This specification defines a new PGP-based proof format for use with Verifiable Credentials.
In addition to meeting the requirements defined in [[RFC4880]], we introduce some additional constraints to eliminate optionality and to improve interoperability and the development experience, in line with similar proof formats.
This specification introduces a simple solution for securing Verifiable Credentials that uses PGP authentication via digital signature to provide signing and verification of a Verifiable Credential.
For additional details, please see the full breakdown of the process in Producing and Consuming PGP Signatures.
Specifically related to the use of PGP with Verifiable Credentials, the following normative requirements MUST be considered in the production of a JWS.
- A `proof` property MUST be present in the credential JSON.
- `proof.type` MUST be present and MUST be a `PGPSignature`.
- `proof.created` MUST be present and MUST be an XMLDateTime.
- `proof.proofPurpose` MUST be present and MUST be one of `authentication` or `assertionMethod`.
- The value of `proof.verificationMethod` MUST be present, and structured as follows: an absolute DID URL that dereferences to a verification method with public key material in `publicKeyPgp`. The `publicKeyPgp` is expected to verify the PGP signature.
As part of ensuring interoperability with Verifiable Credentials secured in the manner described in this specification, resolution of public key material MUST succeed, since a verifier might not already have access to the public key.
In order to verify a Verifiable Credential using a PGP proof, the public key associated with the signature needs to be obtained. If the verifier does not already have the public key, it can be obtained through the following process:
1. Read the `verificationMethod` property of the proof, which MUST be an absolute DID URL.
2. Dereference that DID URL to obtain the verification method and its `publicKeyPgp`.
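A consumer-side check of the requirements above, as an added example that is not part of this specification: it validates the proof against the constraints listed, dereferences the DID URL to `publicKeyPgp` through a caller-supplied DID resolver, and delegates the actual PGP signature check to a caller-supplied function (for instance one wrapping openpgp.js). The `proofValue` field name, the resolver and the verifier callback are assumptions; the specification does not define them.

```javascript
// Added example (not from the specification): enforce the proof constraints above,
// then dereference proof.verificationMethod to publicKeyPgp. Assumed: the signature
// is in proof.proofValue and `verifyPgpSignature` wraps a real PGP library.
const XML_DATETIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?$/;
// Absolute DID URL with a fragment naming the verification method.
const ABSOLUTE_DID_URL = /^did:[a-z0-9]+:[^\s#?]+(\?[^\s#]*)?#\S+$/;
const PROOF_PURPOSES = new Set(["authentication", "assertionMethod"]);

// Check the MUSTs on `proof`; throws on the first violation, returns the proof.
function validatePgpProof(credential) {
  const proof = credential && credential.proof;
  if (!proof || typeof proof !== "object") throw new Error("proof property is missing");
  if (proof.type !== "PGPSignature") throw new Error("proof.type MUST be PGPSignature");
  if (typeof proof.created !== "string" || !XML_DATETIME.test(proof.created) ||
      Number.isNaN(Date.parse(proof.created))) {
    throw new Error("proof.created MUST be an XMLDateTime");
  }
  if (!PROOF_PURPOSES.has(proof.proofPurpose)) {
    throw new Error("proof.proofPurpose MUST be authentication or assertionMethod");
  }
  if (typeof proof.verificationMethod !== "string" ||
      !ABSOLUTE_DID_URL.test(proof.verificationMethod)) {
    throw new Error("proof.verificationMethod MUST be an absolute DID URL");
  }
  return proof;
}

// Dereference the DID URL: resolve the DID part, find the verification method
// whose id equals the full DID URL, and require publicKeyPgp on it.
function resolvePublicKeyPgp(didUrl, resolveDid) {
  const did = didUrl.split(/[?#]/)[0];
  const didDocument = resolveDid(did);
  if (!didDocument) throw new Error(`unable to resolve ${did}`);
  const method = (didDocument.verificationMethod || []).find((m) => m.id === didUrl);
  if (!method || typeof method.publicKeyPgp !== "string") {
    throw new Error(`${didUrl} does not dereference to a publicKeyPgp verification method`);
  }
  return method.publicKeyPgp;
}

// Consumer flow: structural checks, key resolution, then the signature check.
function verifyCredential(credential, resolveDid, verifyPgpSignature) {
  const proof = validatePgpProof(credential);
  const publicKeyPgp = resolvePublicKeyPgp(proof.verificationMethod, resolveDid);
  if (!verifyPgpSignature(credential, proof, publicKeyPgp)) {
    throw new Error("PGP signature did not verify against publicKeyPgp");
  }
  return { verified: true, verificationMethod: proof.verificationMethod };
}
```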
application/credential+json Media Type

This specification registers the application/credential+json MIME media type specifically for identifying documents conforming to the Verifiable Credentials format.

Type name: application
Subtype name: credential+json
Required parameters: None
Optional parameters: profile. The profile parameter for the application/credential+json media type allows one or more profile URIs to be specified. These profile URIs have the identifier semantics defined in [[!RFC6906]]. The "profile" media type parameter MUST be quoted. It contains a non-empty list of space-separated URIs (the profile URIs).

    profile-param = "profile=" profile-value
    profile-value = <"> profile-URI 0*( 1*SP profile-URI ) <">
    profile-URI   = URI

The "URI" in the above grammar refers to the "URI" as defined in Section 3 of [[!RFC3986]].
Encoding considerations: Resources that use the "application/credential+json" media type are required to conform to all of the requirements for the "application/json" media type and are therefore subject to the same encoding considerations specified in Section 11 of [[!RFC7159]].
Security considerations: As defined in this specification.
Contact: Orie Steele <orie@transmute.industries>
Note that while the Verifiable Credentials format uses JSON-LD conventions, there are a number of constraints and additional requirements for Verifiable Credential implementations that justify the use of a specific media type.
Because Verifiable Credentials can be considered a restricted profile of JSON-LD, implementations SHOULD consider the `application/ld+json; profile="https://www.w3.org/ns/credentials"` media type as being equivalent to `application/credential+json`.