Securing Verifiable Credentials using JOSE and COSE

[awoie]

こんにちは TAG-さん!

As an editor of the W3C VCDM 2.0, I'm requesting a TAG review of Securing Verifiable Credentials using JOSE and COSE (which is another work item of the W3C VCWG).

The Securing Verifiable Credentials using JOSE and COSE specification describes how to secure media types expressing W3C Verifiable Credentials and Verifiable Presentations as described in the W3C VCDM 2.0, using approaches described by the OAuth, JOSE, and COSE working groups at IETF. This includes SD-JWT and COSE, and provides an approach using well-defined content types and structured suffixes to distinguish the data types of unsecured documents conforming to from the data types of secured documents conforming to, defined in this specification.

• Explainer¹ (minimally containing user needs and example code): Securing Verifiable Credentials using JOSE and COSE (VC-JOSE-COSE)
  • VC-JOSE-COSE: Introduction
• Specification URL: VC-JOSE-COSE: Latest published version, VC-JOSE-COSE: Latest editor's draft
• Tests: Test suites are under development
• User research: n/a
• Security and Privacy self-review²: Security/Privacy
• GitHub repo (if you prefer feedback filed there): VC-JOSE-COSE: Repo
• Primary contacts (and their relationship to the specification):
  • Orie Steele (@OR13), Editor, Transmute
  • Michael B. Jones (@selfissued), Editor, Independent
  • Michael Prorock (@mprorock), Editor, Mesur.io
• Organization(s)/project(s) driving the specification: W3C Verifiable Credentials Working Group
• Key pieces of existing multi-stakeholder review or discussion of this specification: TAG Review of VCDM 1.0
• External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): Issue Tracker

Further details:

• I have reviewed the TAG's Web Platform Design Principles
• Relevant time constraints or deadlines: The VCWG intends to advance this specification to the Candidate Recommendation stage in October 2023. It would greatly benefit our efforts if we could receive reviews prior to this timeframe, ideally by the end of September 2023. However, we understand that the end of September might not be feasible, given the short notice. We kindly request prioritization if possible. Your assistance in this matter would be greatly appreciated.
• The group where the work on this specification is currently being done: W3C Verifiable Credentials Working Group
• The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): n/a (same group as above)
• Major unresolved issues with or opposition to this specification:
  • adding controller documents
  • adding key discovery via “kid” JWT header, “iss” JWT claim
• This work is being funded by: The members of the W3C VCWG that are actively participating in the development of these specifications including funding from the US Federal Government, the European Commission, and the Canadian Federal Government.

You should also know that...

• This work relates heavily to the following specifications: Verifiable Credentials Data Model v2.0, which is also something that the TAG will be reviewing (see TAG review request here).
• Major changes since VCDM v1.1:
  1. securing mechanisms are now externalized in a new specification and no longer contained in the VCDM,
  2. besides JSON-LD and Data Integrity other representations are made possible by defining specific media types.
  3. VC-JOSE-COSE introduces breaking changes such as requiring VCDM 2.0 instead of VCDM 1.1 (or 1.0), and using the JWT representation defined in SD-JWT.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

☂️ open a single issue in our GitHub repo for the entire review