- From: Mike Prorock <mprorock@mesur.io>
- Date: Fri, 2 Dec 2022 17:36:21 -0700
- To: Orie Steele <orie@transmute.industries>
- Cc: W3C VC Working Group <public-vc-wg@w3.org>
- Message-ID: <CAGJKSNTnbx3Lh1D+grNA8htBtNXkgwsBN+iBJpHT-tEnsfKXLA@mail.gmail.com>
This is directly in line with our desired approach. Huge support from us There will be refinement of course, but this is an excellent start. Thank you Orie Mike Prorock mesur.io On Fri, Dec 2, 2022, 17:10 Orie Steele <orie@transmute.industries> wrote: > Friends, > > Here is a simple proposal to use COSE Sign1 to protect W3C Verifiable > Credentials: > > https://transmute-industries.github.io/vc-cose > > Similar to the previous proposal to simplify protecting W3C > Verifiable Credentials using JWS, which I shared previously: > https://lists.w3.org/Archives/Public/public-vc-wg/2022Nov/0034.html > > These approaches when paired together demonstrate a very simple and very > traditional approach to securing data using well established standards from > IETF. > > Both proposals rely on the assumption that the W3C VCWG will define a JSON > media type for W3C Verifiable Credentials that looks essentially > exactly the same as the one registered for activity streams, which has > seen huge success recently due to growth in interest in Mastodon. > > Here is the section of both security suites which I believe belongs in the > core data model instead: > > - https://transmute-industries.github.io/vc-cose/#media-type > - https://transmute-industries.github.io/vc-jws/#media-type > > If there is consensus to add this section to the core data model, I am > happy to open a pull request to do so. > > Finally here is a test vector for a W3C Verifiable Credential in the style > of the COSE WG: > > > https://github.com/transmute-industries/vc-cose/blob/main/verifiable-credential.cose.json > > Here is a shareable link that decodes the example test vector into a "JOSE > like" JSON representation for readability: > > > https://v.gluecose.org/#pako:eJy71BLhsZglQiWjpKSg2EpfP7UiMbcgJ1UvNaVUP7O4uDS1qFjf0EQ5O7VS14BRjblCOrGgICczObEkMz9PP7koNSU1ryQzMUc7qzg_b8ENh0jG6dVKDsn5eSWpFSVKVtFKMHPLy8v1yo318ovS9Y0MDC2QtBbrlxkq6RClEOo4sI5YHaXMFCUrsD40dyNrMTY3NgKaXlJZkApyTlhqUWZaZmJSTqozXBFQOjQvswzo08ySSpfU9KJUZEmQPeBwgNqFO5CUICoT85JTXRJLgNYpAT1goGtgCEQhhpZWRsZWRiZRQFUI9wWXJmWlJgMDqhrimZTMFCuo4VaGRsZAtSlg94AUQLyg5JSYnJGak18EcShQRV5iLrK4Qn6aQnByZirQFQqJeSkKjkUlxUq1tbURDpnt8p5Cyq5yE2xkdsm43w7P5Aj7dHDhLjVLpvhTbCnrUw3a_Rfc2rJDsmCbWdNN3xDu7wVPKtxmMFpHGuoHXkhJPAIAXHHB0A > > And here is the same verifiable credential payload shared in a way that > clearly demonstrates the information > the issuer intended to protect by using a JWS or a COSE Sign1 to sign the > JSON serialization of the credential, > > WITHOUT performing any JSON-LD processing... and yet, the data is still > valid JSON-LD that can be converted to > N-Quads / or used with SPARQL or other W3C Standards, should a holder wish > to leverage those W3C Standards along side the current W3C Verifiable > Credentials Data Model. > > > https://v.jsld.org/DFeanbohH5SCpwRdw4RWPysbt73ysfXJy2E8zovAiNTQ2gjfDhM6mFYKcXzWFty3BD86DaBUSeFZLsakxgqEmqR62bxA68yF4XeCNG99YWGM84HCCo7tNLApjRnp5zWbNaS6XpHATx7pjvqZM77E69TwPzPkdECpGQioE9FeULcRz2srNVheCJLMrPVtVpcyJWTncKXBds1EKe93JvnM2hKTvL2MSPZAZ3iPJS5BvaHdhepaEnLNpPW7B5nezBqxqSyYwhwQDG7N3gfqGEWCxwfh7vZxkqDT52f5CS9Eqvy71kqwqs8LN4BEe1acEE2278KmE13e6Jc7jUEyRCEgKHYisU9dtj9q6jYDQE > > I hope this demonstrates several things and will allow us to proceed with > the important work we have ahead of us as a WG. > > 1. Issuers and verifiers can protect and verify the integrity of a W3C > Verifiable Credential without performing ANY JSON-LD Processing, or RDF > Data Set Normalization. > 2. JOSE and COSE are well suited to securing JSON (and CBOR) based data > models and there are implementations in many languages that can easily be > used to implement the basic requirements of issuance and verification. > 3. The W3C VC Data Model has great interoperability (which should be > preserved) with other W3C Standards such as ActivityPub (used by Mastodon), > SPARQL, JSON-LD and RDF. > > If there is interest in adopting these 2 JOSE and COSE based security > suites for securing W3C Verifiable Credentials please indicate your > interest by responding to the message. > > Regards, > > OS > > -- > *ORIE STEELE* > Chief Technical Officer > www.transmute.industries > > <https://www.transmute.industries> >
Received on Saturday, 3 December 2022 00:36:45 UTC