Re: Verifiable Credentials with COSE_Sign1 from Orie Steele on 2022-12-06 (public-vc-wg@w3.org from December 2022)

From: Orie Steele <orie@transmute.industries>
Date: Tue, 6 Dec 2022 15:47:32 -0600
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: W3C VC Working Group <public-vc-wg@w3.org>
Message-ID: <CAN8C-_KrPQ3UXGPKCeYWp5ZricEgXp9ShOztNj3apxZwtq9ehA@mail.gmail.com>
In the SCITT work, we often sign content types that are not natively CBOR,
for example:

https://github.com/opensbom-generator/spdx-sbom-generator

Notice the JSON examples here:
https://github.com/opensbom-generator/spdx-sbom-generator#module-json-example

The solution I propose supports doing the same for W3C Verifiable
Credentials, but would work with the existing data model, using the
content type `application/credential+json`.

If the working group wanted to define `application/credential+cbor` in the
future, we could do so.

I would expect the same structure in the headers, but a different structure
in the payload, and the `ctyp` to indicate the type of the payload.

I'm not in favor of "coupling" the core data model to the "security
format", either through a mapping such as VC-JWT today, or through
attempting to redefine the core data model in CBOR.

Regards,

OS



On Tue, Dec 6, 2022 at 3:36 PM Mike Jones <Michael.Jones@microsoft.com>
wrote:

> While I support VCs using COSE_Sign1, I’d expected that the signed
> credential would be CBOR – not JSON.  Signing JSON unnecessarily gives up
> the significant size advantages of CBOR – for instance, using single-byte
> constants such as 3 for member names, instead of strings such as "credentialSubject"
> that are an order of magnitude larger – as described in
> https://github.com/w3c/vc-data-model/issues/985#issuecomment-1330133207.
>
>
>
> Would you be willing to work with me on a true CBOR representation of
> Verifiable Credentials utilizing all the advantages of CBOR?
>
>
>
>                                                 -- Mike
>
>
>
> *From:* Mike Prorock <mprorock@mesur.io>
> *Sent:* Friday, December 2, 2022 5:36 PM
> *To:* Orie Steele <orie@transmute.industries>
> *Cc:* W3C VC Working Group <public-vc-wg@w3.org>
> *Subject:* Re: Verifiable Credentials with COSE_Sign1
>
>
>
> This is directly in line with our desired approach.  Huge support from us
>
>
>
> There will be refinement of course, but this is an excellent start.
>
>
>
> Thank you Orie
>
> Mike Prorock
> mesur.io
>
>
>
> On Fri, Dec 2, 2022, 17:10 Orie Steele <orie@transmute.industries> wrote:
>
> Friends,
>
> Here is a simple proposal to use COSE Sign1 to protect W3C Verifiable
> Credentials:
>
> https://transmute-industries.github.io/vc-cose
>
> Similar to the previous proposal to simplify protecting W3C
> Verifiable Credentials using JWS, which I shared previously:
> https://lists.w3.org/Archives/Public/public-vc-wg/2022Nov/0034.html
>
> These approaches when paired together demonstrate a very simple and very
> traditional approach to securing data using well established standards from
> IETF.
>
> Both proposals rely on the assumption that the W3C VCWG will define a JSON
> media type for W3C Verifiable Credentials that looks essentially
> exactly the same as the one registered for activity streams, which has
> seen huge success recently due to growth in interest in Mastodon.
>
> Here is the section of both security suites which I believe belongs in the
> core data model instead:
>
> - https://transmute-industries.github.io/vc-cose/#media-type
> - https://transmute-industries.github.io/vc-jws/#media-type
>
> If there is consensus to add this section to the core data model, I am
> happy to open a pull request to do so.
>
> Finally here is a test vector for a W3C Verifiable Credential in the style
> of the COSE WG:
>
>
> https://github.com/transmute-industries/vc-cose/blob/main/verifiable-credential.cose.json
>
> Here is a shareable link that decodes the example test vector into a "JOSE
> like" JSON representation for readability:
>
>
> https://v.gluecose.org/#pako:eJy71BLhsZglQiWjpKSg2EpfP7UiMbcgJ1UvNaVUP7O4uDS1qFjf0EQ5O7VS14BRjblCOrGgICczObEkMz9PP7koNSU1ryQzMUc7qzg_b8ENh0jG6dVKDsn5eSWpFSVKVtFKMHPLy8v1yo318ovS9Y0MDC2QtBbrlxkq6RClEOo4sI5YHaXMFCUrsD40dyNrMTY3NgKaXlJZkApyTlhqUWZaZmJSTqozXBFQOjQvswzo08ySSpfU9KJUZEmQPeBwgNqFO5CUICoT85JTXRJLgNYpAT1goGtgCEQhhpZWRsZWRiZRQFUI9wWXJmWlJgMDqhrimZTMFCuo4VaGRsZAtSlg94AUQLyg5JSYnJGak18EcShQRV5iLrK4Qn6aQnByZirQFQqJeSkKjkUlxUq1tbURDpnt8p5Cyq5yE2xkdsm43w7P5Aj7dHDhLjVLpvhTbCnrUw3a_Rfc2rJDsmCbWdNN3xDu7wVPKtxmMFpHGuoHXkhJPAIAXHHB0A
>
> And here is the same verifiable credential payload shared in a way that
> clearly demonstrates the information
> the issuer intended to protect by using a JWS or a COSE Sign1 to sign the
> JSON serialization of the credential,
>
> WITHOUT performing any JSON-LD processing... and yet, the data is still
> valid JSON-LD that can be converted to
> N-Quads / or used with SPARQL or other W3C Standards, should a holder wish
> to leverage those W3C Standards along side the current W3C Verifiable
> Credentials Data Model.
>
>
> https://v.jsld.org/DFeanbohH5SCpwRdw4RWPysbt73ysfXJy2E8zovAiNTQ2gjfDhM6mFYKcXzWFty3BD86DaBUSeFZLsakxgqEmqR62bxA68yF4XeCNG99YWGM84HCCo7tNLApjRnp5zWbNaS6XpHATx7pjvqZM77E69TwPzPkdECpGQioE9FeULcRz2srNVheCJLMrPVtVpcyJWTncKXBds1EKe93JvnM2hKTvL2MSPZAZ3iPJS5BvaHdhepaEnLNpPW7B5nezBqxqSyYwhwQDG7N3gfqGEWCxwfh7vZxkqDT52f5CS9Eqvy71kqwqs8LN4BEe1acEE2278KmE13e6Jc7jUEyRCEgKHYisU9dtj9q6jYDQE
>
> I hope this demonstrates several things and will allow us to proceed with
> the important work we have ahead of us as a WG.
>
> 1. Issuers and verifiers can protect and verify the integrity of a W3C
> Verifiable Credential without performing ANY JSON-LD Processing, or RDF
> Data Set Normalization.
> 2. JOSE and COSE are well suited to securing JSON (and CBOR) based data
> models and there are implementations in many languages that can easily be
> used to implement the basic requirements of issuance and verification.
> 3. The W3C VC Data Model has great interoperability (which should be
> preserved) with other W3C Standards such as ActivityPub (used by Mastodon),
> SPARQL, JSON-LD and RDF.
>
> If there is interest in adopting these 2 JOSE and COSE based security
> suites for securing W3C Verifiable Credentials please indicate your
> interest by responding to the message.
>
> Regards,
>
> OS
>
>
>
> --
>
> *ORIE STEELE*
>
> Chief Technical Officer
>
> www.transmute.industries
>
>
>
> <https://www.transmute.industries/>
>
>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>
Received on Tuesday, 6 December 2022 21:47:56 UTC