VC "knows" template

[ChristopherA]

One of our goals for this hackathon was to have everyone create a BTCR DID and have simple web of trust "know" claims between all of us (knows being available in https://w3id.org/identity/v1)

@mattcollier could you help us get a valid VC template (for your -cli tool) that expresses a simple knows claim? Maybe a couple of others that use other non-personal data items from https://w3id.org/identity/v1 ?

The best example we have is from @dlongley last year: https://github.com/w3c/vc-data-model/issues/32#issuecomment-273218981 but there is more debate on what these should look like in that issue:

// This credential states that Alice knows Bob, and Bob has a public key X
{
"@context": [ "https://w3id.org/identity/v1" ],
"id": "did::Alice#CREDENTIAL1",  // this credential lives in the DDO (although, this is not necessary)
"type": ["Credential", "WoTRelationshipCredential"],
"issuer": "did::Alice",
"issuanceDate": "2010-01-01T19:23:24Z",
"credentialSubject": {
  "id": "did::Alice",  
  "knows": {
    "id": "did::Bob" // Alice is claiming that she knows Bob
    "publicKey": {
      "type": "EcdsaKoblitzPublicKey",
      // Alice is claiming that Bob's public key  SHA-256 fingerprint is this
      "sha256Fingerprint": "25FE3932D9...8B9316" 
    }
  }
},
"proof": {
    "type": "EcdsaSecp256k1Signature2019",
    "created": "2019-08-08T15:10:01Z",
    "jws": "eyJhbGciOiJFUzI1NksiLCJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdfQ..MEUCIQCGMSkRuXUe-1mgj2WCR_bcfAXeAmb3rGoszNDgqy-ecQIgBdvJaYj4cprhpF892dcZ-7q3J54GrIhWNGin3bIzh18",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did::Alice#key-1"
  }
}

[ChristopherA]

In addition to "know", there are some other items in the Identity Schema (and as it inherits both thing and Person), so there is also these that might be useful for pseudonymous claims:

"group" and "memberOf" of this hackathon or W3C-CCG or RWOT9.

"alternateName" for a psuedonym

"email" to claim an email address

"sameAs" to claim a URL (say to a github account, twitter, handle).

"knowsAbout" things like C++, Java, etc.

"Description" a english language claim

-- Christopher Allen

[ChristopherA]

We also need to add an "evidence" that is Bob's key was verified cryptographically by Alice.

See https://www.w3.org/TR/vc-data-model/#example-22-usage-of-the-evidence-property

[ChristopherA]

What I want to represent (in English):

Alice knows Bob, that Bob has proven to Alice control over Bob's public key, and how Alice knows that how (the auth ceremony used: a cryptographically verified possession, not F2F).

[ChristopherA]

@dlongley Can you look look at how we refer to public key in the above? Should it refer to a DID#key-1 instead.

[dlongley]

I would not use https://w3id.org/identity/v1 -- it's very dated and perhaps even in conflict with the latest VC work. There's a section in the VC implementation guide that explains how to create your own new VC types:

https://w3c.github.io/vc-imp-guide/#creating-new-credential-types

(Note that the context URL has a typo in that guide and there's a PR to fix it.)

A new WoT context should be published somewhere or hard coded to a URN if need be. For this example, I'll say that the URN urn:web-of-trust:context refers to the context below and that its vocabulary's base URI is the URN urn:web-of-trust:vocab:. But it may makes sense to make something more reusable ... or pick a more narrow name if this is a one-off.

Here's a new context and VC template for representing that Alice knows Bob and that Bob has some public key.

The context:

{
  "@context": {
    "@version": 1.1,
    "id": "@id",
    "type": "@type",
    "WoTRelationshipCredential": "urn:web-of-trust:vocab:WoTRelationshipCredential",
    "knows": {"@id": "urn:web-of-trust:vocab:knows", "@type": "@id"},
    "EcdsaSecp256k1VerificationKey2019": "https://w3id.org/security#EcdsaSecp256k1VerificationKey2019",
    "publicKey": {"@id": "https://w3id.org/security#publicKey", "@type": "@id"},
    "publicKeyBase58": "https://w3id.org/security#publicKeyBase58"
  }
}

The VC template using it:

{
  "@context": [
    "https://www.w3.org/credentials/v1",
    "urn:web-of-trust:context"
  ],
  "id": "<some identifier for the credential like urn:uuid:<uuid> or a URL>",
  "type": ["Credential", "WoTRelationshipCredential"],
  "issuer": "did:<method>:Alice",
  "issuanceDate": "2010-01-01T19:23:24Z",
  "credentialSubject": {
    "id": "did:<method>:Alice",
    // Alice is claiming that she knows Bob
    "knows": {
      "id": "did:<method>:Bob"
      // Alice is claiming that Bob has this public key
      "publicKey": {
        "id": "did:<method>:Bob#24fd3..332f23f",
        "type": "EcdsaSecp256k1VerificationKey2019",
        "publicKeyBase58": "zsf3w23f...32f2f23"
      }
    }
  },
  "proof": {
    "type": "EcdsaSecp256k1Signature2019",
    "created": "2019-08-08T15:10:01Z",
    "jws": "eyJhbGciOiJFUzI1NksiLCJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdfQ..MEUCIQCGMSkRuXUe-1mgj2WCR_bcfAXeAmb3rGoszNDgqy-ecQIgBdvJaYj4cprhpF892dcZ-7q3J54GrIhWNGin3bIzh18",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did::Alice#key-1"
  }
}

