search

w3c / vc-data-model

W3C Verifiable Credentials Working Group — VC Data Model and Representations specification
https://w3c.github.io/vc-data-model/
Other
281 stars 97 forks source link

Suggest to make explicit reference to the JADES standard #1481

Closed anthonycamilleri closed 1 week ago

anthonycamilleri commented 2 months ago

Digital Signatures in Europe are regulated by the eIDAS directive, which sets mandatory technical specifications for legally admissible digital signatures in Europe. There are a range of different signature options, covering enveloped, enveloping and detached signatures, with different 'baselines' which essentially add signed timestamps to a file for long-term preservation.

An example of a JADES-LTA signed credential is attached to this issue - this one contains the highest level of assurance, with extendable long-term archiving timestamps - as produced by the DSS libraries (reference libraries for implementing the JADES standards, distributed by the European Commission to all member states).

Given the geographic scope of JADES (27 countries adopting this standard through legislation),and the sheer number of users that will be covered by the implementation, I would suggest that at minimum the standard would recognise the existence of the JADES standard, and that JADES standards can be used with verifiable credentials, and are RECOMMENDED for users based in the EU.

The appropriate reference would be to (TS 119 182-1 - V1.1.1 - Electronic Signatures and Infrastructures (ESI); JAdES digital signatures; Part 1: Building blocks and JAdES baseline signatures (etsi.org)).

brentzundel commented 2 months ago

I'm not opposed to seeing an example in the spec that has been secured using JAdES, but the WG will need to come to consensus on that.

Has it been listed in the VC Specifications Directory as a viable securing mechanism? That should be the first step regardless.

anthonycamilleri commented 2 months ago

@brentzundel added as https://github.com/w3c/vc-specs-dir/pull/36

msporny commented 1 month ago

@anthonycamilleri wrote:

@brentzundel added as w3c/vc-specs-dir#36

This has been merged and included in the VC Specs Directory.

I'll note that the example linked to above is really big and verbose. Do you think you could add a JADES extension to respec-vc? That is what we use to generate the digitally signed examples. We could include JADES as another tab in some of the examples if you did so.

TallTed commented 3 weeks ago

In any case, we should capitalize JAdES (the "JSON format for AdES Signatures") correctly, painful though it may be...

iherman commented 3 weeks ago

The issue was discussed in a meeting on 2024-06-05

View the transcript #### 6.1. Suggest to make explicit reference to the JADES standard (issue vc-data-model#1481) _See github issue [vc-data-model#1481](https://github.com/w3c/vc-data-model/issues/1481)._ **Brent Zundel:** suggestion to make explicit reference to JADES standard. … request is to have an example in our spec of how to do this. **Manu Sporny:** I prefer not to include a big example, things signed with JADES are like 100KB blobs, adding an example would not demonstrate anything. > *Dmitri Zagidulin:* can we /link/ to a JADES example? **Manu Sporny:** request to normatively say it is totally fine to use JADES, we shouldn't do that either. … we do in the spec mention a variety of other securing formats, we mention JWT, CWT, mDL, Gordian Envelopes, etc, can add JADES to list. > *Brent Zundel:* +1 to adding to that list. **Brent Zundel:** proposal is to link to JADES as we have linked to other securing mechanisms. > *Phillip Long:* +1 to that. **Brent Zundel:** if you are opposed jump into the issue and tell us, otherwise that is what we will do. … thanks to all for being here. > *Ivan Herman:* +1 for me as well. ---
msporny commented 3 weeks ago

PR #1501 has been raised to address this issue. This issue will be closed once PR #1501 has been merged.

iherman commented 2 weeks ago

The issue was discussed in a meeting on 2024-06-12

View the transcript #### 2.2. Add reference to JAdES standard in Ecosystem Compatability. (pr vc-data-model#1501) _See github pull request [vc-data-model#1501](https://github.com/w3c/vc-data-model/pull/1501)._ _See github issue [vc-data-model#1481](https://github.com/w3c/vc-data-model/issues/1481)._ **Brent Zundel:** pull request 1501. the related issue is 1481. 1481 says -- we have a JADES impl of securing a VC, and think the spec should note that. this PR adds a link to JADES for ecosystem compatibility -- already has anoncreds, ACDC, many other 'vc-like' things that should be compatible with this spec. … want to give folks a chance to look at it if they have not yet. it will be merged.
msporny commented 1 week ago

PR #1501 has been merged, closing.