+cose examples look wrong (diagnostic mode broken?)

[msporny]

The +cose examples that respec-vc spits out look wrong. The payload is nil, and if that's what is being signed, then all the +cose examples are wrong as well. Tagging @decentralgabe to look into fixing this (as we'll need this fixed before we go to PR).

[OR13]

nil signals detached payload per https://datatracker.ietf.org/doc/html/rfc8152#section-2

You can decide if you want to show examples that embed the payload, or leave the payload detached.

I think detached does a better job of showing the media type for the payload is different than the media type for the envelope.

[decentralgabe]

I would prefer to keep as-is for simplicity

[msporny]

Hmm, that's not what the vc-jose-cose spec says ... in fact, it doesn't say anything normatively about the payload. If the payload is detached, it isn't clear how you verify or what an application needs to do. We're going to have to tighten that language up in the vc-jose-cose spec. I'll raise an issue there.

To be specific about my concern, the spec says this today:

A conforming COSE issuer implementation MUST use COSE_Sign1 as specified in [RFC9052] to secure this media type. The unsecured verifiable credential is the unencoded COSE_Sign1 payload.

Which seems to indicate that detached payloads are not supported (which is the right call, IMHO).

[decentralgabe]

Simplest fix seems to be:

1. don't support detached payloads (278)
2. update cose examples here to include payloads

[OR13]

Verification of COSE requires you to read the COSE RFC.

In proof sets, a data integrity proof is a detached signature, which is embedded in a JSON-LD document.

You need to read the data integrity proofs spec to know how to verify it.

I've mentioned this to Gabe a few times, but randomly regenerating examples is not good for technical recommendations.

The content should be immutable, and examples should not change when the page is reloaded.

[decentralgabe]

#33