- From: Orie Steele <orie@transmute.industries>
- Date: Tue, 6 Dec 2022 15:47:32 -0600
- To: Mike Jones <Michael.Jones@microsoft.com>
- Cc: W3C VC Working Group <public-vc-wg@w3.org>
- Message-ID: <CAN8C-_KrPQ3UXGPKCeYWp5ZricEgXp9ShOztNj3apxZwtq9ehA@mail.gmail.com>
In the SCITT work, we often sign content types that are not natively CBOR, for example: https://github.com/opensbom-generator/spdx-sbom-generator Notice the JSON examples here: https://github.com/opensbom-generator/spdx-sbom-generator#module-json-example The solution I propose supports doing the same for W3C Verifiable Credentials, but would work with the existing data model, using the content type `application/credential+json`. If the working group wanted to define `application/credential+cbor` in the future, we could do so. I would expect the same structure in the headers, but a different structure in the payload, and the `ctyp` to indicate the type of the payload. I'm not in favor of "coupling" the core data model to the "security format", either through a mapping such as VC-JWT today, or through attempting to redefine the core data model in CBOR. Regards, OS On Tue, Dec 6, 2022 at 3:36 PM Mike Jones <Michael.Jones@microsoft.com> wrote: > While I support VCs using COSE_Sign1, Iād expected that the signed > credential would be CBOR ā not JSON. Signing JSON unnecessarily gives up > the significant size advantages of CBOR ā for instance, using single-byte > constants such as 3 for member names, instead of strings such as "credentialSubject" > that are an order of magnitude larger ā as described in > https://github.com/w3c/vc-data-model/issues/985#issuecomment-1330133207. > > > > Would you be willing to work with me on a true CBOR representation of > Verifiable Credentials utilizing all the advantages of CBOR? > > > > -- Mike > > > > *From:* Mike Prorock <mprorock@mesur.io> > *Sent:* Friday, December 2, 2022 5:36 PM > *To:* Orie Steele <orie@transmute.industries> > *Cc:* W3C VC Working Group <public-vc-wg@w3.org> > *Subject:* Re: Verifiable Credentials with COSE_Sign1 > > > > This is directly in line with our desired approach. Huge support from us > > > > There will be refinement of course, but this is an excellent start. > > > > Thank you Orie > > Mike Prorock > mesur.io > > > > On Fri, Dec 2, 2022, 17:10 Orie Steele <orie@transmute.industries> wrote: > > Friends, > > Here is a simple proposal to use COSE Sign1 to protect W3C Verifiable > Credentials: > > https://transmute-industries.github.io/vc-cose > > Similar to the previous proposal to simplify protecting W3C > Verifiable Credentials using JWS, which I shared previously: > https://lists.w3.org/Archives/Public/public-vc-wg/2022Nov/0034.html > > These approaches when paired together demonstrate a very simple and very > traditional approach to securing data using well established standards from > IETF. > > Both proposals rely on the assumption that the W3C VCWG will define a JSON > media type for W3C Verifiable Credentials that looks essentially > exactly the same as the one registered for activity streams, which has > seen huge success recently due to growth in interest in Mastodon. > > Here is the section of both security suites which I believe belongs in the > core data model instead: > > - https://transmute-industries.github.io/vc-cose/#media-type > - https://transmute-industries.github.io/vc-jws/#media-type > > If there is consensus to add this section to the core data model, I am > happy to open a pull request to do so. > > Finally here is a test vector for a W3C Verifiable Credential in the style > of the COSE WG: > > > https://github.com/transmute-industries/vc-cose/blob/main/verifiable-credential.cose.json > > Here is a shareable link that decodes the example test vector into a "JOSE > like" JSON representation for readability: > > > https://v.gluecose.org/#pako:eJy71BLhsZglQiWjpKSg2EpfP7UiMbcgJ1UvNaVUP7O4uDS1qFjf0EQ5O7VS14BRjblCOrGgICczObEkMz9PP7koNSU1ryQzMUc7qzg_b8ENh0jG6dVKDsn5eSWpFSVKVtFKMHPLy8v1yo318ovS9Y0MDC2QtBbrlxkq6RClEOo4sI5YHaXMFCUrsD40dyNrMTY3NgKaXlJZkApyTlhqUWZaZmJSTqozXBFQOjQvswzo08ySSpfU9KJUZEmQPeBwgNqFO5CUICoT85JTXRJLgNYpAT1goGtgCEQhhpZWRsZWRiZRQFUI9wWXJmWlJgMDqhrimZTMFCuo4VaGRsZAtSlg94AUQLyg5JSYnJGak18EcShQRV5iLrK4Qn6aQnByZirQFQqJeSkKjkUlxUq1tbURDpnt8p5Cyq5yE2xkdsm43w7P5Aj7dHDhLjVLpvhTbCnrUw3a_Rfc2rJDsmCbWdNN3xDu7wVPKtxmMFpHGuoHXkhJPAIAXHHB0A > > And here is the same verifiable credential payload shared in a way that > clearly demonstrates the information > the issuer intended to protect by using a JWS or a COSE Sign1 to sign the > JSON serialization of the credential, > > WITHOUT performing any JSON-LD processing... and yet, the data is still > valid JSON-LD that can be converted to > N-Quads / or used with SPARQL or other W3C Standards, should a holder wish > to leverage those W3C Standards along side the current W3C Verifiable > Credentials Data Model. > > > https://v.jsld.org/DFeanbohH5SCpwRdw4RWPysbt73ysfXJy2E8zovAiNTQ2gjfDhM6mFYKcXzWFty3BD86DaBUSeFZLsakxgqEmqR62bxA68yF4XeCNG99YWGM84HCCo7tNLApjRnp5zWbNaS6XpHATx7pjvqZM77E69TwPzPkdECpGQioE9FeULcRz2srNVheCJLMrPVtVpcyJWTncKXBds1EKe93JvnM2hKTvL2MSPZAZ3iPJS5BvaHdhepaEnLNpPW7B5nezBqxqSyYwhwQDG7N3gfqGEWCxwfh7vZxkqDT52f5CS9Eqvy71kqwqs8LN4BEe1acEE2278KmE13e6Jc7jUEyRCEgKHYisU9dtj9q6jYDQE > > I hope this demonstrates several things and will allow us to proceed with > the important work we have ahead of us as a WG. > > 1. Issuers and verifiers can protect and verify the integrity of a W3C > Verifiable Credential without performing ANY JSON-LD Processing, or RDF > Data Set Normalization. > 2. JOSE and COSE are well suited to securing JSON (and CBOR) based data > models and there are implementations in many languages that can easily be > used to implement the basic requirements of issuance and verification. > 3. The W3C VC Data Model has great interoperability (which should be > preserved) with other W3C Standards such as ActivityPub (used by Mastodon), > SPARQL, JSON-LD and RDF. > > If there is interest in adopting these 2 JOSE and COSE based security > suites for securing W3C Verifiable Credentials please indicate your > interest by responding to the message. > > Regards, > > OS > > > > -- > > *ORIE STEELE* > > Chief Technical Officer > > www.transmute.industries > > > > <https://www.transmute.industries/> > > -- *ORIE STEELE* Chief Technical Officer www.transmute.industries <https://www.transmute.industries>
Received on Tuesday, 6 December 2022 21:47:56 UTC