To sign or verify a VC using the above template using something like vc-js requires a documentLoader be passed that will resolve urn:web-of-trust:context to the above context document. The above wasn't tested at all ... so I hand it over as-is ... hopefully no typos. :)

[dlongley]

@ChristopherA,

Alice knows Bob, that Bob has proven to Alice control over Bob's public key, and how Alice knows that how (the auth ceremony used: a cryptographically verified possession, not F2F).

Do you want Alice to just assert that she knows Bob has that public key via some method ... or do you want something stronger like to include, for example, an embedded VerifiablePresentation from Bob with a DID-Auth signature on it as evidence? The former doesn't really sound like evidence, so I don't know that it makes sense to model it that way.

[ChristopherA]

ACTION: @ChristopherA gave @mattcollier & @AnthonyRonning the reference private WIF testnet key for sample implicit DID key did:btcr:xyv2-xzpq-q9wa-p7t#satoshi (see #4) so that they can create real BTCR-based VCs in their demo.

ACTION: @mattcollier will put a"WoT" context into each VC of this form, community will do URL based ones later. Some items in @dlongley's comment may be redundant.

ACTION: Ask @dlongley to look at what it would take to put the simplest possible VP into this WoT credential that verifies that Alice has confirmed that Bob has possession of private key. Simplest nonce confirmation is fine.

[ChristopherA]

Since we are going to be using a custom context, and adding simple DID Auth proof, we don't need to use the word "knows" from the old person schema context.

Maybe it should be:

• Alice ConfirmsPrivateKeyPossessionOf Bob

"credentialSubject": {
    "id": "did:btcr:xg35-jzrx-qtyt-jqr",
        // Alice's pseudonymous DID
    "ConfirmsPrivateKeyPossessionOf": {
      "id": "did:btcr:xxxx-xxxx-xxxx-xx"
            // Bob's pseudonymous DID
      "publicKey": {
        "id": "did:btcr:xxxx-xxxx-xxxx-xx#key#0",
            // Bob's pseudonymous DID's specific key
        "type": "EcdsaSecp256k1VerificationKey2019",
        "publicKeyBase58": "zsf3w23f...32f2f23"
      }
      "evidence" {
            // Some DID Auth VP?
    }
  }

@jandrieu what do you suggest?

-- Christopher Allen

[dlongley]

I don't really know the use case or any of the details or any potential attack vectors, etc. (I don't really have time to dive into it either at the moment), but here's the most minimal VP (with Bob authenticating to Alice) I could come up with to put into an evidence field on the VC:

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1"
  ],
  "type": "VerifiablePresentation",
  "proof": {
    "type": "EcdsaSecp256k1Signature2019",
    "created": "2019-08-08T15:10:01Z",
    "jws": "eyJhbGciOiJFUzI1NksiLCJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdfQ..MEUCIQCGMSkRuXUe-1mgj2WCR_bcfAXeAmb3rGoszNDgqy-ecQIgBdvJaYj4cprhpF892dcZ-7q3J54GrIhWNGin3bIzh18",
    "proofPurpose": "authentication",
    "verificationMethod": "did:<method>:Bob#24fd3..332f23f",
    "challenge": "3786dg3df1d...12d12d12",
    "domain": "did:<method>:Alice"
  }
}

[ChristopherA]

I don't really know the use case or any of the details or any potential attack vectors, etc. (I don't really have time to dive into it either at the moment), but here's the most minimal VP (with Bob authenticating to Alice) I could come up with to put into an evidence field on the VC.

@dlongley Do you have any more recent example of how I can include a cryptographic proof of control (or other cryptographic proof) as evidence in a VC? I'm making progress on BTCR-based LESS-less psuedoanonymous VCs, but I still have no idea how to do this. As it is the most fundamental thing that will make BTCR better than GPG, I need it soon. /cc @danpape @jandrieu @Ryan @OR13

-- Christopher Allen

[OR13]

@ChristopherA we use this approach for linking domains to DIDs... https://identity.foundation/.well-known/resources/did-configuration/#linked-data-proof-format

there is a proposal to include a bi-directional component in the service endpoint... but if we had sameAs... we wouldn't need that :)

the way this works is that a website admin has to put a credential signed by a did at a specific path... if they can do that... you believe that they are linked / the same.

... this is similar to how lets encrypt handles SSL certificate issuance....

https://www.frederikbanke.com/setting-up-https-on-nginx-using-lets-encrypt-2/