This document describes a hypothetical alternative encoding of W3C Verifiable Credentials using JOSE.
This is an experimental specification and is undergoing regular revisions. It is not fit for production deployment.
This document does not reflect working group consensus, and its filled with flawed langauge and half baked arguments.
[[VC-DATA-MODEL]] describes a JSON-LD representation for structured claims that an issuer can make about a subject, such that interested parties may be assured of semantic precision, integrity and authenticity.
There are 3 categories of information in a Verifiable Credential:
In v1.1 we rely on JWT encodings for these categories of information which yielded a number of limitations.
In v2 we should address the requirements of the core data model in a more generic way.
We should avoid overloading terminology or conflating semantic or structured data attributes / statments/ claims with security terminology and standard properties of security serialization formats.
We should design with the the intention of supporting a wider family of structured data representations including compact binary forms in the future.
We should design with an open mind towards security work happening at IETF on the following lists:
We should leverage IANA registries for terms critical for interoperability:
[[VC-DATA-MODEL]] describes 3 primary roles an entity can play: issuer, holder, verifier. An actor is an entity that acts in at least 1 of the roles.
credential -> header, payload (credential), signing capability -> verifiable credential
This section describes the action an issuer
performs when
acting in that role.
An issuer first obtains all statements they wish to make.
Next the issuer groups these statements into attributes, and at their discretion marks them as metadata or claims.
Next the issuer determins the cryptographic material they intend to use to secure these attributes with a proof.
The issuer might choose to register verification material prior to issuance or after the fact.
The issuer determins which attributes MUST be understood by a verifier.
The issuer formats their credential as a payload, constructs a security header and using a private key or signing capability constructs a verifiable credential using a software library.
The issuer might optionally verify the newly minted credential after creating it, to ensure that 3rd parties will be able to perform the verififcation process successfully.
The issuer might optionally present the newly minted credential to a first holder, or communicate a capability to this holder using some established protocol for offering credentials.
<- nonce, aud credentials, metadata -> presentation presentation -> header, payload (presentation), signing capability -> verifiable presentation
This section describes the action a holder
performs when
acting in that role.
The holder first determins any required or optional credentials and metadata that a verifier accepts. It is possible the verifier advertises this according to some established protocol for requesting information.
Next the holder prepares their presentation, including any credentials and metadata they wish to disclose or prove to the verifier.
In the case that the verifier requires a fresh proof, or replay attack
mitigation, the holder must obtain a required
nonce
value from the verifier. An optional
aud
value might also be chosen by the holder. A verifier
might offer suggested nonce and aud values via a well known location,
or might accept other credentials or tokens from some issuer trusted
by the verifier to facilitate proof freshness.
The holder might choose to register verification material prior to presenting or after the fact (presentations might not be processed immediatly).
Next the holder crafts their presentation as a payload and secures it using a protected header header and private key or signing capability. Using a software library the holder produces a verifiable presentation.
The holder might optionally verify the newly minted presentation after creating it, to ensure that 3rd parties will be able to perform the verififcation process successfully.
The holder might optionally transmit the verifiable presentation over a network, or to an internal software system or to a harware device via a transport protocol.
verifiable credential -> header, payload, signature, public key -> verified: true | false, details: [] verifiable presentation -> header, payload, signature, public key -> verified: true | false, credential details: []
This section describes the action an verifier
performs
when acting in that role.
The verifier first obtains any required or optional credentials and presentations. Its possible the verifier advertises this according to some established protocol for requesting information.
The verifier first obtains the holder's registered verification material and validates proof associated with the presentation.
Next the verifier checks all the required to be understood attributes.
Next the verifier might at their discretion reject presentations or mark them as invalid based on their own understanding of attributes.
Next the verifier checks each credential presented.
Next the verifier obtains the verification material for each credential issuer, and uses a software library to check the credential proof.
Next the verifier might at their discretion reject credentials or mark them as invalid based on their own understanding of attributes.
The verifier might store the presentation, credentials or just the claims and associated metadata.
The verifier might acknowledge receipt or acceptance / rejection of the presentation as a whole or in parts to the holder.
[[VC-DATA-MODEL]] describes claims and metadata. An attribute is a claim, and/or metadata.
Header and payload and signature are produced by the issuer, or prover.
Values for attributes in the header are more authoritative than those present in payloads.
Issuers and provers MUST NOT create contradictng metadata or claims associated with the header values, in the payload.
A verifiable credential is produced when a credential
is
used as a JWS Payload and secured with a protected header and
signature.
A verifier MUST process the header and understand all critical values in it.
Metadata associated with the security of the payload is exclusive to the header.
Values for attributes in the header are more authoritative than those present in payloads.
Once a credential or presenation has been verified, the header can be ignored and the payload becomes the source of truth for claims made by the issuer.
A credential is consumed when a verifiable credential
,
represented as a header, payload and signature is verified using a
public key trusted by the verifier.
Headers MAY contain attributes.
Actors MUST understand all attributes marked critical via the header.
The header is in a sense a collection of metadata about the "statements" or "claims" the issuer is making about the payload and its security properties.
The security of the serialization scheme comes exclusively from
processing the header, payload and signature using the verification
material. The header and payload must be treated as opaque until this
process has suceeded or failed. Leveraging of iss
and
kid
as a hint to obtain the verification material is the
only exception to this rule.
did:example:123 https://government.example https://organization.example https://person.example https://device.example
did:example:123#key-0 https://government.example/path/bar?query=foo#fragment-baz
#key-0 /path/bar?query=foo#fragment-baz
_Qq0UL2Fq651Q0Fjd6TvnYE-faHiOpRlPVQcY_-tA4A
using hints: The "kid" (key ID) Header Parameter is a hint indicating which key was used to secure the JWS.
[[RFC3986]] MUST be used for interpertation and resolution of URIs, and defines the rules for relative URIs.
In the case that a kid
is some form of absolute IRI,
the issuer is assumed to be optional, and MUST NOT be used to obtain
verification material.
In the case that a kid
is some form of relative IRI,
the iss
MUST be present, and MUST be used to obtain
verification material.
In the case that a kid
is not an IRI, it is assumed to
be a sufficient hint for a verifier to verification material.
ES256 EdDSA
allow unregistered algorithms "alg" values should either be registered in the IANA "JSON Web Signature and Encryption Algorithms" registry established by [JWA] or be a value that contains a Collision-Resistant Name.
application/vc+json application/vc+ld+json
See omit media type prefix: To keep messages compact in common situations, it is RECOMMENDED that producers omit an "application/" prefix of a media type value in a "cty" Header Parameter when no other '/' appears in the media type value. A recipient using the media type value MUST treat it as if "application/" were prepended to any "cty" value not containing a '/'. For instance, a "cty" value of "example" SHOULD be used to represent the "application/example" media type, whereas the media type "application/example;part="1/2"" cannot be shortened to "example;part="1/2"".
We should use crit
to require verifiable credentials
encoded using JOSE to be distinguishable
and
consistently processed relative to existing token formats, such as
id_token
, access_token
or other JWTs.
See extensions that MUST be understood: The "crit" (critical) Header Parameter indicates that extensions to this specification and/or [JWA] are being used that MUST be understood and processed. Its value is an array listing the Header Parameter names present in the JOSE Header that use those extensions. If any of the listed extension Header Parameters are not understood and supported by the recipient, then the JWS is invalid. Producers MUST NOT include Header Parameter names defined by this specification or [JWA] for use with JWS, duplicate names, or names that do not occur as Header Parameter names within the JOSE Header in the "crit" list. Producers MUST NOT use the empty list "[]" as the "crit" value. Recipients MAY consider the JWS to be invalid if the critical list contains any Header Parameter names defined by this specification or [JWA] for use with JWS or if any other constraints on its use are violated. When used, this Header Parameter MUST be integrity protected; therefore, it MUST occur only within the JWS Protected Header. Use of this Header Parameter is OPTIONAL. This Header Parameter MUST be understood and processed by implementations.
Explain how payload is activated as distinct from how claims in payload are interpretted.
Explain how payload is expired as distinct from how claims in payload are interpretted.
Seems relevant to verifiable presentations and NOT relevant to verifiable credentials.
The "jti" claim MAY be used to prevent the JWT from being replayed.
The "jti" (JWT ID) claim provides a unique identifier for the JWT.
X.509 certificate chain: The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [[RFC5280]].
X.509 URL: The "x5u" (X.509 URL) parameter is a URI [[RFC3986]] that refers to a resource for an X.509 public key certificate or certificate chain [[RFC5280]].
