Verifiable Credentials with COSE_Sign1

Friends,

Here is a simple proposal to use COSE Sign1 to protect W3C Verifiable
Credentials:

https://transmute-industries.github.io/vc-cose

Similar to the previous proposal to simplify protecting W3C
Verifiable Credentials using JWS, which I shared previously:
https://lists.w3.org/Archives/Public/public-vc-wg/2022Nov/0034.html

These approaches, when paired together, demonstrate a very simple and very
traditional approach to securing data using well-established standards from
IETF.

Both proposals rely on the assumption that the W3C VCWG will define a JSON
media type for W3C Verifiable Credentials that looks essentially
exactly the same as the one registered for activity streams, which has seen
huge success recently due to growth in interest in Mastodon.

Here is the section of both security suites which I believe belongs in the
core data model instead:

- https://transmute-industries.github.io/vc-cose/#media-type
- https://transmute-industries.github.io/vc-jws/#media-type

If there is consensus to add this section to the core data model, I am
happy to open a pull request to do so.

Finally, here is a test vector for a W3C Verifiable Credential in the style
of the COSE WG:

https://github.com/transmute-industries/vc-cose/blob/main/verifiable-credential.cose.json

Here is a shareable link that decodes the example test vector into a "JOSE
like" JSON representation for readability:

https://v.gluecose.org/#pako:eJy71BLhsZglQiWjpKSg2EpfP7UiMbcgJ1UvNaVUP7O4uDS1qFjf0EQ5O7VS14BRjblCOrGgICczObEkMz9PP7koNSU1ryQzMUc7qzg_b8ENh0jG6dVKDsn5eSWpFSVKVtFKMHPLy8v1yo318ovS9Y0MDC2QtBbrlxkq6RClEOo4sI5YHaXMFCUrsD40dyNrMTY3NgKaXlJZkApyTlhqUWZaZmJSTqozXBFQOjQvswzo08ySSpfU9KJUZEmQPeBwgNqFO5CUICoT85JTXRJLgNYpAT1goGtgCEQhhpZWRsZWRiZRQFUI9wWXJmWlJgMDqhrimZTMFCuo4VaGRsZAtSlg94AUQLyg5JSYnJGak18EcShQRV5iLrK4Qn6aQnByZirQFQqJeSkKjkUlxUq1tbURDpnt8p5Cyq5yE2xkdsm43w7P5Aj7dHDhLjVLpvhTbCnrUw3a_Rfc2rJDsmCbWdNN3xDu7wVPKtxmMFpHGuoHXkhJPAIAXHHB0A

And here is the same verifiable credential payload shared in a way that
clearly demonstrates the information the issuer intended to protect by
using a JWS or a COSE Sign1 to sign the JSON serialization of the
credential, WITHOUT performing any JSON-LD processing... and yet, the data
is still valid JSON-LD that can be converted to N-Quads / or used with
SPARQL or other W3C Standards, should a holder wish to leverage those W3C
Standards alongside the current W3C Verifiable Credentials Data Model.

https://v.jsld.org/DFeanbohH5SCpwRdw4RWPysbt73ysfXJy2E8zovAiNTQ2gjfDhM6mFYKcXzWFty3BD86DaBUSeFZLsakxgqEmqR62bxA68yF4XeCNG99YWGM84HCCo7tNLApjRnp5zWbNaS6XpHATx7pjvqZM77E69TwPzPkdECpGQioE9FeULcRz2srNVheCJLMrPVtVpcyJWTncKXBds1EKe93JvnM2hKTvL2MSPZAZ3iPJS5BvaHdhepaEnLNpPW7B5nezBqxqSyYwhwQDG7N3gfqGEWCxwfh7vZxkqDT52f5CS9Eqvy71kqwqs8LN4BEe1acEE2278KmE13e6Jc7jUEyRCEgKHYisU9dtj9q6jYDQE

I hope this demonstrates several things and will allow us to proceed with
the important work we have ahead of us as a WG.

1. Issuers and verifiers can protect and verify the integrity of a W3C
Verifiable Credential without performing ANY JSON-LD Processing, or RDF
Data Set Normalization.
2. JOSE and COSE are well suited to securing JSON (and CBOR) based data
models and there are implementations in many languages that can easily be
used to implement the basic requirements of issuance and verification.
3. The W3C VC Data Model has great interoperability (which should be
preserved) with other W3C Standards such as ActivityPub (used by Mastodon),
SPARQL, JSON-LD and RDF.

If there is interest in adopting these 2 JOSE and COSE based security
suites for securing W3C Verifiable Credentials please indicate your
interest by responding to the message.

Regards,

OS

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

Received on Saturday, 3 December 2022 00:10:10 UTC
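
Added example, not part of the original message or of the vc-cose proposal: a COSE_Sign1 (RFC 9052) built over the JSON bytes of a credential, showing that verification works on the carried bytes with no JSON-LD processing, and that a re-serialized copy of the same data fails. The EdDSA/Ed25519 choice, the media type string, the sample credential and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Minimal CBOR encoder (RFC 8949) for the few types COSE_Sign1 needs here.
function head(major, n) {
  if (n < 24) return Buffer.from([(major << 5) | n]);
  if (n < 256) return Buffer.from([(major << 5) | 24, n]);
  if (n < 65536) return Buffer.from([(major << 5) | 25, n >> 8, n & 0xff]);
  throw new Error('length not supported by this encoder');
}
function cbor(v) {
  if (Number.isInteger(v)) return v >= 0 ? head(0, v) : head(1, -1 - v);
  if (Buffer.isBuffer(v)) return Buffer.concat([head(2, v.length), v]);
  if (typeof v === 'string') { const b = Buffer.from(v, 'utf8'); return Buffer.concat([head(3, b.length), b]); }
  if (Array.isArray(v)) return Buffer.concat([head(4, v.length), ...v.map(cbor)]);
  if (v instanceof Map) return Buffer.concat([head(5, v.size), ...[...v].flat().map(cbor)]);
  throw new Error('unsupported type');
}
// Sig_structure (RFC 9052, section 4.4): the exact bytes that are signed.
const toBeSigned = (prot, payload) => cbor(['Signature1', prot, Buffer.alloc(0), payload]);
// Placeholder media type (assumption); the message does not state the final name.
const CONTENT_TYPE = 'application/example-credential+json';

function signCredential(jsonBytes, privateKey) {
  // Protected header: alg (label 1) = EdDSA (-8), content type (label 3).
  const prot = cbor(new Map([[1, -8], [3, CONTENT_TYPE]]));
  const sig = crypto.sign(null, toBeSigned(prot, jsonBytes), privateKey);
  // COSE_Sign1 = tag 18 (0xd2) over [protected, unprotected, payload, signature].
  const body = cbor([prot, new Map(), jsonBytes, sig]);
  return { prot, payload: jsonBytes, sig, encoded: Buffer.concat([Buffer.from([0xd2]), body]) };
}
// The verifier rebuilds Sig_structure from the carried bytes; no JSON-LD step.
const verifyCredential = (m, publicKey) =>
  crypto.verify(null, toBeSigned(m.prot, m.payload), publicKey, m.sig);

// Constructed sample credential and throwaway Ed25519 key pair.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const credential = {
  '@context': ['https://www.w3.org/2018/credentials/v1'],
  type: ['VerifiableCredential'],
  issuer: 'https://issuer.example',
  issuanceDate: '2022-12-03T00:00:00Z',
  credentialSubject: { id: 'https://subject.example' },
};
const signed = signCredential(Buffer.from(JSON.stringify(credential)), privateKey);
// Same JSON data, different bytes: rejected, because nothing is canonicalized.
const reserialized = { ...signed, payload: Buffer.from(JSON.stringify(credential, null, 2)) };
console.log(verifyCredential(signed, publicKey), verifyCredential(reserialized, publicKey));
```

Because the signature covers the serialized bytes rather than a normalized graph, a verifier has to check the payload exactly as carried and parse it only afterwards.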