- From: Mike Prorock <mprorock@mesur.io>
- Date: Tue, 6 Dec 2022 14:45:51 -0700
- To: Mike Jones <Michael.Jones@microsoft.com>
- Cc: Orie Steele <orie@transmute.industries>, W3C VC Working Group <public-vc-wg@w3.org>
- Message-ID: <CAGJKSNR1v+Jj9GkRtVNnxbe0WtCok_=ixAiuyqqv=NUcKioteA@mail.gmail.com>
To clarify, with Orie's work here as a starting place

Mike Prorock
mesur.io

On Tue, Dec 6, 2022, 14:43 Mike Prorock <mprorock@mesur.io> wrote:

> I would definitely be interested in working on that.
>
> Mike Prorock
> mesur.io
>
> On Tue, Dec 6, 2022, 14:36 Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>> While I support VCs using COSE_Sign1, I'd expected that the signed
>> credential would be CBOR – not JSON. Signing JSON unnecessarily gives up
>> the significant size advantages of CBOR – for instance, using single-byte
>> constants such as 3 for member names, instead of strings such as "credentialSubject"
>> that are an order of magnitude larger – as described in
>> https://github.com/w3c/vc-data-model/issues/985#issuecomment-1330133207.
>>
>> Would you be willing to work with me on a true CBOR representation of
>> Verifiable Credentials utilizing all the advantages of CBOR?
>>
>> -- Mike
>>
>> *From:* Mike Prorock <mprorock@mesur.io>
>> *Sent:* Friday, December 2, 2022 5:36 PM
>> *To:* Orie Steele <orie@transmute.industries>
>> *Cc:* W3C VC Working Group <public-vc-wg@w3.org>
>> *Subject:* Re: Verifiable Credentials with COSE_Sign1
>>
>> This is directly in line with our desired approach. Huge support from us
>>
>> There will be refinement of course, but this is an excellent start.
>>
>> Thank you Orie
>>
>> Mike Prorock
>> mesur.io
>>
>> On Fri, Dec 2, 2022, 17:10 Orie Steele <orie@transmute.industries> wrote:
>>
>> Friends,
>>
>> Here is a simple proposal to use COSE Sign1 to protect W3C Verifiable
>> Credentials:
>>
>> https://transmute-industries.github.io/vc-cose
>>
>> Similar to the previous proposal to simplify protecting W3C
>> Verifiable Credentials using JWS, which I shared previously:
>> https://lists.w3.org/Archives/Public/public-vc-wg/2022Nov/0034.html
>>
>> These approaches when paired together demonstrate a very simple and very
>> traditional approach to securing data using well established standards from
>> IETF.
>>
>> Both proposals rely on the assumption that the W3C VCWG will define a
>> JSON media type for W3C Verifiable Credentials that looks essentially
>> exactly the same as the one registered for activity streams, which has
>> seen huge success recently due to growth in interest in Mastodon.
>>
>> Here is the section of both security suites which I believe belongs in
>> the core data model instead:
>>
>> - https://transmute-industries.github.io/vc-cose/#media-type
>> - https://transmute-industries.github.io/vc-jws/#media-type
>>
>> If there is consensus to add this section to the core data model, I am
>> happy to open a pull request to do so.
>>
>> Finally here is a test vector for a W3C Verifiable Credential in the
>> style of the COSE WG:
>>
>> https://github.com/transmute-industries/vc-cose/blob/main/verifiable-credential.cose.json
>>
>> Here is a shareable link that decodes the example test vector into a
>> "JOSE like" JSON representation for readability:
>>
>> https://v.gluecose.org/#pako:eJy71BLhsZglQiWjpKSg2EpfP7UiMbcgJ1UvNaVUP7O4uDS1qFjf0EQ5O7VS14BRjblCOrGgICczObEkMz9PP7koNSU1ryQzMUc7qzg_b8ENh0jG6dVKDsn5eSWpFSVKVtFKMHPLy8v1yo318ovS9Y0MDC2QtBbrlxkq6RClEOo4sI5YHaXMFCUrsD40dyNrMTY3NgKaXlJZkApyTlhqUWZaZmJSTqozXBFQOjQvswzo08ySSpfU9KJUZEmQPeBwgNqFO5CUICoT85JTXRJLgNYpAT1goGtgCEQhhpZWRsZWRiZRQFUI9wWXJmWlJgMDqhrimZTMFCuo4VaGRsZAtSlg94AUQLyg5JSYnJGak18EcShQRV5iLrK4Qn6aQnByZirQFQqJeSkKjkUlxUq1tbURDpnt8p5Cyq5yE2xkdsm43w7P5Aj7dHDhLjVLpvhTbCnrUw3a_Rfc2rJDsmCbWdNN3xDu7wVPKtxmMFpHGuoHXkhJPAIAXHHB0A
>>
>> And here is the same verifiable credential payload shared in a way that
>> clearly demonstrates the information
>> the issuer intended to protect by using a JWS or a COSE Sign1 to sign the
>> JSON serialization of the credential,
>>
>> WITHOUT performing any JSON-LD processing... and yet, the data is still
>> valid JSON-LD that can be converted to
>> N-Quads / or used with SPARQL or other W3C Standards, should a holder
>> wish to leverage those W3C Standards along side the current W3C Verifiable
>> Credentials Data Model.
>>
>> https://v.jsld.org/DFeanbohH5SCpwRdw4RWPysbt73ysfXJy2E8zovAiNTQ2gjfDhM6mFYKcXzWFty3BD86DaBUSeFZLsakxgqEmqR62bxA68yF4XeCNG99YWGM84HCCo7tNLApjRnp5zWbNaS6XpHATx7pjvqZM77E69TwPzPkdECpGQioE9FeULcRz2srNVheCJLMrPVtVpcyJWTncKXBds1EKe93JvnM2hKTvL2MSPZAZ3iPJS5BvaHdhepaEnLNpPW7B5nezBqxqSyYwhwQDG7N3gfqGEWCxwfh7vZxkqDT52f5CS9Eqvy71kqwqs8LN4BEe1acEE2278KmE13e6Jc7jUEyRCEgKHYisU9dtj9q6jYDQE
>>
>> I hope this demonstrates several things and will allow us to proceed with
>> the important work we have ahead of us as a WG.
>>
>> 1. Issuers and verifiers can protect and verify the integrity of a W3C
>> Verifiable Credential without performing ANY JSON-LD Processing, or RDF
>> Data Set Normalization.
>> 2. JOSE and COSE are well suited to securing JSON (and CBOR) based data
>> models and there are implementations in many languages that can easily be
>> used to implement the basic requirements of issuance and verification.
>> 3. The W3C VC Data Model has great interoperability (which should be
>> preserved) with other W3C Standards such as ActivityPub (used by Mastodon),
>> SPARQL, JSON-LD and RDF.
>>
>> If there is interest in adopting these 2 JOSE and COSE based security
>> suites for securing W3C Verifiable Credentials please indicate your
>> interest by responding to the message.
>>
>> Regards,
>>
>> OS
>>
>> --
>>
>> *ORIE STEELE*
>>
>> Chief Technical Officer
>>
>> www.transmute.industries
>>
>> <https://www.transmute.industries/>

Received on Tuesday, 6 December 2022 21:46:14 UTC
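
The size point raised in the thread (integer map labels in place of strings such as "credentialSubject"), as an added example that is not part of any message above: a minimal CBOR encoder covering a subset of RFC 8949 measures one credential as compact JSON, as CBOR with text keys, and as CBOR with integer keys. The label table and the sample credential are constructed assumptions; no specification cited in the thread assigns these integers.

```python
import json

def cbor_head(major, n):
    """CBOR initial byte plus argument for a major type (RFC 8949, section 3)."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("integer out of range for CBOR")

def cbor_encode(obj):
    """Encode the subset needed here: int, text string, array, map."""
    if type(obj) is int:  # exact type check so bools are rejected, not miscoded
        return cbor_head(0, obj) if obj >= 0 else cbor_head(1, -1 - obj)
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return cbor_head(3, len(raw)) + raw
    if isinstance(obj, list):
        return cbor_head(4, len(obj)) + b"".join(map(cbor_encode, obj))
    if isinstance(obj, dict):
        return cbor_head(5, len(obj)) + b"".join(
            cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type: {type(obj).__name__}")

# Hypothetical label table: these integer assignments are illustrative only.
LABELS = {"@context": 1, "type": 2, "credentialSubject": 3,
          "issuer": 4, "issuanceDate": 5, "id": 6}

def relabel(obj):
    if isinstance(obj, dict):
        return {LABELS.get(k, k): relabel(v) for k, v in obj.items()}
    return [relabel(x) for x in obj] if isinstance(obj, list) else obj

# Constructed sample credential, not the test vector linked in the thread.
CREDENTIAL = {
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "type": ["VerifiableCredential"],
    "issuer": "did:example:issuer",
    "issuanceDate": "2022-12-02T00:00:00Z",
    "credentialSubject": {"id": "did:example:subject"},
}

def sizes():
    as_json = json.dumps(CREDENTIAL, separators=(",", ":")).encode("utf-8")
    return {"json": len(as_json),
            "cbor_text_keys": len(cbor_encode(CREDENTIAL)),
            "cbor_int_keys": len(cbor_encode(relabel(CREDENTIAL)))}
```

Calling `sizes()` returns the three byte counts. Whichever form is chosen, the bytes placed in the COSE_Sign1 payload are the bytes the signature covers, so a verifier checks the signature over the payload as received and does not re-serialize it first.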