2.0: SHACL validation reports wrapped as
attestations.
- PROV-O Provenance: Chain of custody computed from dependency edges
(prov:wasDerivedFrom).
- ODRL 2.2 Policies: Access control based on resource types (e.g.,
QC results vs. shipping data).
- OWL-Time Scheduling: Critical path analysis and slack computation.
Because constraints are part of the CUE type lattice, an incomplete or
non-conformant lifecycle cannot be serialized. This eliminates the need
for a separate runtime policy engine or provenance store; the data model
is the policy.
I treat cryptographic proof generation as a downstream deployment
concern. The CUE layer defines what is attested, while UORA's protocol
work defines how those attestations are signed and verified.
I have a detailed use case document with computed JSON evidence for all
17 supported specs. I'm happy to share this via mailing list, a PR to
the group repo, or a brief presentation.
Resources:
Project: https://github.com/quicue/apercue (Apache 2.0)
W3C Evidence Report: https://github.com/quicue/apercue/blob/main/w3c/core-report.md
VC Pattern Source: https://github.com/quicue/apercue/blob/main/patterns/credentials.cue
Looking forward to contributing,
Matthieu Dionne
Received on Tuesday, 3 March 2026 02:51:01 UTC