RE: Verifiable Credentials with COSE_Sign1 from Mike Jones on 2022-12-06 (public-vc-wg@w3.org from December 2022)

From: Mike Jones <Michael.Jones@microsoft.com>
Date: Tue, 6 Dec 2022 21:49:46 +0000
To: Orie Steele <orie@transmute.industries>
CC: W3C VC Working Group <public-vc-wg@w3.org>
Message-ID: <SA1PR00MB13117E0801E9F83067DEC71BF51B9@SA1PR00MB1311.namprd00.prod.outlook.com>
The “coupling” that you’re not in favor will result in more natural implementations, at least as I see it.

From: Orie Steele <orie@transmute.industries>
Sent: Tuesday, December 6, 2022 2:48 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: W3C VC Working Group <public-vc-wg@w3.org>
Subject: Re: Verifiable Credentials with COSE_Sign1

In the SCITT work, we often sign content types that are not natively CBOR, for example:

https://github.com/opensbom-generator/spdx-sbom-generator


Notice the JSON examples here: https://github.com/opensbom-generator/spdx-sbom-generator#module-json-example


The solution I propose supports doing the same for W3C Verifiable Credentials, but would work with the existing data model, using the content type `application/credential+json`.

If the working group wanted to define `application/credential+cbor` in the future, we could do so.

I would expect the same structure in the headers, but a different structure in the payload, and the `ctyp` to indicate the type of the payload.

I'm not in favor of "coupling" the core data model to the "security format", either through a mapping such as VC-JWT today, or through attempting to redefine the core data model in CBOR.

Regards,

OS


On Tue, Dec 6, 2022 at 3:36 PM Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
While I support VCs using COSE_Sign1, I’d expected that the signed credential would be CBOR – not JSON.  Signing JSON unnecessarily gives up the significant size advantages of CBOR – for instance, using single-byte constants such as 3 for member names, instead of strings such as "credentialSubject" that are an order of magnitude larger – as described in https://github.com/w3c/vc-data-model/issues/985#issuecomment-1330133207.


Would you be willing to work with me on a true CBOR representation of Verifiable Credentials utilizing all the advantages of CBOR?

                                                -- Mike

From: Mike Prorock <mprorock@mesur.io<mailto:mprorock@mesur.io>>
Sent: Friday, December 2, 2022 5:36 PM
To: Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Cc: W3C VC Working Group <public-vc-wg@w3.org<mailto:public-vc-wg@w3.org>>
Subject: Re: Verifiable Credentials with COSE_Sign1

This is directly in line with our desired approach.  Huge support from us

There will be refinement of course, but this is an excellent start.

Thank you Orie
Mike Prorock
mesur.io<http://mesur.io>

On Fri, Dec 2, 2022, 17:10 Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>> wrote:
Friends,

Here is a simple proposal to use COSE Sign1 to protect W3C Verifiable Credentials:
https://transmute-industries.github.io/vc-cose<https://transmute-industries.github.io/vc-cose/>

Similar to the previous proposal to simplify protecting W3C Verifiable Credentials using JWS, which I shared previously:  https://lists.w3.org/Archives/Public/public-vc-wg/2022Nov/0034.html


These approaches when paired together demonstrate a very simple and very traditional approach to securing data using well established standards from IETF.

Both proposals rely on the assumption that the W3C VCWG will define a JSON media type for W3C Verifiable Credentials that looks essentially
exactly the same as the one registered for activity streams, which has seen huge success recently due to growth in interest in Mastodon.

Here is the section of both security suites which I believe belongs in the core data model instead:

- https://transmute-industries.github.io/vc-cose/#media-type

- https://transmute-industries.github.io/vc-jws/#media-type


If there is consensus to add this section to the core data model, I am happy to open a pull request to do so.

