-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add JwtProof2020 to the charter #84
Comments
where in the charter would you like to see? As in input document to the data integrity deliverable? |
@Sakurann I gave 3 options, which one would you prefer? |
Am I right that this new format is neither a conformant VC nor a conformant JWT? If so, I'm pretty skeptical of trying to inject it into the set of VC-like data formats that we already have. I can't see interoperability among implementations being improved by doing so. |
It isn't clear to me what changes should be made to the charter text to resolve this issue |
I'm not sure I agree that any of the 3 items are valuable outcomes. We already have VC-JWT and JsonWebSignature2020 -- why do we need yet another JOSE format? Going through the options:
All three feel like disadvantages if standardized, with 1 being the most benign one. |
AFAIK Verite isn't intending to pass this off as a VC: see |
@OR13 to write a PR for this once we have enough feedback in this issue. |
Specifically, the charter should include language that allows us to describe |
The issue was discussed in a meeting on 2022-03-02
View the transcript5.3. Add JwtProof2020 to the charter (issue vc-wg-charter#84)See github issue vc-wg-charter#84. Brent Zundel: next up #84. Orie Steele: There is an implementation of jwt-vc at DIF that is really an "internal" format, but it looks like an external one.. Manu Sporny: A couple ways to address Orie's issues. If folks want to talk about storage, maybe that can be done in the VC-JWT spec.
Orie Steele: you got part of it right, but one of the suggestions is the JWT part of the spec could comment on this to make it intelligible..
Orie Steele: So maybe we talk about this as an implementation guide. That kind of comment, clarifying how not to do what the DIF spec is interpreted as.. Orie Steele: the best thing we could do is to comment on this format in a way that instructs and encourages contribution and removes security risks. Brent Zundel: I appreciate the conversation. My read of the charter doesn't prohibit what has been proposed, so are we asking for changes to the charter, or just anchoring future discussions.. Manu Sporny: I won't be opposed to a sentence in the charter saying that we are going to talk about storage formats..
Michael Prorock: Adding an explicit sentence just to clarify... maybe not "storage formats" per se, but we do need to clarify how JWTs and VCs relate and the implications of that.
Orie Steele: what Mike said that I think is the important highlight for interoperability, there's the credential and there is a verifiable credential..
Orie Steele: in some ways this could be solved by the VC-JWT clarifying its credential format is different from VCs.. Brent Zundel: would you be willing to raise a PR so we can continue the conversation more concretely.. Orie Steele: I would if we have engagement on the issue itself. Once we get that, i'll draft a PR. |
Per the call today, the WG will address these concerns in the VCDM2.o VC-JWT Specification. |
The issue was discussed in a meeting on 2022-03-23
View the transcript2.1. Add JwtProof2020 to the charter (issue vc-wg-charter#84)See github issue vc-wg-charter#84. Brent Zundel: Is there anything that needs to be done to the charter to address #84?. Orie Steele: Resulting from conversation in CCG. Manu Sporny: It's a good point that Orie raises..
Manu Sporny: We have examples of VC-JWTs through the spec - both unencoded and encoded. Brent Zundel: I don't think the charter needs to be changed for this to happen.
Brent Zundel: People can raise issues to ensure this is tracked..
Orie Steele: I closed the issue and left a comment on it.. |
See circlefin/verite#373
I think there are 3 potentially valuable outcomes with respect to this item.
This would be adding a section to the VC-JWT item, where we define the need to "query over claims", and describe a "decoded representation" that supports this objective, while clearly distinguishing it from the normatively defined comact JWT form of VC-JWT.
This would define a verification and signature process that combined aspects of VC-JWT with aspects of Linked Data Integrity Proofs... And most importantly, would address the security issues associated with "JwtProof2020" JSON members vs JWT claims.... since thee JSON Members are not integrity protected, a linked data suite would need to be defined to protect them.
cc @bumblefudge @mprorock @awoie @msporny
The text was updated successfully, but these errors were encountered: