This specification defines a new proof format for use with Verifiable Credentials.

In addition to meeting the requirements defined in [[RFC8152]], we introduce some additional constraints to eliminate optionality and improve interoperability between implementations.

Introduction

Verifiable Credentials defines a JSON Web Token (JWT) proof format which requires the issuer and verifier to map between JWT Registered Claim Names and the Verifiable Credentials terminology.

This mapping process can be complex, and requires problematic operations such as type conversions for datetime fields. As a result of this complexity, issuers and verifiers can implement the mapping differently, which often leads to cases where interoperability is not present or unexpected security issues are introduced.

This specification introduces a (Content Type) Header Parameter that is used to define the content type for Verifiable Credentials that utilize CBOR Object Signing to provide signing and verification in a Verifiable Credential.

This approach of utilizing a (Content Type) Header Parameter to specify a discrete set of mappings and expected behaviors in translation between formats or representations of data is commonly used in other groups to secure arbitrary content using COSE and other document and data encoding formats. This approach is extensible to other data encodings and may be extended to provide a mechanism for use of CBOR encodings for Verifiable Credentials.

Producing

This specification uses normal approaches to the production and consumption of a COSE_Sign1. For additional details, please see the full breakdown of the process in Signing Objects.
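An added example, not part of this specification: the to-be-signed Sig_structure that RFC 8152 section 4.4 defines for a COSE_Sign1, built with a minimal CBOR encoder to show that a content type carried in the protected header is covered by the signature. Placing the content type in the protected header, the content type string, the ES256 choice, the sample payload and all helper names are assumptions.

```python
import struct

def _head(major: int, n: int) -> bytes:
    """CBOR initial byte(s) for a major type and unsigned argument n."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large")

def cbor(obj) -> bytes:
    """Encode the small CBOR subset that COSE headers and Sig_structure need."""
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(cbor(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(cbor(k) + cbor(v) for k, v in obj.items())
    raise TypeError(type(obj))

ALG, CONTENT_TYPE = 1, 3            # RFC 8152 common header parameter labels
ES256 = -7                          # RFC 8152 algorithm identifier
VC_CTY = "application/example-vc"   # placeholder, not a value from this specification

def protected_header(cty: str = VC_CTY) -> bytes:
    """Serialized protected header; the signature covers these exact bytes."""
    return cbor({ALG: ES256, CONTENT_TYPE: cty})

def sig_structure(protected: bytes, payload: bytes, external_aad: bytes = b"") -> bytes:
    """RFC 8152 section 4.4 to-be-signed bytes for a COSE_Sign1."""
    return cbor(["Signature1", protected, external_aad, payload])

# Constructed sample credential payload, for illustration only.
payload = b'{"type":["VerifiableCredential"]}'
tbs = sig_structure(protected_header(), payload)
```

Because the serialized protected header is one of the four signed elements, changing the content type after signing changes these bytes and the signature no longer verifies.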

Specifically related to the use of COSE_Sign1 with VCs, the following normative requirements MUST be considered in the production of a COSE_Sign1 object.

Consuming

This specification uses normal approaches to the consumption of a COSE_Sign1. For additional details, please see the full breakdown of the process in Signing Objects.

As a part of ensuring interoperability with VCs secured in the manner described in this specification, resolution of public key material must be considered, as a verifier may not have access to the public key.

In order to verify a Verifiable Credential using a COSE_Sign1 proof, the public key associated with the signature needs to be obtained. If the verifier does not already have the public key, it can be obtained through the following process:

Example

This is required for specifications that contain normative material.