Open mlagally opened 3 years ago
https://www.w3.org/TR/vc-data-model/ Verifiable Credentials Data Model 1.0 REC
The canonical representation as defined by https://tools.ietf.org/html/rfc8785 looks like a good start.
We should check if there are any requirements that require TD specific additional clarifications.
So another thing we should clarify in the TD spec are arrays-of-one-element being expressed as a single value. I think profiles currently require these to be expressed as arrays but this goes against certain things where we say otherwise, i.e. security (where the array form, i.e. with more than one element, is deprecated, since we want to remove the array completely in a future version...).
Edit: Other TD canonicalization topics discussed:
Note there are already two issues on this:
The one in security points at the TD issue and that's where I think this discussion belongs, as canonicalization requirements (and the scheme for embedding the signing information, eg an ld-proof block) should go into the TD spec, I feel (not profiles; signing should be a universal TD feature, IMO).
Arch call on 10.12.: We prefer shortness of a TD over verbosity:
We have to select a specific signing mechanism / algorithm, may need to update to a new version when an algorithm gets broken. There needs to be an extension of the TD data model to support https://tools.ietf.org/html/rfc7515.
As a strawman we agree to use JWE with a selected set of algorithms (t.b.d: select algorithms that have not been compromised yet and can be done on resource constrained devices)
See: https://datatracker.ietf.org/wg/jose/documents/
Review the algorithm choices done by CBOR (COSE) https://tools.ietf.org/html/rfc8152
We want to reference the corresponding TD chapter and provide required additional constraints, if necessary.
The above PR is ready for review, and should address this issue.
We need to review JSON signing mechanism wrt. canonicalisation requirements.
https://tools.ietf.org/html/rfc7515
Check for number representation formats, whitespace handling, sort order. We should however not duplicate requirements in the profile that are already covered by referenced material.
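As an added example (not code from the WoT specs or from this thread), a minimal RFC 8785 (JCS) canonicalizer in Python run over constructed TD fragments: it shows that member order and whitespace are absorbed by canonicalization, while the single-value vs one-element-array choice discussed above is not, so the TD spec has to settle it before the bytes are signed. The TD fields and values are constructed, and number formatting covers only the common cases.

```python
import hashlib
import json
import math

# Minimal JSON Canonicalization Scheme (RFC 8785) serializer: no whitespace,
# object members sorted by UTF-16 code units, RFC 8785 string escaping and
# ES6-style number formatting for the common cases (see _number).
def canonicalize(value) -> str:
    if value is None:
        return "null"
    if isinstance(value, bool):  # check bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return _number(value)
    if isinstance(value, str):
        return json.dumps(value, ensure_ascii=False)  # escapes only ", \ and controls
    if isinstance(value, list):
        return "[" + ",".join(canonicalize(v) for v in value) + "]"
    if isinstance(value, dict):
        # Sorting by UTF-16BE bytes equals sorting by UTF-16 code units (RFC 8785 3.2.3)
        members = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return "{" + ",".join(
            json.dumps(k, ensure_ascii=False) + ":" + canonicalize(v) for k, v in members
        ) + "}"
    raise TypeError(f"unsupported JSON type: {type(value).__name__}")

def _number(x) -> str:
    if isinstance(x, float):
        if not math.isfinite(x):
            raise ValueError("NaN/Infinity are not valid JSON numbers")
        if x.is_integer() and abs(x) < 1e21:  # ES6 prints 1.0 (and -0.0) as "1"/"0"
            return str(int(x))
        s = repr(x)  # shortest round-trip digits, as ES6 Number::toString uses
        if "e" in s:  # Python's exponent form ("1e-05") differs from ES6 ("1e-5")
            raise NotImplementedError("exponent-form floats are outside this example's subset")
        return s
    return str(x)

def signing_input_hash(td: dict) -> str:
    """SHA-256 over the canonical UTF-8 bytes, i.e. what a JWS/ld-proof would cover."""
    return hashlib.sha256(canonicalize(td).encode("utf-8")).hexdigest()

# Constructed TD fragments (not from a real Thing): same content, but different
# member order and whitespace in the serialized form.
TD_A = json.loads('{"title": "Lamp", "@context": "https://www.w3.org/2019/wot/td/v1", "security": "nosec_sc"}')
TD_B = json.loads('{"@context":"https://www.w3.org/2019/wot/td/v1","security":"nosec_sc","title":"Lamp"}')
# Same meaning in TD terms, but "security" given as a one-element array instead of a string.
TD_C = dict(TD_A, security=["nosec_sc"])

if __name__ == "__main__":
    print(canonicalize(TD_A))
    print(signing_input_hash(TD_A) == signing_input_hash(TD_B))  # True: JCS absorbs order/whitespace
    print(signing_input_hash(TD_A) == signing_input_hash(TD_C))  # False: array vs single value survives
```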