8.2 Content Integrity Protection #494
Comments
It is unclear to me how using a JWT to sign a property whose value is a URL guarantees the integrity of the content located at that URL. Could you help me understand this?
If this is a JWT and what is pointed to via URL is a JWT, you have integrity protection.
Ah, thank you. So as long as the URLs are "JWTs all the way down" there isn't a problem with content integrity. I think the content integrity protection section should probably be updated to point out that fact.
This is not quite the case, though, which is what I think @brentzundel's concern was. JWTs provide integrity protection of their payload, but not of the binding between a URL and the contents of a particular document. The latter type of binding requires a separate mechanism such as Hashlinks.
@dmitrizagidulin I don't see the requirement for this linkage for integrity protection in the specification at all.
WG resolution: https://www.w3.org/2019/04/02-vcwg-minutes.html#resolution05 Will close 7 days from today if no additional concerns or evidence are raised by then in this issue.
@stonematt So when using just JWT as claims your statement is false as it provides content integrity, so my concerns remain.
@nadalin could you help me understand the mechanism by which JWTs provide content integrity protection for the content of outgoing links?
@brentzundel Not all claims will have outgoing links; the links are protected by JWS but not the contents of the links.
Okay, I think we've been talking past each other. There is no question in the WG that JWTs provide integrity protection for the contents of the VCs that are serialized as JWTs. This section specifically addresses the fact that content integrity protection may be necessary for the contents of links and makes some non-normative statements about that.
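The distinction the thread converges on, as an added example that is not part of the original discussion or of the specification: a JWS over a payload containing a URL keeps verifying when the document behind that URL changes, while a digest of the document carried inside the signed payload detects the change. The key, URL, documents and the `sha256` claim name are constructed for the demo, and the plain hex digest is a simplified stand-in for a mechanism such as Hashlinks, not its actual encoding.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"               # constructed HS256 key
URL = "https://example.com/schema.json"     # constructed link target
ORIGINAL = b'{"type": "object"}'            # constructed document at URL
TAMPERED = b'{"type": "anything"}'          # same URL, different bytes

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jws(payload: dict) -> str:
    """Compact JWS (HS256) over the JSON payload."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(payload).encode())
    mac = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64u(mac)}"

def verify_jws(token: str) -> dict:
    """Return the payload if the signature verifies, else raise ValueError."""
    header, body, sig = token.split(".")
    # Algorithm is pinned to HS256; the header's "alg" is never consulted.
    mac = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64u_decode(sig)):
        raise ValueError("JWS signature mismatch")
    return json.loads(b64u_decode(body))

def linked_content_ok(token: str, fetch) -> bool:
    """True only if the JWS verifies AND the fetched bytes match a signed digest."""
    claims = verify_jws(token)
    signed_digest = claims.get("sha256")    # hypothetical claim name
    if signed_digest is None:
        return False                        # URL is signed, its content is not
    fetched = fetch(claims["url"])          # fetch is injected so the demo runs offline
    return hashlib.sha256(fetched).hexdigest() == signed_digest

url_only = sign_jws({"url": URL})
with_digest = sign_jws({"url": URL, "sha256": hashlib.sha256(ORIGINAL).hexdigest()})

if __name__ == "__main__":
    serve_tampered = lambda url: TAMPERED
    print(verify_jws(url_only)["url"] == URL)              # signature check never sees the document
    print(linked_content_ok(with_digest, serve_tampered))  # digest comparison sees the swap
```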
I believe this issue has been resolved with the additional explanation provided by @brentzundel, and no further comments have come in over the past 19 days. Closing.
This is another reason to not make the @context mandatory; this is not needed when using JWT/CWT.