Re: Verifiable Credentials with PGP

All 3 specs assume a content type of `application/credential+json`.

None of the specs require or recommend any form of canonicalization.

OS



On Mon, Dec 12, 2022 at 4:31 PM Dmitri Zagidulin <dzagidulin@gmail.com>
wrote:

> Hi Orie,
> Question about all 3 specs (vc-jws, vc-cose, vc-pgp) -- do any of them
> perform any sort of canonicalization (such as JCS, since you don't want to
> do URDNA)? I couldn't quite tell from reading through the spec docs.
>
> Dmitri
>
> On Fri, Dec 9, 2022 at 8:27 AM Orie Steele <orie@transmute.industries>
> wrote:
>
>> Friends,
>>
>> Building on the 2 previous proposals I have sent to the list,
>> I'm back once again to introduce yet another way to secure the W3C
>> Verifiable Credentials Data Model.
>>
>> This time with PGP:
>>
>> https://transmute-industries.github.io/vc-pgp
>>
>> Similar to the previous 2 proposals:
>>
>> - https://transmute-industries.github.io/vc-jws
>> - https://transmute-industries.github.io/vc-cose
>>
>> All 3 of these approaches treat a credential as a content type:
>> application/credential+json
>>
>> And then secure that content by applying an external proof.
>>
>> Notice that all three approaches define a way to resolve the public key
>> that verifies this external proof,
>> and all three approaches avoid tampering with or transforming the
>> credential JSON itself as part of the issuance and verification process.
>>
>> All three approaches do not perform any JSON-LD processing as part of
>> issuance and verification.
>>
>> All three approaches could be used to secure other content types such as
>> `application/credential+cbor`
>>
>> If the working group defined that content type.
>>
>> Simplicity is a feature.
>>
>> The 2 existing proof formats that are defined to secure Verifiable
>> Credentials (Data Integrity Proofs and VC-JWT)
>> both perform preprocessing and postprocessing on the data model that is
>> computationally inefficient and can lead
>> to issuers and verifiers storing different representations of the
>> `credential` that had been made verifiable.
>>
>> These 3 alternatives do not have that issue, and can lead to safer APIs,
>> by keeping the securing proofs and data model separated cleanly.
>>
>> Regards,
>>
>> OS
>>
>>
>> --
>> *ORIE STEELE*
>> Chief Technical Officer
>> www.transmute.industries
>>
>> <https://www.transmute.industries>
>>
>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>

Received on Tuesday, 13 December 2022 00:28:14 UTC
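
Added example (not from this thread or from the vc-jws, vc-cose or vc-pgp drafts): what "no canonicalization" means for a verifier, shown with a proof computed over the exact `application/credential+json` bytes, so a parsed and re-emitted copy of the same credential no longer verifies. Assumptions: a JWS compact serialization with HS256 (RFC 7515) stands in for the drafts' proof formats because Python's standard library has no asymmetric signatures, and the key, sample credential and use of the `cty` header are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

CONTENT_TYPE = "application/credential+json"  # content type named in the thread

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def secure(credential: bytes, key: bytes) -> str:
    """Sign the credential bytes exactly as received: no parsing, no canonicalization."""
    header = json.dumps({"alg": "HS256", "cty": CONTENT_TYPE}).encode()
    signing_input = f"{b64u(header)}.{b64u(credential)}"
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64u(tag)}"

def verify(token: str, key: bytes) -> bytes:
    """Return the exact bytes the issuer secured, or raise ValueError."""
    head, payload, sig = token.split(".")  # ValueError unless exactly 3 parts
    header = json.loads(b64u_decode(head))
    # Pin the algorithm and content type; never let the token choose them.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if header.get("cty") != CONTENT_TYPE:
        raise ValueError("unexpected content type")
    expected = hmac.new(key, f"{head}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_decode(sig)):
        raise ValueError("proof does not match payload bytes")
    return b64u_decode(payload)

# Constructed sample credential and key (assumptions, not from the thread).
KEY = b"constructed-demo-key-not-a-real-secret"
RAW = b'{"type": ["VerifiableCredential"],  "issuer": "did:example:123"}'
# What a store that parses and re-emits JSON hands back: same data, different bytes.
RESERIALIZED = json.dumps(json.loads(RAW), sort_keys=True).encode()

if __name__ == "__main__":
    token = secure(RAW, KEY)
    head, _, sig = token.split(".")
    for name, body in (("original", RAW), ("reserialized", RESERIALIZED)):
        try:
            verify(f"{head}.{b64u(body)}.{sig}", KEY)
            print(name, "accepted")
        except ValueError as err:
            print(name, "rejected:", err)
```

A holder or verifier that needs to re-present the credential therefore has to store the secured bytes (or the whole token), not a parsed object.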