Finally here is a test vector for a W3C Verifiable Credential in the style of the COSE WG:

https://github.com/transmute-industries/vc-cose/blob/main/verifiable-credential.cose.json

Here is a shareable link that decodes the example test vector into a "JOSE like" JSON representation for readability:

https://v.gluecose.org/#pako:eJy71BLhsZglQiWjpKSg2EpfP7UiMbcgJ1UvNaVUP7O4uDS1qFjf0EQ5O7VS14BRjblCOrGgICczObEkMz9PP7koNSU1ryQzMUc7qzg_b8ENh0jG6dVKDsn5eSWpFSVKVtFKMHPLy8v1yo318ovS9Y0MDC2QtBbrlxkq6RClEOo4sI5YHaXMFCUrsD40dyNrMTY3NgKaXlJZkApyTlhqUWZaZmJSTqozXBFQOjQvswzo08ySSpfU9KJUZEmQPeBwgNqFO5CUICoT85JTXRJLgNYpAT1goGtgCEQhhpZWRsZWRiZRQFUI9wWXJmWlJgMDqhrimZTMFCuo4VaGRsZAtSlg94AUQLyg5JSYnJGak18EcShQRV5iLrK4Qn6aQnByZirQFQqJeSkKjkUlxUq1tbURDpnt8p5Cyq5yE2xkdsm43w7P5Aj7dHDhLjVLpvhTbCnrUw3a_Rfc2rJDsmCbWdNN3xDu7wVPKtxmMFpHGuoHXkhJPAIAXHHB0A


And here is the same verifiable credential payload shared in a way that clearly demonstrates the information
the issuer intended to protect by using a JWS or a COSE Sign1 to sign the JSON serialization of the credential,

WITHOUT performing any JSON-LD processing... and yet, the data is still valid JSON-LD that can be converted to
N-Quads / or used with SPARQL or other W3C Standards, should a holder wish to leverage those W3C Standards along side the current W3C Verifiable Credentials Data Model.

https://v.jsld.org/DFeanbohH5SCpwRdw4RWPysbt73ysfXJy2E8zovAiNTQ2gjfDhM6mFYKcXzWFty3BD86DaBUSeFZLsakxgqEmqR62bxA68yF4XeCNG99YWGM84HCCo7tNLApjRnp5zWbNaS6XpHATx7pjvqZM77E69TwPzPkdECpGQioE9FeULcRz2srNVheCJLMrPVtVpcyJWTncKXBds1EKe93JvnM2hKTvL2MSPZAZ3iPJS5BvaHdhepaEnLNpPW7B5nezBqxqSyYwhwQDG7N3gfqGEWCxwfh7vZxkqDT52f5CS9Eqvy71kqwqs8LN4BEe1acEE2278KmE13e6Jc7jUEyRCEgKHYisU9dtj9q6jYDQE


I hope this demonstrates several things and will allow us to proceed with the important work we have ahead of us as a WG.

1. Issuers and verifiers can protect and verify the integrity of a W3C Verifiable Credential without performing ANY JSON-LD Processing, or RDF Data Set Normalization.
2. JOSE and COSE are well suited to securing JSON (and CBOR) based data models and there are implementations in many languages that can easily be used to implement the basic requirements of issuance and verification.
3. The W3C VC Data Model has great interoperability (which should be preserved) with other W3C Standards such as ActivityPub (used by Mastodon), SPARQL, JSON-LD and RDF.

If there is interest in adopting these 2 JOSE and COSE based security suites for securing W3C Verifiable Credentials please indicate your interest by responding to the message.

Regards,

OS

--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<http://www.transmute.industries>

[https://drive.google.com/a/transmute.industries/uc?id=1hbftCJoB5KdeV_kzj4eeyS28V3zS9d9c&export=download]<https://www.transmute.industries/>


--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<http://www.transmute.industries>

[https://drive.google.com/a/transmute.industries/uc?id=1hbftCJoB5KdeV_kzj4eeyS28V3zS9d9c&export=download]<https://www.transmute.industries/>
Received on Tuesday, 6 December 2022 21:50:03 UTC