Closed OR13 closed 11 months ago
+1, this feels like a useful thing to do.
I have since changed my mind based on the conversations at W3C TPAC; -1, new feature, not clear what the use case is.
+1 excellent idea.
I am of course fine with adding this property, which is indeed missing. But there is more, see below
Here is what I think must be done (see also https://github.com/w3c/vc-data-model/issues/1263#issuecomment-1704206033):
<dfn>
statement for the term, which is the proper anchor for the property to refer to from the vocabulary. I would think that, at least, the first occurrence of <code>relatedResource</code>
should be enclosed in a <dfn>
tag.issuer
, as described in my comment elsewhere, there is nothing in the text that would allow me to also add a verifiable presentation to the domain. I understand this is part of the current issue; what I am saying that this statement must be part of the VCDM spec for this to be added to the vocabulary.However, it turns out that the VCDM spec includes two more properties:
digestSRI
's domain is any Resource (but not a BNode), range is, at first approximation, xsd:string
(ideally, a datatype that describes exactly what the value looks like).mediaType
's domain is any Resource (but not a BNode), range is, at first approximation, xsd:string
(ideally, a datatype that describes exactly the media type string).These two properties are not only missing from the vocabulary, but also missing from the context!
Note that, for the mediaType
, an alternative would be to use the term encodingFormat
instead, referring to http://schema.org/encodingFormat. Do not reinvent the wheel, and all that... That would mean just add an entry to the context file, and this property is oblivious to the vocabulary.
I am happy to create a PR with all these changes, if we have an agreement.
@dlongley @msporny
This feels like a new feature. Am I missing something?
I think one question raised during TPAC WG mtg was "what use-cases relatedResource in presentations are not addressed by relatedResouce in credentials"
To validate that a resource referenced by a verifiable credential is the same at verification time as it is at issuing time, an implementer MAY include a property named relatedResource that stores an array of objects that describe additional integrity metadata about each resource referenced by the verifiable credential. If relatedResource is present, there MUST be an object in the array for each remote resource for each context used in the verifiable credential.
The issue was discussed in a meeting on 2023-09-14
I think it's likely a mistake to add arbitrary resources to a presentation. If the verifier didn't request it, it's going to be weird.
If the verifier did request it, I think the likely path is as a VC, e.g., requesting a VC with a photo of the user and getting that VC is much more appropriate than arbitrarily shoving an image in the presentation. And how do request protocols handle requests for arbitrary data?
Doing it outside the VC flow raises questions. How does the verifier ask for the right asset? What happens if you don't have it? These augmentations are potentially interesting, but right now, we haven't explored how we support it.
I think this is too much of a new feature that isn't just a replication of what happens with VCs, it creates new questions and problems that need additional analysis and consideration.
As also agreed at TPAC, I will submit soonish a PR taking care of https://github.com/w3c/vc-data-model/issues/1265#issuecomment-1705009825. Reading through the comments, I do not think there is a consensus on adding VP as a possible domain for related resource, so I propose to keep it for VC only for now. (It is easy to change that later if we decide to do so.)
@jandrieu,
I think it's likely a mistake to add arbitrary resources to a presentation. If the verifier didn't request it, it's going to be weird.
If the verifier did request it, I think the likely path is as a VC, e.g., requesting a VC with a photo of the user and getting that VC is much more appropriate than arbitrarily shoving an image in the presentation. And how do request protocols handle requests for arbitrary data?
I think you may have missed some of the other discussions around this. The verifiableCredential
property (of VPs) only supports values that are isolated graphs of information (to separate them cleanly from the VP) expressed using the VCDM as JSON-LD. VCs that are secured using VC-JOSE-COSE do not work -- as they add an envelope around the VCDM and change the data format from the VCDM / JSON-LD to instead be a base64-encoded-dot-delimited string. We need a place for people to express these different data structures in VPs and relatedResource
was what we turned to.
So the expectation is that protocols such as OID4VP will be expected to request VCs that are secured using VC-JOSE-COSE to be presented as values in the relatedResource
property. IOW, it should not be weird for those verifiers, but expected.
Removing ready for PR
as it doesn't seem like there is consensus on adding the feature.
suggest closing and tacking no action
The issue was discussed in a meeting on 2023-11-15
I have since changed my mind based on the conversations at W3C TPAC; -1, new feature, not clear what the use case is.
After some debate with @dlongley, I've changed my mind (yet again) on this issue and propose a concrete use case for this feature:
That is, the argument for this feature is the same as for including it in verifiableCredential
.
To be clear, I don't think that relatedResource
should be used to "embed externally secured VCs", that should be done via the proposal in issue #1352.
I remain dubious to the use of relatedResource
. The feature is so general that implementations are going to end up implementing custom logic that processes special things in the field, and developers are going to start using it as a dumping ground for cryptographic hashing of anything they deem important (and implementations are going to ignore throwing errors if hashes don't match). I remain a -1 on relatedResource
in general, but will not formally object if it remains in the specification. The strongest reason I'm not suggesting a FO is because there seemed to be threats of formal objections if we didn't include the feature from the JOSE/COSE folks.
I expect that @jandrieu will object to this proposal because of what he said above, and will suggest we provide something like a securedContext
or integrityProtectedContext
property that looks exactly like relatedResource
but is fit for purpose. digestMultibase
or digestSRI
(and mediatType
) can be used for everything else, but I defer to him on the details (or, maybe my read on his statements during the last meeting were wrong). :)
To summarize:
Define relatedResource
on VerifiablePresentation
for the purposes of securing JSON-LD context files.
Define digestSRI
/digestMultibase
and define mediaType
for general use in any object w/ an id
property and rename relatedResource
to contextSecurity
(or some other bikesheded term). Allow contextSecurity
on any object that can expresses a @context
value, including VerifiableCredential
and VerifiablePresentation
. This approach still enables all of the use cases provided by the relatedResource
property in the spec today, but is more targeted about context security.
@msporny, just a technical comment:
Define digestSRI/digestMultibase and define mediaType for general use in any object w/ an id property and rename
The term definition in the spec as well as the vocabulary item have been defined without any domain statement. I think that was intentional to make them usable on any object. I.e., this wish in option B has already been fulfilled 😀
@iherman wrote:
I think that was intentional to make them usable on any object. I.e., this wish in option B has already been fulfilled 😀
Not quite... :) more below.
Define digestSRI/digestMultibase and define mediaType for general use in any object w/ an id property and rename
We don't have mediaType
defined generally, which can only be used on relatedResource
, and would need to be usable on any resource (and the definition in the spec is a bit dodgy as well).
Hrm, looks like we also don't have digestMultibase
defined at all in the v2 context; we need define this in order to see which form implementers implement, to match the statements in the spec, (DB plans to implement digestMultibase
, btw), otherwise we bias heavily towards digestSRI
.
Yeah, I am very narrow-minded, and was looking at the vocabulary only. The JSON context is your baby :-)
During the 2023-11-15 meeting (see above), the group requested that this issue be closed, and the discussion to be continued in two separate issues (extracted from this one). These issues have now been created:
So presumably this issue can be marked 'pending closed'.
@dmitrizagidulin the issue has been marked as Pending Close last week. I would not consider Thanksgiving week as 'complete', so I would think the required pause should end next week, at which time @brentzundel can close the issue.
Closing this issue in preference of #1352 and #1360
Originally discussed in:
This would allow a VerifiablePresentation or VerifiableCredential to point to "other graph nodes by id", instead of pointing to "VerifiableCredentialGraph" containers.
See also the discussion on the different between the two here:
https://github.com/w3c/vc-data-model/issues/1240