w3c / vc-jose-cose

Verifiable Credentials Working Group — VC JSON Web Tokens specification
https://w3c.github.io/vc-jose-cose/

Do we need an SD-JWT profile for W3C VCs? #191

Closed David-Chadwick closed 8 months ago

David-Chadwick commented 8 months ago

Apologies if this topic has already been discussed in the VC WG and I missed it.

The current work on SD-JWT is being carried out in the IETF. A profile of SD-JWT is also being created for "verifiable credentials" but this draft contains the following note: "This specification does not utilize the W3C's Verifiable Credentials Data Model v1.0, v1.1, or v2.0."

This poses the following questions.

Q1. Does this working group think that there should be a specification of how to use SD-JWT to create W3C VCDM conformant VCs?

If the answer to Q1 is yes, then Q2. Is it within the scope of the current WG to create a profile of SD-JWT that does utilise the W3C VCDM?

Q3. If not, does W3C have any other mechanism for creating such a profile?

galund commented 8 months ago

For what it's worth, I think this would be useful. This is not an official position etc :)

OR13 commented 8 months ago

This issue should be closed, this is covered in vc-jose-cose

iherman commented 8 months ago

The issue was discussed in a meeting on 2023-12-06

#### 2.4. Do we need an SD-JWT profile for W3C VCs? (issue vc-jose-cose#191)

_See github issue [vc-jose-cose#191](https://github.com/w3c/vc-jose-cose/issues/191)._

**Brent Zundel:** I do believe that VC JOSE/COSE is the closest thing that this group will be able to produce in order to address this issue. I'm not sure what else this issue is asking for. We probably wouldn't have the capacity to create a new document to address this use-case.

**David Chadwick:** It's really a hot topic at the moment. It will be implemented in the EU Digital Identity Wallet. It will be demonstrated in the GAIN hot group.

… We don't have any guidelines at the moment about how this would be used.

> *Orie Steele:* David, please read: [https://w3c.github.io/vc-jose-cose/#securing-json-ld-verifiable-credentials-with-jose](https://w3c.github.io/vc-jose-cose/#securing-json-ld-verifiable-credentials-with-jose).

**DavidD:** It specifically says that SD-JWT aren't W3C Verifiable Credentials, which isn't a good situation.

> *Brent Zundel:* [https://w3c.github.io/vc-jose-cose/#with-jose](https://w3c.github.io/vc-jose-cose/#with-jose).

> *Orie Steele:* David: [https://w3c.github.io/vc-jose-cose/#securing-json-ld-verifiable-presentations-with-jose](https://w3c.github.io/vc-jose-cose/#securing-json-ld-verifiable-presentations-with-jose).

**David Chadwick:** There is an example for SD-JWTs in VCs, but not in VPs.

> *Orie Steele:* please file issues, or PRs if you want the text to change.

**Brent Zundel:** It may be that a full specification would be the best option, but we don't have the capacity to do that at this stage in our Working Group.

> *Orie Steele:* If your customer wants help, feel free to put me in touch.

**Manu Sporny:** VC-JOSE-COSE is the document that expresses this. I spoke with a customer who was very confused about IETF defining how to make credentials. I agree therefore that there's confusion. I think we should make sure that they also know there is confusion, and there is an opportunity to clarify things in the IETF specifications.

> *Orie Steele:* I would in general, not assume that IETF documents are "done" until they are RFCs.

**David Chadwick:** Would the editors of the VC-JOSE-COSE be happy to add more description in the specification?

… I think that would be appreciated.

**Brent Zundel:** Should we move the issue to vc-jose-cose repository?

> *Manu Sporny:* +1 to move to vc-jose-cose.

**Orie Steele:** Yes, you can do that.

**Brent Zundel:** I see support in the IRC, so that's what I'll do.

David-Chadwick commented 8 months ago

This issue should remain open until the following issues are fixed

  1. This spec is now based on SD-JWT, whereas the first draft was not. Consequently the title of the spec should be changed to indicate that selective disclosure is supported. (Otherwise how will people intuitively know that it is for SD-JWT and not plain JWT?) I suggest something like "Securing Verifiable Credentials and supporting selective disclosure using JOSE and COSE".
  2. [SD-JWT-VC] is in the list of references but is not referenced in the body of the document.
  3. The examples are not as clear as those in the SD-JWT specification. For example, no disclosures are shown unencoded.

selfissued commented 8 months ago

Thanks for your comments, @David-Chadwick. Here are my thoughts:

  1. I am against making the title longer. Just like VCDM supports selective disclosure but doesn't say so in the title, it's fine to likewise not say so in the title.
  2. Where in the body of the spec do you suggest referencing [SD-JWT-VC]?
  3. Where would you like to see an enhanced example?

David-Chadwick commented 8 months ago

  1. But the SD-JWT-VC IETF draft does specify selective disclosure in its title, even though it does not support W3C VCs. So by looking at the titles of both specs, readers will falsely think that the IETF draft is the only spec that supports W3C VCs and selective disclosure, and that our spec does not support it. This is obviously wrong, so we should try to help new readers who are presented with a list of titles to choose the correct standard.
  2. Sorry for the confusion, I am suggesting that the reference should be removed, not that we add text to reference it.
  3. Example 1 would be a good start. Perhaps a tab can be added to show the disclosures, or text could be added below the example to enumerate the disclosures.

selfissued commented 8 months ago

Per 2, [SD-JWT-VC] was actually referenced in several places, but using the wrong Markdown syntax. https://github.com/w3c/vc-jose-cose/pull/198 fixes this.

Per discussion on the 20-Dec-23 working group call, I don't think there's consensus to do 1.

We can take up 3 after CR, but given it doesn't change the meaning of the spec, it's not critical to go to CR.

David-Chadwick commented 8 months ago

Please re-open this issue as it has not been completed yet. It can be marked post-CR if you like, but until point 3 has a PR prepared for it, then this issue should not be closed.

decentralgabe commented 8 months ago

@David-Chadwick I opened a separate issue to track this https://github.com/w3c/vc-jose-cose/issues/199

David-Chadwick commented 7 months ago

I have raised PR#212 to address the title issue. This does not make the title any longer, and furthermore it accurately reflects what the spec is about. Furthermore, it is consistent with the Introduction section of the specification, which the original title no longer is.