- From: Dmitri Zagidulin <dzagidulin@gmail.com>
- Date: Mon, 12 Dec 2022 17:31:02 -0500
- To: Orie Steele <orie@transmute.industries>
- Cc: W3C VC Working Group <public-vc-wg@w3.org>
- Message-ID: <CANnQ-L6JviFn=f_VDfyQ=yQKmhW3giotuyh-ovmXwM32-Rpc6w@mail.gmail.com>
Hi Orie,

Question about all 3 specs (vc-jws, vc-cose, vc-pgp) -- do any of them perform any sort of canonicalization (such as JCS, since you don't want to do URDNA)? I couldn't quite tell from reading through the spec docs.

Dmitri

On Fri, Dec 9, 2022 at 8:27 AM Orie Steele <orie@transmute.industries> wrote:

> Friends,
>
> Building on the 2 previous proposals I have sent to the list,
> I'm back once again to introduce yet another way to secure the W3C
> Verifiable Credentials Data Model.
>
> This time with PGP:
>
> https://transmute-industries.github.io/vc-pgp
>
> Similar to previous 2 proposals:
>
> - https://transmute-industries.github.io/vc-jws
> - https://transmute-industries.github.io/vc-cose
>
> All 3 of these approaches treat a credential as a content type:
> application/credential+json
>
> And then secure that content by applying an external proof.
>
> Notice that all three approaches define a way to resolve the public key
> that verifies this external proof,
> and all three approaches avoid tampering with or transforming the
> credential JSON itself as part of the issuance and verification process.
>
> All three approaches do not perform any JSON-LD processing as part of
> issuance and verification.
>
> All three approaches could be used to secure other content types such as
> `application/credential+cbor`
>
> If the working group defined that content type.
>
> Simplicity is a feature.
>
> The 2 existing proof formats that are defined to secure Verifiable
> Credentials (Data Integrity Proofs and VC-JWT)
> both perform preprocessing and postprocessing on the data model that is
> computationally inefficient and can lead
> to issuers and verifiers storing different representation of the
> `credential` that had been made verifiable.
>
> These 3 alternatives do not have that issue, and can lead to safer APIs,
> by keeping the securing proofs and data model separated cleanly.
>
> Regards,
>
> OS
>
>
> --
> *ORIE STEELE*
> Chief Technical Officer
> www.transmute.industries
>
> <https://www.transmute.industries>
>
Received on Monday, 12 December 2022 22:31:33 UTC
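
The distinction the question above turns on, as an added example that is not part of the email thread or of the vc-jws, vc-cose or vc-pgp specs: a proof computed over the exact credential bytes versus one computed over a canonical form. Assumptions: HMAC-SHA256 stands in for the real signature algorithm, `canonical()` is a simplified approximation of JCS (RFC 8785), and the key and credential are constructed sample values.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a real signature

# Constructed sample credential, exactly as the issuer serialized it.
ISSUED = (
    b'{"@context": ["https://www.w3.org/2018/credentials/v1"], '
    b'"type": ["VerifiableCredential"], "issuer": "did:example:123", '
    b'"credentialSubject": {"id": "did:example:456"}}'
)


def prove(data: bytes) -> bytes:
    """External proof over a byte string (stand-in for JWS/COSE/PGP signing)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def verify(data: bytes, proof: bytes) -> bool:
    return hmac.compare_digest(prove(data), proof)


def canonical(data: bytes) -> bytes:
    """Simplified stand-in for JCS: sorted keys, no insignificant whitespace."""
    obj = json.loads(data)
    text = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def reserialize(data: bytes) -> bytes:
    """What a store or API layer does when it parses the JSON and writes it back."""
    return json.dumps(json.loads(data), indent=2, sort_keys=True).encode("utf-8")


def compare() -> dict:
    stored = reserialize(ISSUED)               # same JSON value, different bytes
    raw_proof = prove(ISSUED)                  # proof over the bytes as issued
    canon_proof = prove(canonical(ISSUED))     # proof over the canonical form
    return {
        "raw_over_issued_bytes": verify(ISSUED, raw_proof),
        "raw_over_reserialized": verify(stored, raw_proof),
        "canonical_over_reserialized": verify(canonical(stored), canon_proof),
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {ok}")
```

With a proof over raw bytes, the verifier has to keep and check the issuer's exact serialization; with a canonicalization step, any serialization of the same JSON value verifies, at the cost of both sides running the transform.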