Payloads MAY contain attributes.
allowed payload types: The JWS Payload used in this example is the octets of the UTF-8 representation of the JSON object below. (Note that the payload can be any base64url-encoded octet sequence and need not be a base64url- encoded JSON object.)
The "JWS Payload" MUST be of a content type defined by the [[VC-DATA-MODEL]].
TODO: Point to core data model definition of credential
.
TODO: Provide guidance regarding handling embedded
proof
property. (ignore by default.)
Payloads of this type MUST conform to [[RFC8259]].
Payloads of this type MUST be a JSON-LD Document as described in JSON-LD
TODO: Point to core data model definition of
presentation
.
TODO: Provide guidance regarding handling embedded
proof
property. (ignore by default.)
Payloads of this type MUST conform to [[RFC8259]].
{ "header": { "iss": "https://government.example", "kid": "/issuers/42#key-1337", "alg": "ES256", "cty": "application/vc+ld+json", "nbf": 1575375592000, "exp": 1890994792000, "crit": ["cty", "nbf", "exp"] }, "payload": { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://w3id.org/citizenship/v1" ], "id": "urn:uuid:e42a1c3c-3cbf-4834-9430-dc2376b8ef0c", "type": ["VerifiableCredential", "PermanentResidentCard"], "issuer": "https://government.example", "identifier": "e42a1c3c-3cbf-4834-9430-dc2376b8ef0c", "name": "Permanent Resident Card", "description": "Government of Example Permanent Resident Card.", "issuanceDate": "2019-12-03T12:19:52Z", "expirationDate": "2029-12-03T12:19:52Z", "credentialSubject": { "id": "did:example:b34ca6cd37bbf23", "type": ["PermanentResident", "Person"], "givenName": "JOHN", "familyName": "SMITH", "gender": "Male", "image": "data:image/png;base64,iVBORw0KGgo...kJggg==", "residentSince": "2015-01-01", "lprCategory": "C09", "lprNumber": "999-999-999", "commuterClassification": "C1", "birthCountry": "Bahamas", "birthDate": "1958-07-17" } }, "signature": "ZW5jb2RpbmctaXMtbm90LWVuY3J5cHRpb24h" }
{ "header": { "iss": "https://logistics.example", "kid": "/issuers/32#deadbeef", "alg": "EdDSA", "cty": "application/vc+ld+json", "nbf": 1576036255000, "crit": ["cty", "nbf"] }, "payload": { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://w3id.org/traceability/v1" ], "id": "https://logistics.example/credential/123", "type": ["VerifiableCredential", "BillOfLadingCertificate"], "name": "Bill Of Lading Certificate", "description": "This document includes recommended bill of lading fields.", "issuanceDate": "2019-12-11T03:50:55Z", "issuer": { "id": "https://logistics.example", "type": "Organization", "name": "Hauck Group", "description": "Focused secondary synergy", "address": { "type": "PostalAddress", "streetAddress": "3198 O'Kon Wall", "addressLocality": "North Adolphchester", "addressRegion": "Nevada", "postalCode": "50788", "addressCountry": "Cote d'Ivoire" }, "email": "Bernita.Quitzon98@example.com", "phoneNumber": "555-171-4411", "faxNumber": "+1-555-758-9761" }, "credentialSubject": { "type": ["BillOfLading"], "billOfLadingNumber": "991205182A", "bookingNumber": "991205182", "scac": "NISC", "carrier": { "type": ["Organization"], "name": "Carrior Goods And More", "email": "Adaline29@example.com", "phoneNumber": "+1 555-234-9983" }, "consignor": { "type": ["Organization"], "name": "Consignor Is Us", "email": "Idella60@example.org", "phoneNumber": "+1-555-953-9479" }, "consignee": { "type": ["Organization"], "name": "Victorian Consignee", "email": "Victoria.Hane74@example.org", "phoneNumber": "+1-555-455-9053" }, "notify": { "type": ["Organization"], "name": "Florida Contact Org", "email": "Florida91@example.net", "phoneNumber": "+1-555-104-1126" }, "freight": { "type": ["ParcelDelivery"], "deliveryAddress": { "type": ["Place"], "geo": { "type": ["GeoCoordinates"], "latitude": "-20.840731978309044", "longitude": "-159.78393883134225" }, "address": { "type": ["PostalAddress"], "organizationName": "Hahn LLC", "streetAddress": "786 Pfeffer Plains", "addressLocality": "West Ottilie", "addressRegion": "Nebraska", "postalCode": "50878-0870", "addressCountry": "Cook Islands" } }, "originAddress": { "type": ["Place"], "geo": { "type": ["GeoCoordinates"], "latitude": "-23.25979250428427", "longitude": "-58.36431415044023" }, "address": { "type": ["PostalAddress"], "organizationName": "Rosenbaum, Hills and Pagac", "streetAddress": "71834 Zelma Trail", "addressLocality": "West Gerhardview", "addressRegion": "North Carolina", "postalCode": "78251-3640", "addressCountry": "Paraguay" } }, "deliveryMethod": "Ocean transport", "trackingNumber": "178380801954" }, "portOfLoading": { "type": ["Place"], "unLocode": "USMOB" }, "portOfDischarge": { "type": ["Place"], "unLocode": "MXATM" } } }, "signature": "ZW5jb2RpbmctaXMtbm90LWVuY3J5cHRpb24h" }
These examples are framed in language that is meant to be understandable by the general public, these examples are not reflective of suggested use for the specification.
