8.2 Content Integrity Protection

[nadalin]

This is another reason to no make the @context mandatory, this is not needed when using JWT/CWT.

[brentzundel]

It is unclear to me how using a JWT to sign a property whose value is a URL, guarantees the integrity of the content located at that URL. Could you help me understand this?

[nadalin]

If this is a JWT and what is pointed to via URL is a JWT you have integrity protection

[brentzundel]

Ah, thank you. So as long as the URLs are "JWTS all the way down" there isn't a problem with content integrity. I think the content integrity protection section should probably be updated to point out that fact.

[dmitrizagidulin]

@nadalin

If this is a JWT and what is pointed to via URL is a JWT you have integrity protection

This is not quite the case, though, which is what I think what @brentzundel's concern was. JWTs provide integrity protection of their payload, but not of the binding between a URL and the contents of a particular document.

The latter type of binding requires a separate mechanism such as Hashlinks.

[brentzundel]

@nadalin, do you have a specific recommendation regarding a change you would like to see made to section 8.2?

If not, perhaps this would be better as a comment on issue #483, rather than as an issue in its own right.

[nadalin]

@dmitrizagidulin I don't see the requirement for this linkage for integrity protection in the specification at all

[stonematt]

WG resolution: https://www.w3.org/2019/04/02-vcwg-minutes.html#resolution05
RESOLUTION: The content-integrity section of the specification describes how outgoing links from a document may be protected. Issue #494 asserts that JWTs provide content-integrity protection for outgoing links, which is false.The VCWG is also supportive of the use of @context as a core part of the data model. Issue #494 should be closed with no changes to the specification.

Will close 7 days from today if no additional concerns or evidence are raised by then in this issue.

[nadalin]

@stonematt So when using just JWT as claims your statement is false as it provides content integrity, so my concerns remain

[brentzundel]

@nadalin could you help me understand the mechanism by which JWTs provide content integrity protection for the content of outgoing links?

[nadalin]

@brentzundel Not all claims will have out going links, the links are protected by JWS but not the contents of the links

[brentzundel]

Okay, I think we've been talking past each other.

There is no question in the WG that JWTs provide integrity protection for the contents of the VCs that are serialized as JWTs.

This section specifically addresses the fact that content integrity protection may be necessary for the contents of links and makes some non-normative statements about that.

[burnburn]

I believe this issue has been resolved with the additional explanation provided by @brentzundel , and no further comments have come in over the past 19 days. Closing.