Closed arcalinea closed 2 years ago
I'll give a quick overview of the JOSE standards, and then where JSON Web Proofs fit in. I'm sure we're all familiar with JWTs, but maybe not with the whole family of JOSE specs. Prepare yourself for a hoard of "JW_" acronyms.
So JOSE (Javascript Object Signing & Encryption) is a standard for, well.... signing & encryption JSON. It includes several specs:
okay phew
Now a bit more background: Verifiable Credentials (VCs) are an emerging standard in the dweb space & a recent W3C spec. They are essentially signed attestations about a user from a trusted source that the user can then send around to other services to prove some piece of information about them (age, a certificate, etc). JWTs are commonly used for VCs. Here's a good article on them.
However, one downside of VCs in this format is that they are not terribly privacy preserving. VCs can often be linked together. Or require disclosure of multiple claims in order to validate just one.
JSON Web Proofs (JWP) are an extension of the JOSE spec that focuses on privacy preserving proofs.
A few more acronyms:
JWS requires two functions: sign & verify. JWP requires two extra functions (for a total of four): sign, verify, prove, & verify proof
A few example algorithms are given for JWPs:
JWPs seem to really shine in the use case of VCs.
Comparison to UCANs JWPs and UCANs both build on top of and extend the JWT spec. However, JWPs are solving a different problem from UCANs. UCANs are authorization tokens that prove ability to do something and can be attenuated to delegate permissions to another actor. JWPs are a container to prove & selectively disclose some facts about a user.
JWPs don't have any semantics for attenuation of authorization. Their main use case seems to be proving some fact about a user (such as a VC).
For authorization, I still think UCANs are the tool that maps most nicely to what we want. But JWPs are certainly a powerful primitive to have at our disposal.
The Fission team has talked about shortening UCAN chains by compressing them into a ZKP in the proof (prf
) field. Their might be a situation where we use JWP semantics to structure the presentation of this ZKP.
However, ZKPs are still a little ways off. The technology is still progressing (quickly!), and even the JWP docs suggest that ZKPs are the goal while punting on the actual implementation details for the time being.
Move to Notion^^
Thought it would be worth noting some detractors to JOSE:
Evaluate in comparison with UCANs https://github.com/json-web-proofs/json-web-proofs#user-content-fn-JWS-66165f84d74d387b4cbbf94b42d9a297
And think through what a demo might entail