RE: Verifiable Credentials with COSE_Sign1

While I support VCs using COSE_Sign1, I'd expected that the signed credential would be CBOR – not JSON.  Signing JSON unnecessarily gives up the significant size advantages of CBOR – for instance, using single-byte constants such as 3 for member names, instead of strings such as "credentialSubject" that are an order of magnitude larger – as described in https://github.com/w3c/vc-data-model/issues/985#issuecomment-1330133207.


Would you be willing to work with me on a true CBOR representation of Verifiable Credentials utilizing all the advantages of CBOR?

                                                -- Mike

From: Mike Prorock <mprorock@mesur.io>
Sent: Friday, December 2, 2022 5:36 PM
To: Orie Steele <orie@transmute.industries>
Cc: W3C VC Working Group <public-vc-wg@w3.org>
Subject: Re: Verifiable Credentials with COSE_Sign1

This is directly in line with our desired approach.  Huge support from us

There will be refinement of course, but this is an excellent start.

Thank you Orie
Mike Prorock
mesur.io

On Fri, Dec 2, 2022, 17:10 Orie Steele <orie@transmute.industries> wrote:
Friends,

Here is a simple proposal to use COSE Sign1 to protect W3C Verifiable Credentials:
https://transmute-industries.github.io/vc-cose/

Similar to the previous proposal to simplify protecting W3C Verifiable Credentials using JWS, which I shared previously:  https://lists.w3.org/Archives/Public/public-vc-wg/2022Nov/0034.html


These approaches when paired together demonstrate a very simple and very traditional approach to securing data using well established standards from IETF.

Both proposals rely on the assumption that the W3C VCWG will define a JSON media type for W3C Verifiable Credentials that looks essentially exactly the same as the one registered for activity streams, which has seen huge success recently due to growth in interest in Mastodon.

Here is the section of both security suites which I believe belongs in the core data model instead:

- https://transmute-industries.github.io/vc-cose/#media-type

- https://transmute-industries.github.io/vc-jws/#media-type


If there is consensus to add this section to the core data model, I am happy to open a pull request to do so.

Finally here is a test vector for a W3C Verifiable Credential in the style of the COSE WG:

https://github.com/transmute-industries/vc-cose/blob/main/verifiable-credential.cose.json


Here is a shareable link that decodes the example test vector into a "JOSE like" JSON representation for readability:

https://v.gluecose.org/#pako:eJy71BLhsZglQiWjpKSg2EpfP7UiMbcgJ1UvNaVUP7O4uDS1qFjf0EQ5O7VS14BRjblCOrGgICczObEkMz9PP7koNSU1ryQzMUc7qzg_b8ENh0jG6dVKDsn5eSWpFSVKVtFKMHPLy8v1yo318ovS9Y0MDC2QtBbrlxkq6RClEOo4sI5YHaXMFCUrsD40dyNrMTY3NgKaXlJZkApyTlhqUWZaZmJSTqozXBFQOjQvswzo08ySSpfU9KJUZEmQPeBwgNqFO5CUICoT85JTXRJLgNYpAT1goGtgCEQhhpZWRsZWRiZRQFUI9wWXJmWlJgMDqhrimZTMFCuo4VaGRsZAtSlg94AUQLyg5JSYnJGak18EcShQRV5iLrK4Qn6aQnByZirQFQqJeSkKjkUlxUq1tbURDpnt8p5Cyq5yE2xkdsm43w7P5Aj7dHDhLjVLpvhTbCnrUw3a_Rfc2rJDsmCbWdNN3xDu7wVPKtxmMFpHGuoHXkhJPAIAXHHB0A


And here is the same verifiable credential payload shared in a way that clearly demonstrates the information the issuer intended to protect by using a JWS or a COSE Sign1 to sign the JSON serialization of the credential,

WITHOUT performing any JSON-LD processing... and yet, the data is still valid JSON-LD that can be converted to N-Quads / or used with SPARQL or other W3C Standards, should a holder wish to leverage those W3C Standards alongside the current W3C Verifiable Credentials Data Model.

https://v.jsld.org/DFeanbohH5SCpwRdw4RWPysbt73ysfXJy2E8zovAiNTQ2gjfDhM6mFYKcXzWFty3BD86DaBUSeFZLsakxgqEmqR62bxA68yF4XeCNG99YWGM84HCCo7tNLApjRnp5zWbNaS6XpHATx7pjvqZM77E69TwPzPkdECpGQioE9FeULcRz2srNVheCJLMrPVtVpcyJWTncKXBds1EKe93JvnM2hKTvL2MSPZAZ3iPJS5BvaHdhepaEnLNpPW7B5nezBqxqSyYwhwQDG7N3gfqGEWCxwfh7vZxkqDT52f5CS9Eqvy71kqwqs8LN4BEe1acEE2278KmE13e6Jc7jUEyRCEgKHYisU9dtj9q6jYDQE


I hope this demonstrates several things and will allow us to proceed with the important work we have ahead of us as a WG.

1. Issuers and verifiers can protect and verify the integrity of a W3C Verifiable Credential without performing ANY JSON-LD Processing, or RDF Data Set Normalization.
2. JOSE and COSE are well suited to securing JSON (and CBOR) based data models and there are implementations in many languages that can easily be used to implement the basic requirements of issuance and verification.
3. The W3C VC Data Model has great interoperability (which should be preserved) with other W3C Standards such as ActivityPub (used by Mastodon), SPARQL, JSON-LD and RDF.

If there is interest in adopting these 2 JOSE and COSE based security suites for securing W3C Verifiable Credentials please indicate your interest by responding to the message.

Regards,

OS

--
ORIE STEELE
Chief Technical Officer
www.transmute.industries


Received on Tuesday, 6 December 2022 21:36:44 UTC