Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add w3c-di-attach #809

Merged
merged 10 commits into from
Mar 13, 2024
Merged

Conversation

TimoGlastra
Copy link
Member

Attachment based on the new Data Integrity Proof specification.

Some notable highlights:

  • supports both v1.1 and 2.0 of the specification
  • supports anoncreds offer/request metadata
  • supports did based holder binding using didcomm signed attachments

Signed-off-by: Timo Glastra <[email protected]>
@supersonicwisd1
Copy link

Tested the w3c credentials and presentation vectors from https://github.com/TimoGlastra/anoncreds-w3c-test-vectors/tree/main/test-vectors against the test suite from https://github.com/w3c/vc-data-model-2.0-test-suite and it looking good

Tests passed 8/8 100%
Tests failed 0/8 0%
Failures 0
Tests skipped 0
Total tests 8

Signed-off-by: Timo Glastra <[email protected]>
```jsonc
{
"anoncreds_link_secret": {
"entropy": "<random-entropy>",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think the cred_def_id is missing here aswell


## Motivation

The Issue Credential protocol needs an attachment format to be able to exchange W3C verifiable credentials. It is desirable to make use of specifications developed in an open standards body, such as the [Credential Manifest](https://identity.foundation/credential-manifest/) for which the attachment format is described in [RFC 0511: Credential-Manifest Attachment format](../0511-dif-cred-manifest-attach/README.md). However, the _Credential Manifest_ is not finished and ready yet, and therefore there is a need to bridge the gap between standards.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not crucial, but it seems odd to not mention the 0593 JSON-LD Attachment format in this section -- and that as it is defined it is insufficient for current needs, and the transition from Linked Data Proofs to Data Integrity proofs is also needed.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, will add some extra wording

@swcurran
Copy link
Member

Looks good -- nice work! The pending implementations will allow us to learn about the formats and clarify/adjust this as needed -- either before or after merging.

@TelegramSam
Copy link
Contributor

WG 20240124. In implementation phase now in ACA-Py.

@swcurran
Copy link
Member

@TimoGlastra / @auer-martin -- the last commit you did had non-DCO content. Could you correct that? Thanks!

@TimoGlastra
Copy link
Member Author

Done

@swcurran
Copy link
Member

@TimoGlastra @auer-martin --- anything to add to this after implmenting the attachments? All good?

Thanks!

@auer-martin
Copy link
Contributor

I think everything should be fine.

Copy link
Contributor

@TelegramSam TelegramSam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed WG 20240313. Approved for merge.

@swcurran swcurran merged commit 6ab7e13 into hyperledger:main Mar 13, 2024
1 check passed

## Rationale and alternatives

[RFC 0593: JSON-LD Credential Attachment](https://github.com/hyperledger/aries-rfcs/blob/main/features/0593-json-ld-cred-attach/README.md), [W3C VC API](https://w3c-ccg.github.io/vc-api/) allows issuance of credentials using only linked data signatures, while [RFC 0592: Indy Attachment](https://github.com/hyperledger/aries-rfcs/blob/main/features/0592-indy-attachments/README.md) supports issuance of AnonCreds credentials. This attachment format aims to support issuance of both previous attachment formats (while for AnonCreds it now being in the W3C model), as well as supporting additional features such as issuance W3C JWT VCs, credentials with multiple proofs, and cryptographic binding of the credential to the holder.
Copy link

@msporny msporny Apr 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

allows issuance of credentials using only linked data signatures

The capabilities of the VC API are expanding. We wanted to start with a concrete end-to-end flow using a narrow profile (just Data Integrity Proofs and W3C VCDM), but given that the VCDM v2.0 now supports arbitrary credential formats, and given that those arbitrary credential formats can (theoretically) just slot into the VC API (the verifiableCredential and verifiablePresentation objects can contain arbitrary credential formats, it is (theoretically) possible to use the VC API to issue/verify/derive alternate credential formats.

We still need to do a lot of work to make that clear in the specification, and we're behind on the VC API because all of our effort is going into completing VCDM v2.0 and Data Integrity v1.0 now. Once that's done (in the next couple of months), we'll shift our focus into opening the aperature for the VC API. @PatStLouis is engaged over there and so I expect that we'll be able to align given his engagement in multiple groups.

I don't think this changes the very good work that each of you are doing... just signalling a direction if it helps to coordinate on this aspect.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The credential attachment outlined here is specific to didcomm issuance/requests. While the json-ld attachment was initially designed around the vc-api, this was back in 2019 and does not represent the current state of the specification. However, the vc-api will still have shortcomming when dealing with holder binding negotiations (such as requesting a holder link secret bind with the anoncreds-2023 crypto suite).

From what I see the attachment proposed removed the options field in favor of the following:

{
  "data_model_versions_supported": ["1.1", "2.0"],
  "binding_required": true,
  "binding_method": {
    "anoncreds_link_secret": {
      "nonce": "1234",
      "cred_def_id": "did:key:z6MkwXG2WjeQnNxSoynSGYU8V9j3QzP3JSqhdmkHc6SaVWoT/credential-definition",
      "key_correctness_proof": "<key_correctness_proof>"
    },
    "didcomm_signed_attachment": {
      "algs_supported": ["EdDSA"],
      "did_methods_supported": ["key", "web"],
      "nonce": "1234"
    }
  }
}

There is a lot of format negotiation included in the didcomm issuance rfc which is not really in line with the prescriptive approach of the vc-api model. This being said, these fields could be included as options in a vc-api workflow without issue.

The credential omissions in this rfc are in line with what is discussed during the vc api calls:

  • issuer
  • issuanceDate
  • credentialSubject.id
  • credentialStatus

afaik this is aligning nicely with the direction of the vc-api

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants