From 6637f154fd8b6bc3c193c4890bf031b6b51dbf5a Mon Sep 17 00:00:00 2001 From: Ivan Herman Date: Sun, 23 Oct 2022 17:08:12 -0400 Subject: [PATCH] Add HTML, JSON-LD, and TURTLE renderings for security vocabulary. --- vocab/security/vocabulary.html | 122 ++++ vocab/security/vocabulary.jsonld | 1176 ++++++++++++++++++++++++++++++ vocab/security/vocabulary.ttl | 603 +++++++++++++++ 3 files changed, 1901 insertions(+) create mode 100644 vocab/security/vocabulary.html create mode 100644 vocab/security/vocabulary.jsonld create mode 100644 vocab/security/vocabulary.ttl diff --git a/vocab/security/vocabulary.html b/vocab/security/vocabulary.html new file mode 100644 index 00000000..9e5a051d --- /dev/null +++ b/vocab/security/vocabulary.html @@ -0,0 +1,122 @@ + + + + The Security Vocabulary + + + + + + +
+

This document describes the The Security Vocabulary, i.e., + the The Security vocabulary is used to enable Internet-based applications to encrypt, decrypt, and digitally sign information expressed as Linked Data. +. +

+

Alternate versions of the vocabulary definition exist in + Turtle and + JSON-LD. +

+
+
Published:
+
Version Info:
+
2.0
+
See Also: https://www.w3.org/TR/vc-data-integrity/
+
+
+
+

+ Comments regarding this document are welcome. Please file issues + directly on GitHub, or send them to + public-vc-comments@w3.org + (subscribe, + archives). +

+
+
+

Namespaces

+

This specification makes use of the following namespaces:

+
+
sec
https://w3id.org/security/v1
cred
https://w3.org/2018/credentials#
dc
http://purl.org/dc/terms/
owl
http://www.w3.org/2002/07/owl#
rdf
http://www.w3.org/1999/02/22-rdf-syntax-ns#
rdfs
http://www.w3.org/2000/01/rdf-schema#
xsd
http://www.w3.org/2001/XMLSchema#
+
+ +
+

Class definitions

+

The following are class definitions in the sec namespace:

KeyCryptographic key

This class represents a cryptographic key that may be used for encryption, decryption, or digitally signing data.

SignatureDigital signature

This class represents a digital signature on serialized data. It is an abstract class and should not be used other than for Semantic Web reasoning purposes, such as by a reasoning agent. This class MUST NOT be used directly, but only through its subclasses.

SignatureGraphAn RDF Graph for a digital signature

Instances of this class are RDF Graphs, where each of these graphs must include exactly one Signature.

EcdsaSecp256k1Signature2019TBD.

This class represents a linked data signature suite.

See also:
ecdsa-sep256k1
Subclass of:
sec:Signature
EcdsaSecp256k1RecoverySignature2020TBD.

This class represents a linked data signature verification key.

See also:
ecdsasecp256k1recoverysignature2020
Subclass of:
sec:Key
EcdsaSecp256k1VerificationKey2019TBD.

This class represents a linked data signature verification key.

See also:
ecdsa-secp256k1
Subclass of:
sec:Key
EcdsaSecp256k1RecoveryMethod2020TBD.

This class represents a linked data signature verification key.

See also:
ecdsasecp256k1recoverymethod2020
Subclass of:
sec:Key
RsaSignature2018Signature Suite for RSA

This class represents a linked data signature suite.

See also:
RSA registry entry
Subclass of:
sec:Signature
RsaVerificationKey2018Verification Key for RSA

This class represents a linked data signature verification key.

See also:
RSA registry entry
Subclass of:
sec:Key
SchnorrSecp256k1Signature2019TBD.

This class represents a linked data signature suite.

Subclass of:
sec:Signature
SchnorrSecp256k1VerificationKey2019TBD.

This class represents a linked data signature verification key.

Subclass of:
sec:Key
ServiceEndpointProxyServiceTBD.

T.B.D.

DigestMessage digest

This class represents a message digest that may be used for data integrity verification. The digest algorithm used will determine the cryptographic properties of the digest.

EncryptedMessageEncrypted message

A class of messages that are obfuscated in some cryptographic manner. These messages are incredibly difficult to decrypt without the proper decryption key.

GraphSignature2012RDF graph signature

A graph signature is used for digital signatures on RDF graphs. The default canonicalization mechanism is specified in the RDF Graph normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature.

Subclass of:
sec:Signature
LinkedDataSignature2015Linked data signature, 2015 version

A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature.

Subclass of:
sec:Signature
LinkedDataSignature2016Linked data signature, 2016 version

A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature.

Subclass of:
sec:Signature
MerkleProof2019Merkle Proof

Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and ECDSA to perform the digital signature.

See also:
Merkle Proof 2019
Subclass of:
sec:Signature
X25519KeyAgreementKey2019X25519 Key Agreement Key 2019

This class represents a verification key.

Subclass of:
sec:Key
Ed25519VerificationKey2018ED2559 Verification Key, 2018 version

This class represents a linked data signature verification key.

See also:
eddsa-ed25519 registry entry
Subclass of:
sec:Key
Ed25519VerificationKey2020ED2559 Verification Key, 2020 version

A linked data proof suite verification method type used with `Ed25519Signature2020`.

Subclass of:
sec:Key
Ed25519Signature2020ED2559 Signature Suite, 2020 version

A linked data proof suite proof type used with the verification method type `Ed25519VerificationKey2020`

Subclass of:
sec:Signature
JsonWebKey2020JSON Web Key, 2020 version

A linked data proof suite verification method type used with `JsonWebSignature2020`

Subclass of:
sec:Key
JsonWebSignature2020JSON Web Signature, 2020 version

A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and JWS to perform the digital signature.

Subclass of:
sec:Signature
BbsBlsSignature2020BBS Signature, 2020 version

A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. Importantly, a `BbsBlsSignature` digests each of the statements produced by the normalization process individually to enable selective disclosure. The signature mechanism uses Blake2B as the digest for each statement and produces a single output digital signature.

Subclass of:
sec:Signature
BbsBlsSignatureProof2020BBS Signature Proof, 2020 version

A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. Importantly, a `BbsBlsSignatureProof2020` is in fact a proof of knowledge of an unrevealed BbsBlsSignature2020 enabling the ability to selectively reveal information from the set that was originally signed. Each of the statements produced by the normalizing process for a JSON-LD document featuring a `BbsBlsSignatureProof2020` represent statements that were originally signed in producing the `BbsBlsSignature2020` and represent the denomination under which information can be selectively disclosed. The signature mechanism uses Blake2B as the digest for each statement and produces a single output digital signature.

Subclass of:
sec:Signature
Bls12381G1Key2020BLS 12381 G1 Signature Key, 2020 version

This class represents a linked data signature key.

See also:
eddsa-ed25519 registry entry
Subclass of:
sec:Key
Bls12381G2Key2020BLS 12381 G2 Signature Key, 2020 version

This class represents a linked data signature key.

See also:
eddsa-ed25519 registry entry
Subclass of:
sec:Key
+ +
+

Property definitions

+

The following are property definitions in the sec namespace:

cipherAlgorithmCipher algorithm

The cipher algorithm describes the mechanism used to encrypt a message. It is typically a string expressing the cipher suite, the strength of the cipher, and a block cipher mode.

Range:
xsd:string
Domain:
sec:EncryptedMessage
cipherDataCipher data

Cipher data is an opaque blob of information that is used to specify an encrypted message.

Range:
xsd:string
Domain:
sec:EncryptedMessage
cipherKeyCipher key

A cipher key is a symmetric key that is used to encrypt or decrypt a piece of information. The key itself may be expressed in clear text or encrypted.

Range:
xsd:string
Domain:
sec:EncryptedMessage
digestAlgorithmDigest algorithm

The digest algorithm is used to specify the cryptographic function to use when generating the data to be digitally signed. Typically, data that is to be signed goes through three steps: 1) canonicalization, 2) digest, and 3) signature. This property is used to specify the algorithm that should be used for step 2. A signature class typically specifies a default digest method, so this property is typically used to specify information for a signature algorithm.

Range:
xsd:string
digestValueDigest value

The digest value is used to express the output of the digest algorithm expressed in Base-16 (hexadecimal) format.

Range:
xsd:string
blockchainAccountIdBlockchain account ID

A `blockchainAccountId` property is used to specify a blockchain account identifier, as per the CAIP-10Account ID Specification.

Range:
xsd:string
ethereumAddressEthereum address

An `ethereumAddress` property is used to specify the Ethereum address. As per the Ethereum Yellow Paper “Ethereum: a secure decentralised generalised transaction ledger” in consists of a prefix "0x", a common identifier for hexadecimal, concatenated with the rightmost 20 bytes of the Keccak-256 hash (big endian) of the ECDSA public key (the curve used is the so-called secp256k1). In hexadecimal, 2 digits represent a byte, meaning addresses contain 40 hexadecimal digits. The Ethereum address should also contain a checksum as per EIP-55.

See also:
EIP-55
Ethereum Yellow Paper: Ethereum: a secure decentralised generalised transaction ledger
Range:
xsd:string
expiresExpiration time

The expiration time is typically associated with a `Key` and specifies when the validity of the key will expire.

Range:
xsd:dateTime
initializationVectorInitialization vector

The initialization vector (IV) is a byte stream that is typically used to initialize certain block cipher encryption schemes. For a receiving application to be able to decrypt a message, it must know the decryption key and the initialization vector. The value is typically base-64 encoded.

Range:
xsd:string
Domain:
sec:EncryptedMessage
nonceNonce

This property is used in conjunction with the input to the signature hashing function in order to protect against replay attacks. Typically, receivers need to track all nonce values used within a certain time period in order to ensure that an attacker cannot merely re-send a compromised packet in order to execute a privileged request.

Range:
xsd:string
Domain:
sec:Signature
canonicalizationAlgorithmCanonicalization algorithm

The canonicalization algorithm is used to transform the input data into a form that can be passed to a cryptographic digest method. The digest is then digitally signed using a digital signature algorithm. Canonicalization ensures that a piece of software that is generating a digital signature is able to do so on the same set of information in a deterministic manner.

Domain:
sec:Signature
controllerController

A controller is an entity that claims control over a particular resource. Note that control is best validated as a two-way relationship where the controller claims control over a particular resource, and the resource clearly identifies its controller.
The property's value should be a URL, i.e., not a literal.

ownerOwner (deprecated)

An owner is an entity that claims control over a particular resource. Note that ownership is best validated as a two-way relationship where the owner claims ownership over a particular resource, and the resource clearly identifies its owner.
The property's value should be a URL, i.e., not a literal.

true
passwordPassword

A secret that is used to generate a key that can be used to encrypt or decrypt message. It is typically a string value.

Range:
xsd:string
privateKeyPemPEM encoded private key

A private key PEM property is used to specify the PEM-encoded version of the private key. This encoding is compatible with almost every Secure Sockets Layer library implementation and typically plugs directly into functions intializing private keys.

See also:
Privacy Enhanced Mail
Range:
xsd:string
Domain:
sec:Key
publicKeyPublic Key

A public key property is used to specify a URL that contains information about a public key.
The property's value should be a URL, i.e., not a literal.

Domain:
sec:Key
verificationMethodVerification method

A `verificationMethod` property is used to specify a URL that contains information used for proof verification.
The property's value should be a URL, i.e., not a literal.

assertionMethodAssertion method

An `assertionMethod` property is used to specify a URL that contains information about a `verificationMethod` used for assertions.
The property's value should be a URL, i.e., not a literal.

authenticationAuthentication method

An `authentication` property is used to specify a URL that contains information about a `verificationMethod` used for authentication.
The property's value should be a URL, i.e., not a literal.

capabilityDelegationCapability Delegation Method

A `capabilityDelegation` property is used to express that one or more `verificationMethods` are authorized to verify cryptographic proofs that were created for the purpose of delegating capabilities.
A `verificationMethod` may be referenced by its identifier (a URL) or expressed in full.
The aforementioned proofs are created to prove that some entity is delegating the authority to take some action to another entity. A verifier of the proof should expect the proof to express a `proofPurpose` of `capabilityDelegation` and reference a `verificationMethod` to verify it. The dereferenced `verificationMethod` MUST have a controller property that has a property of `capabilityDelegation` that references the `verificationMethod`. This indicates that the controller has authorized it for the expressed `proofPurpose`.
The property's value should be a URL, i.e., not a literal.

capabilityInvocationCapability Invocation Method

A `capabilityInvocation` property is used to express that one or more `verificationMethods` are authorized to verify cryptographic proofs that were created for the purpose of invoking capabilities.
A `verificationMethod` MAY be referenced by its identifier (a URL) or expressed in full.
The aforementioned proofs are created to prove that some entity is attempting to exercise some authority they possess to take an action. A verifier of the proof should expect the proof to express a proofPurpose of capabilityInvocation and reference a verificationMethod to verify it. The dereferenced `verificationMethod` MUST have a controller property that, when dereferenced, has a property of capabilityInvocation that references the `verificationMethod.` This indicates that the controller has authorized it for the expressed proofPurpose.
The property's value should be a URL, i.e., not a literal.

publicKeyBase58Public Key Base58

A public key Base58 property is used to specify the base58-encoded version of the public key.

Range:
xsd:string
Domain:
sec:Key
publicKeyJwkPublic key JWK

See the JOSE suite.

See also:
IANA JOSE
RFC 7517
Range:
xsd:string
Domain:
sec:Key
publicKeyPemPublic key PEM

A public key PEM property is used to specify the PEM-encoded version of the public key. This encoding is compatible with almost every Secure Sockets Layer library implementation and typically plugs directly into functions initializing public keys.

Range:
xsd:string
Domain:
sec:Key
publicKeyHexHex-encoded version of public Key

A `publicKeyHex` property is used to specify the hex-encoded version of the public key, based on section 8 of rfc4648. Hex encoding is also known as Base16 encoding.

See also:
rfc4648
Range:
xsd:string
Domain:
sec:Key
publicKeyMultibasePublic key multibase

The public key multibase property is used to specify the multibase-encoded version of a public key. The contents of the property are defined by specifications such as ED25519-2020 and listed in the Linked Data Cryptosuite Registry. Most public key type definitions are expected to:
• Specify only a single encoding base per public key type as it reduces implementation burden and increases the chances of reaching broad interoperability.
• Specify a multicodec header on the encoded public key to aid encoding and decoding applications in confirming that they are serializing and deserializing an expected public key type.
• Use compressed binary formats to ensure efficient key sizes.

See also:
multibase
ld-cryptosuite-registry
multicodec
ed25519-2020
Range:
xsd:string
Domain:
sec:Key
publicKeyServicePublic key service

The publicKeyService property is used to express the REST URL that provides public key management services.
The property's value should be a URL, i.e., not a literal.

revokedRevocation time

The revocation time is typically associated with a `Key` that has been marked as invalid as of the date and time associated with the property. Key revocations are often used when a key is compromised, such as the theft of the private key, or during the course of best-practice key rotation schedules.

Range:
xsd:dateTime
proofProof graph

The value of the `proof` property MUST identify a `SignatureGraph` (informally, it indirectly identifies a Signature contained in a separate graph). The property is used to associate a proof with a graph of information. The proof property is typically not included in the canonicalized graph that is then digested, and digitally signed.

Range:
sec:SignatureGraph
Domain:
sec:Key
jwsJson Web Signature

The jws property is used to associate a detached Json Web Signature with a proof.

See also:
Detached JSON Web Signature
Range:
sec:Signature
proofPurposeProof purpose

The` proofPurpose` property is used to associate a purpose, such as `assertionMethod` or `authentication` with a proof.

Range:
xsd:string
Domain:
sec:Signature
challengeChallenge with a proof

The challenge property is used to associate a challenge with a proof, for use with a `proofPurpose` such as `authentication`.

Range:
xsd:string
Domain:
sec:Signature
domainDomain with a proof

The `domain` property is used to associate a domain with a proof, for use with a `proofPurpose` such as `authentication`.

Range:
xsd:string
Domain:
sec:Signature
expirationDateExpiration date for proof

The `expirationDate` property is used to associate an expiration date with a proof.

Range:
xsd:dateTime
Domain:
sec:Signature
proofValueProof value

The `proofValue` property is used to associate a proof value with a proof.

Range:
xsd:string
Domain:
sec:Signature
signatureSignature

The property is used to associate a proof with a graph of information. The proof property is typically not included in the canonicalized graph that is then digested, and digitally signed.

Range:
sec:Signature
signatureValueSignature value

The signature value is used to express the output of the signature algorithm expressed in base-64 format.

Range:
xsd:string
Domain:
sec:Signature
signatureAlgorithmSignature algorithm

The signature algorithm is used to specify the cryptographic signature function to use when digitally signing the digest data. Typically, text to be signed goes through three steps: 1) canonicalization, 2) digest, and 3) signature. This property is used to specify the algorithm that should be used for step #3. A signature class typically specifies a default signature algorithm, so this property rarely needs to be used in practice when specifying digital signatures.
The property's value should be a URL, i.e., not a literal.

Domain:
sec:Signature
serviceService

Examples of specific services include discovery services, social networks, file storage services, and verifiable claim repository services.
The property's value should be a URL, i.e., not a literal.

Domain:
sec:Signature
serviceEndpointService endpoint

A network address at which a service operates on behalf of a controller. Examples of specific services include discovery services, social networks, file storage services, and verifiable claim repository services. Service endpoints might also be provided by a generalized data interchange protocol, such as extensible data interchange.
The property's value should be a URL, i.e., not a literal.

Domain:
sec:Signature
x509CertificateChainX509 Certificate chain

The x509CertificateChain property is used to associate a chain of X.509 Certificates with a proof. The value of this property is an ordered list where each value in the list is an X.509 Certificate expressed as a DER PKIX format, that is encoded with multibase using the base64pad variant. The certificate directly associated to the verification method used to verify the proof MUST be the first element in the list. Subsequent certificates in the list MAY be included where each one MUST certify the previous one.

See also:
X.509 Certificates
multibase
Range:
sec:Signature
Domain:
sec:Signature
x509CertificateFingerprintX509 Certificate fingerprint

The x509CertificateFingerprint property is used to associate an X.509 Certificate with a proof via its fingerprint. The value is a multihash encoded then multibase encoded value using the base64pad variant. It is RECOMMENDED that the fingerprint value be the SHA-256 hash of the X.509 Certificate.

See also:
X.509 Certificates
multibase
Range:
sec:Signature
Domain:
sec:Signature
allowedActionAllowed action

T.B.D.

capabilityCapability

T.B.D.

capabilityChainCapability chain

T.B.D.

capabilityActionCapability action

T.B.D.

caveatCaveat

T.B.D.

delegatorDelegator

T.B.D.

invocationTargetInvocation target

T.B.D.

invokerInvoker

T.B.D.

+ + + + + \ No newline at end of file diff --git a/vocab/security/vocabulary.jsonld b/vocab/security/vocabulary.jsonld new file mode 100644 index 00000000..836c813c --- /dev/null +++ b/vocab/security/vocabulary.jsonld 
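Review bot: several of the class and property axioms rendered in this HTML are wrong, and since this is a generated rendering the same errors will be in the Turtle and JSON-LD files, so they need fixing at the source. `EcdsaSecp256k1RecoverySignature2020` is rendered as "Subclass of: sec:Key" with the comment "This class represents a linked data signature verification key"; by its name it is a signature suite like `EcdsaSecp256k1Signature2019` and should be a subclass of `sec:Signature` with the suite comment (its key counterpart is `EcdsaSecp256k1RecoveryMethod2020`, listed just below it). `proof` is given "Domain: sec:Key", but the comment says it associates a proof with a graph of information, not with a key. `jws` has "Range: sec:Signature" although a detached JWS is a compact-serialization string, so `xsd:string` is the right range; likewise `x509CertificateChain` and `x509CertificateFingerprint` have both Range and Domain set to `sec:Signature` while their descriptions say the values are multibase-encoded strings (an ordered list of them for the chain), so the range should be `xsd:string`. `service` and `serviceEndpoint` are given "Domain: sec:Signature", yet the text says a service operates on behalf of a controller, not a signature. `Bls12381G1Key2020` and `Bls12381G2Key2020` both carry "See also: eddsa-ed25519 registry entry", a copy-paste from the Ed25519 entries that should point at the BLS registry entries. Smaller points: the see-also anchor for `EcdsaSecp256k1Signature2019` reads "ecdsa-sep256k1" (should be `secp`); three labels read "ED2559 Verification Key"/"ED2559 Signature Suite" instead of "Ed25519"; "in consists of a prefix "0x"" should be "it consists of"; "intializing private keys" should be "initializing". In the template itself, the opening sentence comes out as "This document describes the The Security Vocabulary, i.e., the The Security vocabulary is used ..." followed by a stray "." on its own line (the description is being concatenated into a sentence that already names the vocabulary), the "Published:" field renders empty even though the ontology carries a `dc:date`, and the deprecated `owner` property renders its `owl:deprecated` flag as a bare "true" with no label.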
@@ -0,0 +1,1176 @@ +{ + "@context": { + "sec": "https://w3id.org/security/v1", + "cred": "https://w3.org/2018/credentials#", + "dc": "http://purl.org/dc/terms/", + "owl": "http://www.w3.org/2002/07/owl#", + "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#", + "rdfs": "http://www.w3.org/2000/01/rdf-schema#", + "xsd": "http://www.w3.org/2001/XMLSchema#", + "dc:title": { + "@container": "@language" + }, + "dc:description": { + "@container": "@language" + }, + "dc:date": { + "@type": "xsd:date" + }, + "rdfs:comment": { + "@container": "@language" + }, + "rdfs:domain": { + "@type": "@id" + }, + "rdfs:label": { + "@container": "@language" + }, + "rdfs:range": { + "@type": "@id" + }, + "rdfs:seeAlso": { + "@type": "@id" + }, + "rdfs:subClassOf": { + "@type": "@id" + }, + "rdfs:subPropertyOf": { + "@type": "@id" + }, + "owl:equivalentClass": { + "@type": "@vocab" + }, + "owl:equivalentProperty": { + "@type": "@vocab" + }, + "owl:oneOf": { + "@container": "@list", + "@type": "@vocab" + }, + "owl:deprecated": { + "@type": "xsd:boolean" + }, + "owl:imports": { + "@type": "@id" + }, + "owl:versionInfo": { + "@type": "@id" + }, + "owl:inverseOf": { + "@type": "@vocab" + }, + "owl:unionOf": { + "@type": "@vocab", + "@container": "@list" + }, + "rdfs_classes": { + "@reverse": "rdfs:isDefinedBy", + "@type": "@id" + }, + "rdfs_properties": { + "@reverse": "rdfs:isDefinedBy", + "@type": "@id" + }, + "rdfs_instances": { + "@reverse": "rdfs:isDefinedBy", + "@type": "@id" + } + }, + "@id": "https://w3id.org/security/v1", + "@type": "owl:Ontology", + "dc:title": { + "en": "The Security Vocabulary" + }, + "dc:description": { + "en": "The Security vocabulary is used to enable Internet-based applications to encrypt, decrypt, and digitally sign information expressed as Linked Data.\n" + }, + "rdfs:seeAlso": "https://www.w3.org/TR/vc-data-integrity/", + "dc:date": "2022-10-22", + "rdfs_classes": [ + { + "@id": "sec:Key", + "@type": "rdfs:Class", + "rdfs:label": { + "en": "Cryptographic 
key" + }, + "rdfs:comment": { + "en": "This class represents a cryptographic key that may be used for encryption, decryption, or digitally signing data." + } + }, + { + "@id": "sec:Signature", + "@type": "rdfs:Class", + "rdfs:label": { + "en": "Digital signature" + }, + "rdfs:comment": { + "en": "This class represents a digital signature on serialized data. It is an abstract class and should not be used other than for Semantic Web reasoning purposes, such as by a reasoning agent. This class MUST NOT be used directly, but only through its subclasses." + } + }, + { + "@id": "sec:SignatureGraph", + "@type": "rdfs:Class", + "rdfs:label": { + "en": "An RDF Graph for a digital signature" + }, + "rdfs:comment": { + "en": "Instances of this class are RDF Graphs, where each of these graphs must include exactly one Signature." + } + }, + { + "@id": "sec:EcdsaSecp256k1Signature2019", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "TBD." + }, + "rdfs:comment": { + "en": "This class represents a linked data signature suite." + }, + "rdfs:seeAlso": [ + "https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsa-secp256k1" + ] + }, + { + "@id": "sec:EcdsaSecp256k1RecoverySignature2020", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "TBD." + }, + "rdfs:comment": { + "en": "This class represents a linked data signature verification key." + }, + "rdfs:seeAlso": [ + "https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsasecp256k1recoverysignature2020" + ] + }, + { + "@id": "sec:EcdsaSecp256k1VerificationKey2019", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "TBD." + }, + "rdfs:comment": { + "en": "This class represents a linked data signature verification key." 
+ }, + "rdfs:seeAlso": [ + "https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsa-secp256k1" + ] + }, + { + "@id": "sec:EcdsaSecp256k1RecoveryMethod2020", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "TBD." + }, + "rdfs:comment": { + "en": "This class represents a linked data signature verification key." + }, + "rdfs:seeAlso": [ + "https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsasecp256k1recoverymethod2020" + ] + }, + { + "@id": "sec:RsaSignature2018", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "Signature Suite for RSA" + }, + "rdfs:comment": { + "en": "This class represents a linked data signature suite." + }, + "rdfs:seeAlso": [ + "https://w3c-ccg.github.io/ld-cryptosuite-registry/#rsa" + ] + }, + { + "@id": "sec:RsaVerificationKey2018", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "Verification Key for RSA" + }, + "rdfs:comment": { + "en": "This class represents a linked data signature verification key." + }, + "rdfs:seeAlso": [ + "https://w3c-ccg.github.io/ld-cryptosuite-registry/#rsa" + ] + }, + { + "@id": "sec:SchnorrSecp256k1Signature2019", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "TBD." + }, + "rdfs:comment": { + "en": "This class represents a linked data signature suite." + } + }, + { + "@id": "sec:SchnorrSecp256k1VerificationKey2019", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "TBD." + }, + "rdfs:comment": { + "en": "This class represents a linked data signature verification key." + } + }, + { + "@id": "sec:ServiceEndpointProxyService", + "@type": "rdfs:Class", + "rdfs:label": { + "en": "TBD." + }, + "rdfs:comment": { + "en": "T.B.D." 
+ } + }, + { + "@id": "sec:Digest", + "@type": "rdfs:Class", + "rdfs:label": { + "en": "Message digest" + }, + "rdfs:comment": { + "en": "This class represents a message digest that may be used for data integrity verification. The digest algorithm used will determine the cryptographic properties of the digest." + } + }, + { + "@id": "sec:EncryptedMessage", + "@type": "rdfs:Class", + "rdfs:label": { + "en": "Encrypted message" + }, + "rdfs:comment": { + "en": "A class of messages that are obfuscated in some cryptographic manner. These messages are incredibly difficult to decrypt without the proper decryption key." + } + }, + { + "@id": "sec:GraphSignature2012", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "RDF graph signature" + }, + "rdfs:comment": { + "en": "A graph signature is used for digital signatures on RDF graphs. The default canonicalization mechanism is specified in the RDF Graph normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature." + } + }, + { + "@id": "sec:LinkedDataSignature2015", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "Linked data signature, 2015 version" + }, + "rdfs:comment": { + "en": "A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature." + } + }, + { + "@id": "sec:LinkedDataSignature2016", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "Linked data signature, 2016 version" + }, + "rdfs:comment": { + "en": "A Linked Data signature is used for digital signatures on RDF Datasets. 
The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature." + } + }, + { + "@id": "sec:MerkleProof2019", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "Merkle Proof" + }, + "rdfs:comment": { + "en": "Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and ECDSA to perform the digital signature." + }, + "rdfs:seeAlso": [ + "https://w3c-ccg.github.io/lds-merkle-proof-2019/" + ] + }, + { + "@id": "sec:X25519KeyAgreementKey2019", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "X25519 Key Agreement Key 2019" + }, + "rdfs:comment": { + "en": "This class represents a verification key." + } + }, + { + "@id": "sec:Ed25519VerificationKey2018", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "ED2559 Verification Key, 2018 version" + }, + "rdfs:comment": { + "en": "This class represents a linked data signature verification key." + }, + "rdfs:seeAlso": [ + "https://w3c-ccg.github.io/ld-cryptosuite-registry/#ed25519" + ] + }, + { + "@id": "sec:Ed25519VerificationKey2020", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "ED2559 Verification Key, 2020 version" + }, + "rdfs:comment": { + "en": "A linked data proof suite verification method type used with `Ed25519Signature2020`." 
+ } + }, + { + "@id": "sec:Ed25519Signature2020", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "ED2559 Signature Suite, 2020 version" + }, + "rdfs:comment": { + "en": "A linked data proof suite proof type used with the verification method type `Ed25519VerificationKey2020`" + } + }, + { + "@id": "sec:JsonWebKey2020", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "JSON Web Key, 2020 version" + }, + "rdfs:comment": { + "en": "A linked data proof suite verification method type used with `JsonWebSignature2020`" + } + }, + { + "@id": "sec:JsonWebSignature2020", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "JSON Web Signature, 2020 version" + }, + "rdfs:comment": { + "en": "A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and JWS to perform the digital signature." + } + }, + { + "@id": "sec:BbsBlsSignature2020", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "BBS Signature, 2020 version" + }, + "rdfs:comment": { + "en": "A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. Importantly, a `BbsBlsSignature` digests each of the statements produced by the normalization process individually to enable selective disclosure. The signature mechanism uses Blake2B as the digest for each statement and produces a single output digital signature." 
+ } + }, + { + "@id": "sec:BbsBlsSignatureProof2020", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Signature" + ], + "rdfs:label": { + "en": "BBS Signature Proof, 2020 version" + }, + "rdfs:comment": { + "en": "A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. Importantly, a `BbsBlsSignatureProof2020` is in fact a proof of knowledge of an unrevealed BbsBlsSignature2020 enabling the ability to selectively reveal information from the set that was originally signed. Each of the statements produced by the normalizing process for a JSON-LD document featuring a `BbsBlsSignatureProof2020` represent statements that were originally signed in producing the `BbsBlsSignature2020` and represent the denomination under which information can be selectively disclosed. The signature mechanism uses Blake2B as the digest for each statement and produces a single output digital signature." + } + }, + { + "@id": "sec:Bls12381G1Key2020", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "BLS 12381 G1 Signature Key, 2020 version" + }, + "rdfs:comment": { + "en": "This class represents a linked data signature key." + }, + "rdfs:seeAlso": [ + "https://w3c-ccg.github.io/ld-cryptosuite-registry/#ed25519" + ] + }, + { + "@id": "sec:Bls12381G2Key2020", + "@type": "rdfs:Class", + "rdfs:subClassOf": [ + "sec:Key" + ], + "rdfs:label": { + "en": "BLS 12381 G2 Signature Key, 2020 version" + }, + "rdfs:comment": { + "en": "This class represents a linked data signature key." 
+ }, + "rdfs:seeAlso": [ + "https://w3c-ccg.github.io/ld-cryptosuite-registry/#ed25519" + ] + } + ], + "rdfs_properties": [ + { + "@id": "sec:cipherAlgorithm", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:EncryptedMessage", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Cipher algorithm" + }, + "rdfs:comment": { + "en": "The cipher algorithm describes the mechanism used to encrypt a message. It is typically a string expressing the cipher suite, the strength of the cipher, and a block cipher mode." + } + }, + { + "@id": "sec:cipherData", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:EncryptedMessage", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Cipher data" + }, + "rdfs:comment": { + "en": "Cipher data is an opaque blob of information that is used to specify an encrypted message." + } + }, + { + "@id": "sec:cipherKey", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:EncryptedMessage", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Cipher key" + }, + "rdfs:comment": { + "en": "A cipher key is a symmetric key that is used to encrypt or decrypt a piece of information. The key itself may be expressed in clear text or encrypted." + } + }, + { + "@id": "sec:digestAlgorithm", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Digest algorithm" + }, + "rdfs:comment": { + "en": "The digest algorithm is used to specify the cryptographic function to use when generating the data to be digitally signed. Typically, data that is to be signed goes through three steps: 1) canonicalization, 2) digest, and 3) signature. This property is used to specify the algorithm that should be used for step 2. A signature class typically specifies a default digest method, so this property is typically used to specify information for a signature algorithm." 
+ } + }, + { + "@id": "sec:digestValue", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Digest value" + }, + "rdfs:comment": { + "en": "The digest value is used to express the output of the digest algorithm expressed in Base-16 (hexadecimal) format." + } + }, + { + "@id": "sec:blockchainAccountId", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Blockchain account ID" + }, + "rdfs:comment": { + "en": "A `blockchainAccountId` property is used to specify a blockchain account identifier, as per the CAIP-10Account ID Specification." + } + }, + { + "@id": "sec:ethereumAddress", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Ethereum address" + }, + "rdfs:comment": { + "en": "An `ethereumAddress` property is used to specify the Ethereum address. As per the Ethereum Yellow Paper “Ethereum: a secure decentralised generalised transaction ledger” in consists of a prefix \"0x\", a common identifier for hexadecimal, concatenated with the rightmost 20 bytes of the Keccak-256 hash (big endian) of the ECDSA public key (the curve used is the so-called secp256k1). In hexadecimal, 2 digits represent a byte, meaning addresses contain 40 hexadecimal digits. The Ethereum address should also contain a checksum as per EIP-55." + }, + "rdfs:seeAlso": [ + "https://eips.ethereum.org/EIPS/eip-55", + "https://ethereum.github.io/yellowpaper/paper.pdf" + ] + }, + { + "@id": "sec:expires", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:range": "xsd:dateTime", + "rdfs:label": { + "en": "Expiration time" + }, + "rdfs:comment": { + "en": "The expiration time is typically associated with a `Key` and specifies when the validity of the key will expire." 
+ } + }, + { + "@id": "sec:initializationVector", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:EncryptedMessage", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Initialization vector" + }, + "rdfs:comment": { + "en": "The initialization vector (IV) is a byte stream that is typically used to initialize certain block cipher encryption schemes. For a receiving application to be able to decrypt a message, it must know the decryption key and the initialization vector. The value is typically base-64 encoded." + } + }, + { + "@id": "sec:nonce", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Signature", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Nonce" + }, + "rdfs:comment": { + "en": "This property is used in conjunction with the input to the signature hashing function in order to protect against replay attacks. Typically, receivers need to track all nonce values used within a certain time period in order to ensure that an attacker cannot merely re-send a compromised packet in order to execute a privileged request." + } + }, + { + "@id": "sec:canonicalizationAlgorithm", + "@type": "rdfs:Property", + "rdfs:domain": "sec:Signature", + "rdfs:label": { + "en": "Canonicalization algorithm" + }, + "rdfs:comment": { + "en": "The canonicalization algorithm is used to transform the input data into a form that can be passed to a cryptographic digest method. The digest is then digitally signed using a digital signature algorithm. Canonicalization ensures that a piece of software that is generating a digital signature is able to do so on the same set of information in a deterministic manner." + } + }, + { + "@id": "sec:controller", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:range": [], + "rdfs:label": { + "en": "Controller" + }, + "rdfs:comment": { + "en": "A controller is an entity that claims control over a particular resource. 
Note that control is best validated as a two-way relationship where the controller claims control over a particular resource, and the resource clearly identifies its controller." + } + }, + { + "@id": "sec:owner", + "@type": [ + "rdf:Property", + "owl:DeprecatedProperty", + "owl:ObjectProperty" + ], + "owl:deprecated": true, + "rdfs:range": [], + "rdfs:label": { + "en": "Owner" + }, + "rdfs:comment": { + "en": "An owner is an entity that claims control over a particular resource. Note that ownership is best validated as a two-way relationship where the owner claims ownership over a particular resource, and the resource clearly identifies its owner." + } + }, + { + "@id": "sec:password", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Password" + }, + "rdfs:comment": { + "en": "A secret that is used to generate a key that can be used to encrypt or decrypt message. It is typically a string value." + } + }, + { + "@id": "sec:privateKeyPem", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Key", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "PEM encoded private key" + }, + "rdfs:comment": { + "en": "A private key PEM property is used to specify the PEM-encoded version of the private key. This encoding is compatible with almost every Secure Sockets Layer library implementation and typically plugs directly into functions intializing private keys." + }, + "rdfs:seeAlso": [ + "http://en.wikipedia.org/wiki/Privacy_Enhanced_Mail" + ] + }, + { + "@id": "sec:publicKey", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:domain": "sec:Key", + "rdfs:range": [], + "rdfs:label": { + "en": "Public Key" + }, + "rdfs:comment": { + "en": "A public key property is used to specify a URL that contains information about a public key." 
+ } + }, + { + "@id": "sec:verificationMethod", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:range": [], + "rdfs:label": { + "en": "Verification method" + }, + "rdfs:comment": { + "en": "A `verificationMethod` property is used to specify a URL that contains information used for proof verification." + } + }, + { + "@id": "sec:assertionMethod", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:range": [], + "rdfs:label": { + "en": "Assertion method" + }, + "rdfs:comment": { + "en": "An `assertionMethod` property is used to specify a URL that contains information about a `verificationMethod` used for assertions." + } + }, + { + "@id": "sec:authentication", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:range": [], + "rdfs:label": { + "en": "Authentication method" + }, + "rdfs:comment": { + "en": "An `authentication` property is used to specify a URL that contains information about a `verificationMethod` used for authentication." + } + }, + { + "@id": "sec:capabilityDelegation", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:range": [], + "rdfs:label": { + "en": "Capability Delegation Method" + }, + "rdfs:comment": { + "en": "A `capabilityDelegation` property is used to express that one or more `verificationMethods` are authorized to verify cryptographic proofs that were created for the purpose of delegating capabilities.\nA `verificationMethod` may be referenced by its identifier (a URL) or expressed in full.\nThe aforementioned proofs are created to prove that some entity is delegating the authority to take some action to another entity. A verifier of the proof should expect the proof to express a `proofPurpose` of `capabilityDelegation` and reference a `verificationMethod` to verify it. The dereferenced `verificationMethod` MUST have a controller property that has a property of `capabilityDelegation` that references the `verificationMethod`. 
This indicates that the controller has authorized it for the expressed `proofPurpose`." + } + }, + { + "@id": "sec:capabilityInvocation", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:range": [], + "rdfs:label": { + "en": "Capability Invocation Method" + }, + "rdfs:comment": { + "en": "A `capabilityInvocation` property is used to express that one or more `verificationMethods` are authorized to verify cryptographic proofs that were created for the purpose of invoking capabilities.\nA `verificationMethod` MAY be referenced by its identifier (a URL) or expressed in full.\nThe aforementioned proofs are created to prove that some entity is attempting to exercise some authority they possess to take an action. A verifier of the proof should expect the proof to express a proofPurpose of capabilityInvocation and reference a verificationMethod to verify it. The dereferenced `verificationMethod` MUST have a controller property that, when dereferenced, has a property of capabilityInvocation that references the `verificationMethod.` This indicates that the controller has authorized it for the expressed proofPurpose." + } + }, + { + "@id": "sec:publicKeyBase58", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Key", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Public Key Base58" + }, + "rdfs:comment": { + "en": "A public key Base58 property is used to specify the base58-encoded version of the public key." + } + }, + { + "@id": "sec:publicKeyJwk", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Key", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Public key JWK" + }, + "rdfs:comment": { + "en": "See the JOSE suite." 
+ }, + "rdfs:seeAlso": [ + "https://www.iana.org/assignments/jose/jose.xhtml", + "https://tools.ietf.org/html/rfc7517" + ] + }, + { + "@id": "sec:publicKeyPem", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Key", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Public key PEM" + }, + "rdfs:comment": { + "en": "A public key PEM property is used to specify the PEM-encoded version of the public key. This encoding is compatible with almost every Secure Sockets Layer library implementation and typically plugs directly into functions initializing public keys." + } + }, + { + "@id": "sec:publicKeyHex", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Key", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Hex-encoded version of public Key" + }, + "rdfs:comment": { + "en": "A `publicKeyHex` property is used to specify the hex-encoded version of the public key, based on section 8 of rfc4648. Hex encoding is also known as Base16 encoding." + }, + "rdfs:seeAlso": [ + "https://tools.ietf.org/html/rfc4648#section-8" + ] + }, + { + "@id": "sec:publicKeyMultibase", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Key", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Public key multibase" + }, + "rdfs:comment": { + "en": "The public key multibase property is used to specify the multibase-encoded version of a public key. The contents of the property are defined by specifications such as ED25519-2020 and listed in the Linked Data Cryptosuite Registry. 
Most public key type definitions are expected to:\n• Specify only a single encoding base per public key type as it reduces implementation burden and increases the chances of reaching broad interoperability.\n• Specify a multicodec header on the encoded public key to aid encoding and decoding applications in confirming that they are serializing and deserializing an expected public key type.\n• Use compressed binary formats to ensure efficient key sizes." + }, + "rdfs:seeAlso": [ + "https://datatracker.ietf.org/doc/html/draft-multiformats-multibase-03", + "https://w3c-ccg.github.io/ld-cryptosuite-registry/", + "https://github.com/multiformats/multicodec/blob/master/table.csv", + "https://w3c-ccg.github.io/lds-ed25519-2020/" + ] + }, + { + "@id": "sec:publicKeyService", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:range": [], + "rdfs:label": { + "en": "Public key service" + }, + "rdfs:comment": { + "en": "The publicKeyService property is used to express the REST URL that provides public key management services." + } + }, + { + "@id": "sec:revoked", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:range": "xsd:dateTime", + "rdfs:label": { + "en": "Revocation time" + }, + "rdfs:comment": { + "en": "The revocation time is typically associated with a `Key` that has been marked as invalid as of the date and time associated with the property. Key revocations are often used when a key is compromised, such as the theft of the private key, or during the course of best-practice key rotation schedules." + } + }, + { + "@id": "sec:proof", + "@type": "rdfs:Property", + "rdfs:domain": "sec:Key", + "rdfs:range": "sec:SignatureGraph", + "rdfs:label": { + "en": "Proof graph" + }, + "rdfs:comment": { + "en": "The value of the `proof` property MUST identify a `SignatureGraph` (informally, it indirectly identifies a Signature contained in a separate graph). The property is used to associate a proof with a graph of information. 
The proof property is typically not included in the canonicalized graph that is then digested, and digitally signed." + } + }, + { + "@id": "sec:jws", + "@type": "rdfs:Property", + "rdfs:range": "sec:Signature", + "rdfs:label": { + "en": "Json Web Signature" + }, + "rdfs:comment": { + "en": "The jws property is used to associate a detached Json Web Signature with a proof." + }, + "rdfs:seeAlso": [ + "https://tools.ietf.org/html/rfc7797" + ] + }, + { + "@id": "sec:proofPurpose", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Signature", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Proof purpose" + }, + "rdfs:comment": { + "en": "The` proofPurpose` property is used to associate a purpose, such as `assertionMethod` or `authentication` with a proof." + } + }, + { + "@id": "sec:challenge", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Signature", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Challenge with a proof" + }, + "rdfs:comment": { + "en": "The challenge property is used to associate a challenge with a proof, for use with a `proofPurpose` such as `authentication`." + } + }, + { + "@id": "sec:domain", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Signature", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Domain with a proof" + }, + "rdfs:comment": { + "en": "The `domain` property is used to associate a domain with a proof, for use with a `proofPurpose` such as `authentication`." + } + }, + { + "@id": "sec:expirationDate", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Signature", + "rdfs:range": "xsd:dateTime", + "rdfs:label": { + "en": "Expiration date for proof" + }, + "rdfs:comment": { + "en": "The `expirationDate` property is used to associate an expiration date with a proof." 
+ } + }, + { + "@id": "sec:proofValue", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Signature", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Proof value" + }, + "rdfs:comment": { + "en": "The `proofValue` property is used to associate a proof value with a proof." + } + }, + { + "@id": "sec:signature", + "@type": "rdfs:Property", + "rdfs:range": "sec:Signature", + "rdfs:label": { + "en": "Signature" + }, + "rdfs:comment": { + "en": "The property is used to associate a proof with a graph of information. The proof property is typically not included in the canonicalized graph that is then digested, and digitally signed." + } + }, + { + "@id": "sec:signatureValue", + "@type": [ + "rdfs:Property", + "owl:DatatypeProperty" + ], + "rdfs:domain": "sec:Signature", + "rdfs:range": "xsd:string", + "rdfs:label": { + "en": "Signature value" + }, + "rdfs:comment": { + "en": "The signature value is used to express the output of the signature algorithm expressed in base-64 format." + } + }, + { + "@id": "sec:signatureAlgorithm", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:domain": "sec:Signature", + "rdfs:range": [], + "rdfs:label": { + "en": "Signature algorithm" + }, + "rdfs:comment": { + "en": "The signature algorithm is used to specify the cryptographic signature function to use when digitally signing the digest data. Typically, text to be signed goes through three steps: 1) canonicalization, 2) digest, and 3) signature. This property is used to specify the algorithm that should be used for step #3. A signature class typically specifies a default signature algorithm, so this property rarely needs to be used in practice when specifying digital signatures." 
+ } + }, + { + "@id": "sec:service", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:domain": "sec:Signature", + "rdfs:range": [], + "rdfs:label": { + "en": "Service" + }, + "rdfs:comment": { + "en": "Examples of specific services include discovery services, social networks, file storage services, and verifiable claim repository services." + } + }, + { + "@id": "sec:serviceEndpoint", + "@type": [ + "rdfs:Property", + "owl:ObjectProperty" + ], + "rdfs:domain": "sec:Signature", + "rdfs:range": [], + "rdfs:label": { + "en": "Service endpoint" + }, + "rdfs:comment": { + "en": "A network address at which a service operates on behalf of a controller. Examples of specific services include discovery services, social networks, file storage services, and verifiable claim repository services. Service endpoints might also be provided by a generalized data interchange protocol, such as extensible data interchange." + } + }, + { + "@id": "sec:x509CertificateChain", + "@type": "rdfs:Property", + "rdfs:domain": "sec:Signature", + "rdfs:range": "sec:Signature", + "rdfs:label": { + "en": "X509 Certificate chain" + }, + "rdfs:comment": { + "en": "The x509CertificateChain property is used to associate a chain of X.509 Certificates with a proof. The value of this property is an ordered list where each value in the list is an X.509 Certificate expressed as a DER PKIX format, that is encoded with multibase using the base64pad variant. The certificate directly associated to the verification method used to verify the proof MUST be the first element in the list. Subsequent certificates in the list MAY be included where each one MUST certify the previous one." 
+ }, + "rdfs:seeAlso": [ + "https://tools.ietf.org/html/rfc5280", + "https://tools.ietf.org/id/draft-multiformats-multibase-00.html" + ] + }, + { + "@id": "sec:x509CertificateFingerprint", + "@type": "rdfs:Property", + "rdfs:domain": "sec:Signature", + "rdfs:range": "sec:Signature", + "rdfs:label": { + "en": "X509 Certificate fingerprint" + }, + "rdfs:comment": { + "en": "The x509CertificateFingerprint property is used to associate an X.509 Certificate with a proof via its fingerprint. The value is a multihash encoded then multibase encoded value using the base64pad variant. It is RECOMMENDED that the fingerprint value be the SHA-256 hash of the X.509 Certificate." + }, + "rdfs:seeAlso": [ + "https://tools.ietf.org/html/rfc5280", + "https://tools.ietf.org/id/draft-multiformats-multibase-00.html" + ] + }, + { + "@id": "sec:allowedAction", + "@type": "rdfs:Property", + "rdfs:label": { + "en": "Allowed action" + }, + "rdfs:comment": { + "en": "T.B.D." + } + }, + { + "@id": "sec:capability", + "@type": "rdfs:Property", + "rdfs:label": { + "en": "Capability" + }, + "rdfs:comment": { + "en": "T.B.D." + } + }, + { + "@id": "sec:capabilityChain", + "@type": "rdfs:Property", + "rdfs:label": { + "en": "Capability chain" + }, + "rdfs:comment": { + "en": "T.B.D." + } + }, + { + "@id": "sec:capabilityAction", + "@type": "rdfs:Property", + "rdfs:label": { + "en": "Capability action" + }, + "rdfs:comment": { + "en": "T.B.D." + } + }, + { + "@id": "sec:caveat", + "@type": "rdfs:Property", + "rdfs:label": { + "en": "Caveat" + }, + "rdfs:comment": { + "en": "T.B.D." + } + }, + { + "@id": "sec:delegator", + "@type": "rdfs:Property", + "rdfs:label": { + "en": "Delegator" + }, + "rdfs:comment": { + "en": "T.B.D." + } + }, + { + "@id": "sec:invocationTarget", + "@type": "rdfs:Property", + "rdfs:label": { + "en": "Invocation target" + }, + "rdfs:comment": { + "en": "T.B.D." 
+ } + }, + { + "@id": "sec:invoker", + "@type": "rdfs:Property", + "rdfs:label": { + "en": "Invoker" + }, + "rdfs:comment": { + "en": "T.B.D." + } + } + ] +} \ No newline at end of file diff --git a/vocab/security/vocabulary.ttl b/vocab/security/vocabulary.ttl new file mode 100644 index 00000000..f8001cff --- /dev/null +++ b/vocab/security/vocabulary.ttl 
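Review bot: The `@type` of `sec:owner` is `"rdf:Property"` while every other property in this hunk is typed `"rdfs:Property"`; RDF Schema defines `rdf:Property` and there is no `rdfs:Property` term, so the other entries should be changed to `rdf:Property` rather than `sec:owner` being aligned with them. Several ranges and domains also contradict their own comments: `sec:x509CertificateChain`, `sec:x509CertificateFingerprint` and `sec:jws` declare `"rdfs:range": "sec:Signature"` although the comments describe multibase, multihash and detached-JWS string values (suggest `xsd:string`), `sec:proof` is given `"rdfs:domain": "sec:Key"`, and `sec:service` / `sec:serviceEndpoint` are given `"rdfs:domain": "sec:Signature"` although the comment says an endpoint operates on behalf of a controller. `sec:X25519KeyAgreementKey2019` is described as "a verification key" even though it is a key agreement key, and the `rdfs:seeAlso` of `sec:Bls12381G1Key2020` / `sec:Bls12381G2Key2020` points at the `#ed25519` anchor of the cryptosuite registry. Documentation gaps worth closing before merge: the capability properties from `sec:allowedAction` through `sec:invoker` all carry `"en": "T.B.D."`, `sec:publicKeyJwk` only says "See the JOSE suite.", and the `sec:privateKeyPem` comment should state that the property is never to appear in a published document. Wording fixes: the labels read "ED2559" instead of "Ed25519" in three places, "in consists of" (ethereumAddress), "intializing" (privateKeyPem), "CAIP-10Account" (missing space) and "The` proofPurpose`" (misplaced backtick); the file also lacks a trailing newline.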
@@ -0,0 +1,603 @@ +@prefix sec: . +@prefix cred: . +@prefix dc: . +@prefix owl: . +@prefix rdf: . +@prefix rdfs: . +@prefix xsd: . + +# Ontology definition +cred: a owl:Ontology ; + dc:title """The Security Vocabulary"""@en ; + dc:description """The Security vocabulary is used to enable Internet-based applications to encrypt, decrypt, and digitally sign information expressed as Linked Data. +"""@en ; + rdfs:seeAlso ; + dc:date "2022-10-22"^^xsd:date ; +. + +# Class definitions +sec:Key a rdfs:Class ; + rdfs:label "Cryptographic key" ; + rdfs:comment """This class represents a cryptographic key that may be used for encryption, decryption, or digitally signing data."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:Signature a rdfs:Class ; + rdfs:label "Digital signature" ; + rdfs:comment """This class represents a digital signature on serialized data. It is an abstract class and should not be used other than for Semantic Web reasoning purposes, such as by a reasoning agent. This class MUST NOT be used directly, but only through its subclasses."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:SignatureGraph a rdfs:Class ; + rdfs:label "An RDF Graph for a digital signature" ; + rdfs:comment """Instances of this class are RDF Graphs, where each of these graphs must include exactly one Signature."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:EcdsaSecp256k1Signature2019 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "TBD." ; + rdfs:comment """This class represents a linked data signature suite."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + +sec:EcdsaSecp256k1RecoverySignature2020 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "TBD." ; + rdfs:comment """This class represents a linked data signature verification key."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + +sec:EcdsaSecp256k1VerificationKey2019 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "TBD." 
; + rdfs:comment """This class represents a linked data signature verification key."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + +sec:EcdsaSecp256k1RecoveryMethod2020 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "TBD." ; + rdfs:comment """This class represents a linked data signature verification key."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + +sec:RsaSignature2018 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "Signature Suite for RSA" ; + rdfs:comment """This class represents a linked data signature suite."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + +sec:RsaVerificationKey2018 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "Verification Key for RSA" ; + rdfs:comment """This class represents a linked data signature verification key."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + +sec:SchnorrSecp256k1Signature2019 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "TBD." ; + rdfs:comment """This class represents a linked data signature suite."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:SchnorrSecp256k1VerificationKey2019 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "TBD." ; + rdfs:comment """This class represents a linked data signature verification key."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:ServiceEndpointProxyService a rdfs:Class ; + rdfs:label "TBD." ; + rdfs:comment """T.B.D."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:Digest a rdfs:Class ; + rdfs:label "Message digest" ; + rdfs:comment """This class represents a message digest that may be used for data integrity verification. The digest algorithm used will determine the cryptographic properties of the digest."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:EncryptedMessage a rdfs:Class ; + rdfs:label "Encrypted message" ; + rdfs:comment """A class of messages that are obfuscated in some cryptographic manner. 
These messages are incredibly difficult to decrypt without the proper decryption key."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:GraphSignature2012 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "RDF graph signature" ; + rdfs:comment """A graph signature is used for digital signatures on RDF graphs. The default canonicalization mechanism is specified in the RDF Graph normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:LinkedDataSignature2015 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "Linked data signature, 2015 version" ; + rdfs:comment """A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:LinkedDataSignature2016 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "Linked data signature, 2016 version" ; + rdfs:comment """A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:MerkleProof2019 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "Merkle Proof" ; + rdfs:comment """Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. 
The default signature mechanism uses a SHA-256 digest and ECDSA to perform the digital signature."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + +sec:X25519KeyAgreementKey2019 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "X25519 Key Agreement Key 2019" ; + rdfs:comment """This class represents a verification key."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:Ed25519VerificationKey2018 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "ED2559 Verification Key, 2018 version" ; + rdfs:comment """This class represents a linked data signature verification key."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + +sec:Ed25519VerificationKey2020 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "ED2559 Verification Key, 2020 version" ; + rdfs:comment """A linked data proof suite verification method type used with `Ed25519Signature2020`."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:Ed25519Signature2020 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "ED2559 Signature Suite, 2020 version" ; + rdfs:comment """A linked data proof suite proof type used with the verification method type `Ed25519VerificationKey2020`"""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:JsonWebKey2020 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "JSON Web Key, 2020 version" ; + rdfs:comment """A linked data proof suite verification method type used with `JsonWebSignature2020`"""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:JsonWebSignature2020 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "JSON Web Signature, 2020 version" ; + rdfs:comment """A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and JWS to perform the digital signature."""@en ; + rdfs:isDefinedBy cred: ; +. 
+ +sec:BbsBlsSignature2020 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "BBS Signature, 2020 version" ; + rdfs:comment """A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. Importantly, a `BbsBlsSignature` digests each of the statements produced by the normalization process individually to enable selective disclosure. The signature mechanism uses Blake2B as the digest for each statement and produces a single output digital signature."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:BbsBlsSignatureProof2020 a rdfs:Class ; + rdfs:subClassOf sec:Signature ; + rdfs:label "BBS Signature Proof, 2020 version" ; + rdfs:comment """A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. Importantly, a `BbsBlsSignatureProof2020` is in fact a proof of knowledge of an unrevealed BbsBlsSignature2020 enabling the ability to selectively reveal information from the set that was originally signed. Each of the statements produced by the normalizing process for a JSON-LD document featuring a `BbsBlsSignatureProof2020` represent statements that were originally signed in producing the `BbsBlsSignature2020` and represent the denomination under which information can be selectively disclosed. The signature mechanism uses Blake2B as the digest for each statement and produces a single output digital signature."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:Bls12381G1Key2020 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "BLS 12381 G1 Signature Key, 2020 version" ; + rdfs:comment """This class represents a linked data signature key."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. 
+ +sec:Bls12381G2Key2020 a rdfs:Class ; + rdfs:subClassOf sec:Key ; + rdfs:label "BLS 12381 G2 Signature Key, 2020 version" ; + rdfs:comment """This class represents a linked data signature key."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + + + +# Property definitions +sec:cipherAlgorithm a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:EncryptedMessage ; + rdfs:range xsd:string ; + rdfs:label "Cipher algorithm" ; + rdfs:comment """The cipher algorithm describes the mechanism used to encrypt a message. It is typically a string expressing the cipher suite, the strength of the cipher, and a block cipher mode."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:cipherData a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:EncryptedMessage ; + rdfs:range xsd:string ; + rdfs:label "Cipher data" ; + rdfs:comment """Cipher data is an opaque blob of information that is used to specify an encrypted message."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:cipherKey a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:EncryptedMessage ; + rdfs:range xsd:string ; + rdfs:label "Cipher key" ; + rdfs:comment """A cipher key is a symmetric key that is used to encrypt or decrypt a piece of information. The key itself may be expressed in clear text or encrypted."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:digestAlgorithm a rdfs:Property, owl:DatatypeProperty ; + rdfs:range xsd:string ; + rdfs:label "Digest algorithm" ; + rdfs:comment """The digest algorithm is used to specify the cryptographic function to use when generating the data to be digitally signed. Typically, data that is to be signed goes through three steps: 1) canonicalization, 2) digest, and 3) signature. This property is used to specify the algorithm that should be used for step 2. A signature class typically specifies a default digest method, so this property is typically used to specify information for a signature algorithm."""@en ; + rdfs:isDefinedBy cred: ; +. 
+ +sec:digestValue a rdfs:Property, owl:DatatypeProperty ; + rdfs:range xsd:string ; + rdfs:label "Digest value" ; + rdfs:comment """The digest value is used to express the output of the digest algorithm expressed in Base-16 (hexadecimal) format."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:blockchainAccountId a rdfs:Property, owl:DatatypeProperty ; + rdfs:range xsd:string ; + rdfs:label "Blockchain account ID" ; + rdfs:comment """A `blockchainAccountId` property is used to specify a blockchain account identifier, as per the CAIP-10Account ID Specification."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:ethereumAddress a rdfs:Property, owl:DatatypeProperty ; + rdfs:range xsd:string ; + rdfs:label "Ethereum address" ; + rdfs:comment """An `ethereumAddress` property is used to specify the Ethereum address. As per the Ethereum Yellow Paper “Ethereum: a secure decentralised generalised transaction ledger” in consists of a prefix "0x", a common identifier for hexadecimal, concatenated with the rightmost 20 bytes of the Keccak-256 hash (big endian) of the ECDSA public key (the curve used is the so-called secp256k1). In hexadecimal, 2 digits represent a byte, meaning addresses contain 40 hexadecimal digits. The Ethereum address should also contain a checksum as per EIP-55."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso , ; +. + +sec:expires a rdfs:Property, owl:DatatypeProperty ; + rdfs:range xsd:dateTime ; + rdfs:label "Expiration time" ; + rdfs:comment """The expiration time is typically associated with a `Key` and specifies when the validity of the key will expire."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:initializationVector a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:EncryptedMessage ; + rdfs:range xsd:string ; + rdfs:label "Initialization vector" ; + rdfs:comment """The initialization vector (IV) is a byte stream that is typically used to initialize certain block cipher encryption schemes. 
For a receiving application to be able to decrypt a message, it must know the decryption key and the initialization vector. The value is typically base-64 encoded."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:nonce a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Signature ; + rdfs:range xsd:string ; + rdfs:label "Nonce" ; + rdfs:comment """This property is used in conjunction with the input to the signature hashing function in order to protect against replay attacks. Typically, receivers need to track all nonce values used within a certain time period in order to ensure that an attacker cannot merely re-send a compromised packet in order to execute a privileged request."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:canonicalizationAlgorithm a rdfs:Property ; + rdfs:domain sec:Signature ; + rdfs:label "Canonicalization algorithm" ; + rdfs:comment """The canonicalization algorithm is used to transform the input data into a form that can be passed to a cryptographic digest method. The digest is then digitally signed using a digital signature algorithm. Canonicalization ensures that a piece of software that is generating a digital signature is able to do so on the same set of information in a deterministic manner."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:controller a rdfs:Property, owl:ObjectProperty ; + rdfs:range ; + rdfs:label "Controller" ; + rdfs:comment """A controller is an entity that claims control over a particular resource. Note that control is best validated as a two-way relationship where the controller claims control over a particular resource, and the resource clearly identifies its controller."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:owner a rdf:Property, owl:DeprecatedProperty, owl:ObjectProperty ; + owl:deprecated true ; + rdfs:range ; + rdfs:label "Owner" ; + rdfs:comment """An owner is an entity that claims control over a particular resource. 
Note that ownership is best validated as a two-way relationship where the owner claims ownership over a particular resource, and the resource clearly identifies its owner."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:password a rdfs:Property, owl:DatatypeProperty ; + rdfs:range xsd:string ; + rdfs:label "Password" ; + rdfs:comment """A secret that is used to generate a key that can be used to encrypt or decrypt message. It is typically a string value."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:privateKeyPem a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Key ; + rdfs:range xsd:string ; + rdfs:label "PEM encoded private key" ; + rdfs:comment """A private key PEM property is used to specify the PEM-encoded version of the private key. This encoding is compatible with almost every Secure Sockets Layer library implementation and typically plugs directly into functions intializing private keys."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + +sec:publicKey a rdfs:Property, owl:ObjectProperty ; + rdfs:domain sec:Key ; + rdfs:range ; + rdfs:label "Public Key" ; + rdfs:comment """A public key property is used to specify a URL that contains information about a public key."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:verificationMethod a rdfs:Property, owl:ObjectProperty ; + rdfs:range ; + rdfs:label "Verification method" ; + rdfs:comment """A `verificationMethod` property is used to specify a URL that contains information used for proof verification."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:assertionMethod a rdfs:Property, owl:ObjectProperty ; + rdfs:range ; + rdfs:label "Assertion method" ; + rdfs:comment """An `assertionMethod` property is used to specify a URL that contains information about a `verificationMethod` used for assertions."""@en ; + rdfs:isDefinedBy cred: ; +. 
+ +sec:authentication a rdfs:Property, owl:ObjectProperty ; + rdfs:range ; + rdfs:label "Authentication method" ; + rdfs:comment """An `authentication` property is used to specify a URL that contains information about a `verificationMethod` used for authentication."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:capabilityDelegation a rdfs:Property, owl:ObjectProperty ; + rdfs:range ; + rdfs:label "Capability Delegation Method" ; + rdfs:comment """A `capabilityDelegation` property is used to express that one or more `verificationMethods` are authorized to verify cryptographic proofs that were created for the purpose of delegating capabilities. +A `verificationMethod` may be referenced by its identifier (a URL) or expressed in full. +The aforementioned proofs are created to prove that some entity is delegating the authority to take some action to another entity. A verifier of the proof should expect the proof to express a `proofPurpose` of `capabilityDelegation` and reference a `verificationMethod` to verify it. The dereferenced `verificationMethod` MUST have a controller property that has a property of `capabilityDelegation` that references the `verificationMethod`. This indicates that the controller has authorized it for the expressed `proofPurpose`."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:capabilityInvocation a rdfs:Property, owl:ObjectProperty ; + rdfs:range ; + rdfs:label "Capability Invocation Method" ; + rdfs:comment """A `capabilityInvocation` property is used to express that one or more `verificationMethods` are authorized to verify cryptographic proofs that were created for the purpose of invoking capabilities. +A `verificationMethod` MAY be referenced by its identifier (a URL) or expressed in full. +The aforementioned proofs are created to prove that some entity is attempting to exercise some authority they possess to take an action. 
A verifier of the proof should expect the proof to express a proofPurpose of capabilityInvocation and reference a verificationMethod to verify it. The dereferenced `verificationMethod` MUST have a controller property that, when dereferenced, has a property of capabilityInvocation that references the `verificationMethod.` This indicates that the controller has authorized it for the expressed proofPurpose."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:publicKeyBase58 a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Key ; + rdfs:range xsd:string ; + rdfs:label "Public Key Base58" ; + rdfs:comment """A public key Base58 property is used to specify the base58-encoded version of the public key."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:publicKeyJwk a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Key ; + rdfs:range xsd:string ; + rdfs:label "Public key JWK" ; + rdfs:comment """See the JOSE suite."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso , ; +. + +sec:publicKeyPem a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Key ; + rdfs:range xsd:string ; + rdfs:label "Public key PEM" ; + rdfs:comment """A public key PEM property is used to specify the PEM-encoded version of the public key. This encoding is compatible with almost every Secure Sockets Layer library implementation and typically plugs directly into functions initializing public keys."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:publicKeyHex a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Key ; + rdfs:range xsd:string ; + rdfs:label "Hex-encoded version of public Key" ; + rdfs:comment """A `publicKeyHex` property is used to specify the hex-encoded version of the public key, based on section 8 of rfc4648. Hex encoding is also known as Base16 encoding."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. 
+ +sec:publicKeyMultibase a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Key ; + rdfs:range xsd:string ; + rdfs:label "Public key multibase" ; + rdfs:comment """The public key multibase property is used to specify the multibase-encoded version of a public key. The contents of the property are defined by specifications such as ED25519-2020 and listed in the Linked Data Cryptosuite Registry. Most public key type definitions are expected to: +• Specify only a single encoding base per public key type as it reduces implementation burden and increases the chances of reaching broad interoperability. +• Specify a multicodec header on the encoded public key to aid encoding and decoding applications in confirming that they are serializing and deserializing an expected public key type. +• Use compressed binary formats to ensure efficient key sizes."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso , , , ; +. + +sec:publicKeyService a rdfs:Property, owl:ObjectProperty ; + rdfs:range ; + rdfs:label "Public key service" ; + rdfs:comment """The publicKeyService property is used to express the REST URL that provides public key management services."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:revoked a rdfs:Property, owl:DatatypeProperty ; + rdfs:range xsd:dateTime ; + rdfs:label "Revocation time" ; + rdfs:comment """The revocation time is typically associated with a `Key` that has been marked as invalid as of the date and time associated with the property. Key revocations are often used when a key is compromised, such as the theft of the private key, or during the course of best-practice key rotation schedules."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:proof a rdfs:Property ; + rdfs:domain sec:Key ; + rdfs:range sec:SignatureGraph ; + rdfs:label "Proof graph" ; + rdfs:comment """The value of the `proof` property MUST identify a `SignatureGraph` (informally, it indirectly identifies a Signature contained in a separate graph). 
The property is used to associate a proof with a graph of information. The proof property is typically not included in the canonicalized graph that is then digested, and digitally signed."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:jws a rdfs:Property ; + rdfs:range sec:Signature ; + rdfs:label "Json Web Signature" ; + rdfs:comment """The jws property is used to associate a detached Json Web Signature with a proof."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso ; +. + +sec:proofPurpose a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Signature ; + rdfs:range xsd:string ; + rdfs:label "Proof purpose" ; + rdfs:comment """The` proofPurpose` property is used to associate a purpose, such as `assertionMethod` or `authentication` with a proof."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:challenge a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Signature ; + rdfs:range xsd:string ; + rdfs:label "Challenge with a proof" ; + rdfs:comment """The challenge property is used to associate a challenge with a proof, for use with a `proofPurpose` such as `authentication`."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:domain a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Signature ; + rdfs:range xsd:string ; + rdfs:label "Domain with a proof" ; + rdfs:comment """The `domain` property is used to associate a domain with a proof, for use with a `proofPurpose` such as `authentication`."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:expirationDate a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Signature ; + rdfs:range xsd:dateTime ; + rdfs:label "Expiration date for proof" ; + rdfs:comment """The `expirationDate` property is used to associate an expiration date with a proof."""@en ; + rdfs:isDefinedBy cred: ; +. 
+ +sec:proofValue a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Signature ; + rdfs:range xsd:string ; + rdfs:label "Proof value" ; + rdfs:comment """The `proofValue` property is used to associate a proof value with a proof."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:signature a rdfs:Property ; + rdfs:range sec:Signature ; + rdfs:label "Signature" ; + rdfs:comment """The property is used to associate a proof with a graph of information. The proof property is typically not included in the canonicalized graph that is then digested, and digitally signed."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:signatureValue a rdfs:Property, owl:DatatypeProperty ; + rdfs:domain sec:Signature ; + rdfs:range xsd:string ; + rdfs:label "Signature value" ; + rdfs:comment """The signature value is used to express the output of the signature algorithm expressed in base-64 format."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:signatureAlgorithm a rdfs:Property, owl:ObjectProperty ; + rdfs:domain sec:Signature ; + rdfs:range ; + rdfs:label "Signature algorithm" ; + rdfs:comment """The signature algorithm is used to specify the cryptographic signature function to use when digitally signing the digest data. Typically, text to be signed goes through three steps: 1) canonicalization, 2) digest, and 3) signature. This property is used to specify the algorithm that should be used for step #3. A signature class typically specifies a default signature algorithm, so this property rarely needs to be used in practice when specifying digital signatures."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:service a rdfs:Property, owl:ObjectProperty ; + rdfs:domain sec:Signature ; + rdfs:range ; + rdfs:label "Service" ; + rdfs:comment """Examples of specific services include discovery services, social networks, file storage services, and verifiable claim repository services."""@en ; + rdfs:isDefinedBy cred: ; +. 
+ +sec:serviceEndpoint a rdfs:Property, owl:ObjectProperty ; + rdfs:domain sec:Signature ; + rdfs:range ; + rdfs:label "Service endpoint" ; + rdfs:comment """A network address at which a service operates on behalf of a controller. Examples of specific services include discovery services, social networks, file storage services, and verifiable claim repository services. Service endpoints might also be provided by a generalized data interchange protocol, such as extensible data interchange."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:x509CertificateChain a rdfs:Property ; + rdfs:domain sec:Signature ; + rdfs:range sec:Signature ; + rdfs:label "X509 Certificate chain" ; + rdfs:comment """The x509CertificateChain property is used to associate a chain of X.509 Certificates with a proof. The value of this property is an ordered list where each value in the list is an X.509 Certificate expressed as a DER PKIX format, that is encoded with multibase using the base64pad variant. The certificate directly associated to the verification method used to verify the proof MUST be the first element in the list. Subsequent certificates in the list MAY be included where each one MUST certify the previous one."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso , ; +. + +sec:x509CertificateFingerprint a rdfs:Property ; + rdfs:domain sec:Signature ; + rdfs:range sec:Signature ; + rdfs:label "X509 Certificate fingerprint" ; + rdfs:comment """The x509CertificateFingerprint property is used to associate an X.509 Certificate with a proof via its fingerprint. The value is a multihash encoded then multibase encoded value using the base64pad variant. It is RECOMMENDED that the fingerprint value be the SHA-256 hash of the X.509 Certificate."""@en ; + rdfs:isDefinedBy cred: ; + rdfs:seeAlso , ; +. + +sec:allowedAction a rdfs:Property ; + rdfs:label "Allowed action" ; + rdfs:comment """T.B.D."""@en ; + rdfs:isDefinedBy cred: ; +. 
+ +sec:capability a rdfs:Property ; + rdfs:label "Capability" ; + rdfs:comment """T.B.D."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:capabilityChain a rdfs:Property ; + rdfs:label "Capability chain" ; + rdfs:comment """T.B.D."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:capabilityAction a rdfs:Property ; + rdfs:label "Capability action" ; + rdfs:comment """T.B.D."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:caveat a rdfs:Property ; + rdfs:label "Caveat" ; + rdfs:comment """T.B.D."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:delegator a rdfs:Property ; + rdfs:label "Delegator" ; + rdfs:comment """T.B.D."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:invocationTarget a rdfs:Property ; + rdfs:label "Invocation target" ; + rdfs:comment """T.B.D."""@en ; + rdfs:isDefinedBy cred: ; +. + +sec:invoker a rdfs:Property ; + rdfs:label "Invoker" ; + rdfs:comment """T.B.D."""@en ; + rdfs:isDefinedBy cred: ; +. +
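Review bot: the `rdfs:range` declarations on `sec:x509CertificateChain`, `sec:x509CertificateFingerprint` and `sec:jws` in this hunk contradict their own `rdfs:comment` text: all three are declared `rdfs:range sec:Signature`, while the comments describe the values as an ordered list of multibase-encoded DER certificates, a multihash-then-multibase fingerprint string, and a detached JWS string respectively, so a reasoner would type those literals as signatures. The same mismatch applies to `sec:proof` (`rdfs:domain sec:Key`, although the comment says the property associates a proof with a graph of information) and to `sec:service` / `sec:serviceEndpoint` (`rdfs:domain sec:Signature`, although the comment says an endpoint operates on behalf of a controller). Please make those ranges `xsd:string` (or an `rdf:List` for the chain) and drop or correct the domains. Two further points in the same hunk: every property except `sec:owner` is typed `a rdfs:Property`, but RDF Schema defines `rdf:Property` and no `rdfs:Property`, so `sec:owner`'s `a rdf:Property, owl:DeprecatedProperty, owl:ObjectProperty ;` is the form the other property definitions should follow; and the three labels reading "ED2559 Verification Key, 2018 version", "ED2559 Verification Key, 2020 version" and "ED2559 Signature Suite, 2020 version" should read "Ed25519" to match the class names `sec:Ed25519VerificationKey2018`, `sec:Ed25519VerificationKey2020` and `sec:Ed25519Signature2020`. Minor: the `sec:MerkleProof2019` and `sec:X25519KeyAgreementKey2019` comments look copy-pasted (a key agreement key is described as "a verification key"), the `sec:ethereumAddress` comment has "in consists of" for "it consists of", `sec:privateKeyPem` has "intializing", the backtick in "The` proofPurpose`" is misplaced, and the eight capability properties at the end of the hunk (`sec:allowedAction` through `sec:invoker`) still carry `"""T.B.D."""` comments with no domain or range, which should be filled in or marked as placeholders before this rendering is published. If it is not a rendering artifact, the object-less `rdfs:seeAlso ;` and `rdfs:range ;` statements are also not valid Turtle and will fail to parse.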