Add support for JWT presentations and credentials #15

Closed
jceb opened this issue Dec 15, 2023 · 11 comments · Fixed by #40
Comments

@jceb
Contributor

jceb commented Dec 15, 2023

In addition to JSON-LD, this spec should incorporate support for JWT as the other big ecosystem of DIDs and credentials.

@jceb
Contributor Author

jceb commented Dec 15, 2023

My current understanding is that Verifiable Presentations can't be represented in the JWT format. The VC Data Model spec gives no JWT example for presentations (https://w3c.github.io/vc-data-model/#presentations-0). One VC that references just one subject can be represented as a JWT, as seen here; multiple subjects aren't supported either: https://w3c.github.io/vc-data-model/#credential-subject

The reason for this lack of support seems to be the 1:1 relationship between JWT's iss and VC's issuer properties and JWT's sub and VC's credentialSubject.id properties. When there are multiple issuers, e.g. a presentation with multiple VCs, or multiple subjects, e.g. a VC with multiple subjects, the 1:1 relationship can't be expressed unambiguously anymore. Therefore, the mechanisms for verifying JWTs won't work and my impression is that this is the reason for not supporting VPs and certain types of VCs.

Conclusion:

  • VPs can't be represented in JWT format. Plain JSON or JSON-LD are currently the only supported formats.
  • VCs in JWT format can be embedded in a VP. IMHO, this would be valid according to the spec. However, I'm not sure whether library authors will widely support this mix of formats. Here is an example of how it might look: Add mechanism to embed externally secured VCs in a VP w3c/vc-data-model#1352 (comment)
  • Another option would be to support the linking of VCs, instead of VPs in the DID document. Then we'd be able to use VCs in JSON-LD and JWT format. However, this would remove the explicitness that comes from the compilation and signing of a presentation by a holder.

At the moment, I lean towards not supporting JWTs in this spec explicitly and sticking to JSON-LD VPs. If the above-mentioned example is added to the VC spec, VPs with JWT-VCs will become possible and hopefully supported by multiple libraries.

@brianorwhatever and @peacekeeper I'd very much appreciate your input on this topic.

@brianorwhatever
Contributor

Here is the relevant section of VCDM 2.0 that was just merged: https://www.w3.org/TR/vc-data-model-2.0/#enveloped-verifiable-credentials
And you can secure this VP using either Data Integrity or JWT.

@jceb
Contributor Author

jceb commented Dec 20, 2023

Okay, I think I'm gradually forming in my mind how it could work. The Verifiable Presentation as a JSON/JSON-LD document is embedded into the JWT via the reserved vp property (https://www.w3.org/TR/vc-jose-cose/#jose-header-parameters-and-jwt-claims). Credentials in the presentation are either standard JSON/JSON-LD documents with an attached data integrity LD-proof or they are JOSE/COSE secured credentials of type EnvelopedVerifiableCredential. This will also provide support for selective disclosure.

So full JWT support is possible alongside LD-proofs.

@OR13

OR13 commented Dec 21, 2023

Don't use the vp property, and I would recommend not using data integrity proofs.

@jceb
Contributor Author

jceb commented Dec 22, 2023

@OR13 do I understand you correctly that instead of hiding the VP inside the vp property, I should

  • place the plain and unsigned JSON(-LD)-VP inside the JWT payload: {"@context": [..], "verifiableCredential": [..], "holder": .., "type": [..]}
  • add additional JWT properties like iss, sub, ... that are copies of the properties in the VP: {"@context": [..], "verifiableCredential": [..], "holder": .., "type": [..], "iss": .., "sub": ..}
  • and sign the JWT via JOSE

@OR13

OR13 commented Dec 22, 2023

You don't need to add any additional properties, unless you want to use selective disclosure.

@brianorwhatever
Contributor

This specification should not define anything at all; it should allow any conformant Verifiable Presentation and refer to the VCDM spec(s) for that.

@jceb
Contributor Author

jceb commented Jan 4, 2024

I'm fully with you. I want to make sure that the spec supports the various formats.

@jceb
Contributor Author

jceb commented Feb 8, 2024

I updated the examples to include only JWT presentations and credentials. However, I don't yet understand whether it's a good idea to use the vp and vc properties in the payload. @OR13 says we shouldn't; however, at least the VC Data Model spec explicitly states the vc property, see https://w3c.github.io/vc-data-model/#credential-subject.

Not sure how to continue.

@OR13

OR13 commented Feb 8, 2024

The examples you are looking at are from v1. Nobody has bothered to update them.

@jceb
Contributor Author

jceb commented Feb 13, 2024

@OR13 thanks, that's helpful. I'll update the examples to v2.

3 participants