Some verifiers might require proof of age prior to the purchase of certain products.
{ "header": { "iss": "did:example:123", "kid": "#555", "alg": "ES256", "cty": "application/vp+ld+json", "aud": "drug-store.example", "nonce": "fe3b66da-6faa-4f48-9a28-3e66febc737b", "crit": ["cty", "aud", "nonce"] }, "payload": { "@context": ["https://www.w3.org/2018/credentials/v1"], "type": "VerifiablePresentation", "holder": "did:example:123", // encoded government id verifiable credential "verifiableCredential": ["ZW5jb2RpbmctaXMtbm90LWVuY3J5cHRpb24h..."] }, "signature": "ZW5jb2RpbmctaXMtbm90LWVuY3J5cHRpb24h" }
Some verifiers might require scientific tests or provenance assertions prior to allowing products to move into logistics infrastructure.
{ "header": { "iss": "did:example:123", "kid": "#555", "alg": "ES256", "cty": "application/vp+ld+json", "aud": "customs.example", "nonce": "fe3b66da-6faa-4f48-9a28-3e66febc737b", "crit": ["cty", "aud", "nonce"] }, "payload": { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://w3id.org/traceability/v1" ], "id": "urn:uuid:3978344f-8596-4c3a-a978-8fcaba3903c5", "type": ["VerifiablePresentation", "TraceablePresentation"], "workflow": { "definition": ["urn:uuid:n1552885-cc91-4bb3-91f1-5466a0be084e"], "instance": ["urn:uuid:f5fb6ce4-b0b1-41b8-89b0-331ni58b7ee0"] }, "holder": { "id": "did:example:456", "type": "Organization", "location": { "type": "Place", "geo": { "type": "GeoCoordinates", "latitude": "68.7083", "longitude": "4.6377" }, "address": { "type": "PostalAddress", "organizationName": "Ratke - Bergstrom", "streetAddress": "21851 Ima Heights", "addressLocality": "O'Connellborough", "addressRegion": "Missouri", "postalCode": "65587", "addressCountry": "Cyprus" } } }, // bill of ladding and certificate of origin for products // encoded as verifiable credentials "verifiableCredential": [ "ZW5jb2RpbmctaXMtbm90LWVuY3J5cHRpb24h...", "ZW5jb2RpbmctaXMtbm90LWVuY3J5cHRpb24h..." ] }, "signature": "ZW5jb2RpbmctaXMtbm90LWVuY3J5cHRpb24h" }
The verification material (public key or certificate) is the ultimate authority regarding the security of the serialization of the data model.
Hints used to obtain this material such as iss
, or
kid
ought to be helpful, but are not required to be.
For example:
{ "iss": "https://gov.example", "kid": "did:example:789#key-234", "alg": "ES256" }
A verifier might choose to hash this object and then lookup a certificate. If the verifier trusts the certificate, that is all they need to proceed to processing the associated payload.
Some actors might rely on defined protocols for obtaining keys or certificates based on hints.
A verifier is not required to disclose how they obtain the issuer's key material.
Issuers are not required to disclose attributes in plaintext.
This might result in awkwardness for the holder, as they cannot see what claims are in a given credential.