w3c / vc-jose-cose

Verifiable Credentials Working Group — VC JSON Web Tokens specification
https://w3c.github.io/vc-jose-cose/

Confusing text about "If no JWS is present" #23

Closed selfissued closed 1 year ago

selfissued commented 2 years ago

I'm confused by what this text at https://w3c.github.io/vc-jwt/#jwt-and-jws-considerations means (emphasis mine):

> If a JWS is present, the digital signature refers either to the issuer of the verifiable credential, or in the case of a verifiable presentation, to the holder of the verifiable credential. The JWS proves that the iss of the JWT signed the contained JWT payload and therefore, the proof property can be omitted. If no JWS is present, a proof property MUST be provided. The proof property can be used to represent a more complex proof, as may be necessary if the creator is different from the issuer, or a proof not based on digital signatures, such as Proof of Work. The issuer MAY include both a JWS and a proof property. For backward compatibility reasons, the issuer MUST use JWS to represent proofs based on a digital signature.

Given that the spec says that use of JWE is out of scope, when would there ever be a JWT that isn't a JWS? I believe that the second clause ("If no JWS is present") can never occur, and therefore should be deleted. Likewise, the first clause ("If a JWS is present") must always be true, and therefore the words "If a JWS is present" should be deleted.

Attn: @OR13

OR13 commented 2 years ago

That quote is problematic on several layers, I am in favor of completely rewriting it.

The new text should address the following:

Is it legal or illegal to mix "embedded" and "external" proofs? Provide examples for all legal cases.

I suggest removing any direct mention of "Proof Of Work".

selfissued commented 2 years ago

Would you be willing to write a PR to apply the proposed fix above, @OR13 ? Do you agree with the proposed resolution above, @Sakurann ?

Sakurann commented 1 year ago

I think a text saying something in the spirit of "there are ways of signing credentials/presentations other than JWS, if implementations received a credential not signed as JWS, and they support other signing methods, they should check for those, if they do not support any other signing methods other than JWS, they should throw an error".

If the suggested text feels a little like stepping on the protocol layer, something like "there are ways of signing credentials/presentations other than JWS" should be enough.

I am not in favor of defining what combination of signing VCs and VPs is illegal or legal.

OR13 commented 1 year ago

> Given that the spec says that use of JWE is out of scope, when would there ever be a JWT that isn't a JWS? I believe that the second clause ("If no JWS is present") can never occur, and therefore should be deleted.

I'm in favor of at least commenting on JWE as it applies to VPs... but I don't think we need this text at all to do that correctly.

My guess is this text is left over from when this section was in the core data model, and now that it's not, the entire section might be best removed, rewritten for the context it is in.

Sakurann commented 1 year ago

Having one sentence saying that "since VC-JWT is a JWS, and the rule is to sign, then encrypt, VC-JWT can be encrypted using JWE" should be sufficient.

It should also be added that encrypting using JWE without signing is out of scope.

OR13 commented 1 year ago

I don't believe "encrypting JWE without signing is out of scope"...

Especially since the core data model defines presentations without signatures as "in scope"...

It's a natural use case the working group should discuss... and it's relevant to the recent NIST Identity Guidelines.

Note the number of times the word "encrypted" is used.

Also note the use of encryption (HPKE) in MDoc Request API:

Moving encryption out of scope would be a massive strategic mistake...

I'd like to see guidance on JWE (JWT (alg:none)) at a minimum, forbidding it.

mprorock commented 1 year ago

> Moving encryption out of scope would be a massive strategic mistake...
>
> I'd like to see guidance on JWE (JWT (alg:none)) at a minimum, forbidding it.

+1

OR13 commented 1 year ago

I think this is stale now, and can be closed.

OR13 commented 1 year ago

Marked pending close over 1 week ago, closing.
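A verifier-side sketch of the two checks raised in this thread (refusing a credential that is not signed as a JWS, and refusing JWE(JWT(alg:none))), added here as an example; it is not text from the specification or code from the working group. The function names and the sample tokens are hypothetical, and the code is a structural gate only: signature verification and JWE decryption are assumed to happen elsewhere.

```python
import base64
import json


def encode_segment(obj: dict) -> str:
    """Build an unpadded base64url segment (used only for constructed samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_segment(segment: str) -> dict:
    """Decode an unpadded base64url segment into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    value = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(value, dict):
        raise ValueError("segment is not a JSON object")
    return value


def classify_vc_jwt(token: str) -> str:
    """Return 'jws' or 'jwe'; raise ValueError for anything to refuse."""
    parts = token.split(".")
    try:
        header = decode_segment(parts[0])
    except Exception as exc:
        raise ValueError("malformed protected header") from exc
    alg = header.get("alg")
    # Defensive: refuse every case variant of "none", not only the exact string.
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("unsecured JWT (alg none) rejected")
    if len(parts) == 5:
        return "jwe"  # compact JWE: header.key.iv.ciphertext.tag
    if len(parts) == 3 and parts[2]:
        return "jws"  # compact JWS with a non-empty signature segment
    raise ValueError("not a compact JWS or JWE")


def check_decrypted_payload(plaintext: str) -> str:
    """Sign, then encrypt: the JWE plaintext must itself be a signed JWS."""
    if classify_vc_jwt(plaintext) != "jws":
        raise ValueError("JWE plaintext is not a signed JWS")
    return "jws"


# Constructed sample tokens (signature and ciphertext bytes are placeholders).
PAYLOAD = encode_segment({"iss": "https://issuer.example"})
SIGNED = encode_segment({"alg": "ES256"}) + "." + PAYLOAD + ".c2ln"
UNSECURED = encode_segment({"alg": "none"}) + "." + PAYLOAD + "."
ENCRYPTED = encode_segment({"alg": "ECDH-ES", "enc": "A256GCM"}) + "..aXY.Y3Q.dGFn"
```

Running `check_decrypted_payload` on the decrypted plaintext is what catches an unsigned token wrapped in a JWE, since the outer envelope alone classifies as `jwe`.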