- From: Orie Steele <orie@transmute.industries>
- Date: Fri, 9 Dec 2022 07:26:31 -0600
- To: W3C VC Working Group <public-vc-wg@w3.org>
- Message-ID: <CAN8C-_KOWyN374KPNAys8YZh95yrr+kOeTMoD9To+YcKJYR_-Q@mail.gmail.com>
Friends, Building on the 2 previous proposals I have sent to the list, I'm back once again to introduce yet another way to secure the W3C Verifiable Credentials Data Model. This time with PGP: https://transmute-industries.github.io/vc-pgp Similar to previous 2 proposals: - https://transmute-industries.github.io/vc-jws - https://transmute-industries.github.io/vc-cose All 3 of these approaches treat a credential as a content type: application/credential+json And then secure that content by applying an external proof. Notice that all three approaches define a way to resolve the public key that verifies this external proof, and all three approaches avoid tampering with or transforming the credential JSON itself as part of the issuance and verification process. All three approaches do not perform any JSON-LD processing as part of issuance and verification. All three approaches could be used to secure other content types such as `application/credential+cbor` If the working group defined that content type. Simplicity is a feature. The 2 existing proof formats that are defined to secure Verifiable Credentials (Data Integrity Proofs and VC-JWT) both perform preprocessing and postprocessing on the data model that is computationally inefficient and can lead to issuer's and verifiers storing different representation of the `credential` that had been made verifiable. These 3 alternatives do not have that issue, and can lead to safer APIs, by keeping the securing proofs and data model separated cleanly. Regards, OS -- *ORIE STEELE* Chief Technical Officer www.transmute.industries <https://www.transmute.industries>
Received on Friday, 9 December 2022 13:26:55 UTC