index.html

<!DOCTYPE html>
<html>
<head>
    <title>Controller Documents 1.0</title>
    <meta http-equiv='Content-Type' content='text/html;charset=utf-8'/>
    <!--
      === NOTA BENE ===
      For the three scripts below, if your spec resides on dev.w3 you can check them
      out in the same tree and use relative links so that they'll work offline,
     -->
    <script src='//www.w3.org/Tools/respec/respec-w3c' class='remove'></script>
    <script class='remove' src="./common.js"></script>
    <script class="remove"
      src="https://cdn.jsdelivr.net/gh/digitalbazaar/respec-vc@3.1.0/dist/main.js"></script>

    <script type="text/javascript" class="remove">
      var respecConfig = {
          // specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
          specStatus:           "ED",

          // the specification's short name, as in http://www.w3.org/TR/short-name/
          shortName:            "controller-document",

          // subtitle
          //subtitle: "Controller Documents",

          // if you wish the publication date to be other than today, set this
          //publishDate:  "2024-05-23",

          // if there is a previously published draft, uncomment this and set its YYYY-MM-DD date
          // and its maturity status
          // previousPublishDate:  "1977-03-15",
          // previousMaturity:  "WD",

          // if there a publicly available Editor's Draft, this is the link
          edDraftURI:           "https://w3c.github.io/controller-document/",

          // if this is a LCWD, uncomment and set the end of its review period
          //implementationReportURI: "https://w3c.github.io/vc-data-integrity/implementations/",
          //crEnd: "2024-01-07",

          // if you want to have extra CSS, append them to this list
          // it is recommended that the respec.css stylesheet be kept
          //extraCSS:             ["spec.css", "prettify.css"],

          // editors, add as many as you like
          // only "name" is required
          editors: [{
            name: "Manu Sporny", url: "https://digitalbazaar.com/",
            company: "Digital Bazaar", companyURL: "http://digitalbazaar.com/",
            w3cid: 41758
          }, { name: "Michael B. Jones", url: "https://self-issued.info/",
            company: "independent",
            w3cid: 38745}],

          // authors, add as many as you like.
          // This is optional, uncomment if you have authors as well as editors.
          // only "name" is required. Same format as editors.

          authors: [
            {
              name: "Dave Longley",
              url: "http://digitalbazaar.com/",
              company: "Digital Bazaar",
              companyURL: "http://digitalbazaar.com/"
            },
            {
              name: "Manu Sporny",
              url: "http://digitalbazaar.com/",
              company: "Digital Bazaar",
              companyURL: "http://digitalbazaar.com/"
            },
            {
              name: "Markus Sabadello",
              url: "https://www.linkedin.com/in/markus-sabadello-353a0821",
              company: "Danube Tech",
              companyURL: "https://danubetech.com/",
              w3cid: 46729
            },
            {
              name: "Drummond Reed",
              url: "https://www.linkedin.com/in/drummondreed/",
              company: "Evernym/Avast",
              companyURL: "https://www.evernym.com/",
              w3cid: 3096
            },
            {
              name: "Orie Steele",
              url: "https://www.linkedin.com/in/or13b/",
              company: "Transmute",
              companyURL: "https://transmute.industries/"
            },
            {
              name: "Christopher Allen",
              url: "https://www.linkedin.com/in/christophera",
              company: "Blockchain Commons",
              companyURL: "https://www.BlockchainCommons.com",
              w3cid: 85560
            }
          ],

          // extend the bibliography entries
          //localBiblio: webpayments.localBiblio,

          // name of the WG
          group:           "vc",

          // name (with the @w3c.org) of the public mailing to which comments are due
          wgPublicList: "public-vc-wg",

          github: "w3c/controller-document",

          // URI of the patent status for this WG, for Rec-track documents
          // !!!! IMPORTANT !!!!
          // This is important for Rec-track documents, do not copy a patent URI from a random
          // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
          // Team Contact.
          //wgPatentURI:  "",
          xref: ["URL", "I18N-GLOSSARY", "INFRA", "VC-DATA-MODEL-2.0"],
          maxTocLevel: 3,
          /*preProcess: [ ],
          alternateFormats: [ {uri: "diff-20111214.html", label: "diff to previous version"} ],
          */
          localBiblio:  {
            "DI-EDDSA": {
              title:    "The Edwards Digital Signature Algorithm Cryptosuites v1.0",
              href:     "https://www.w3.org/TR/vc-di-eddsa/",
              authors:  ["David Longley", "Manu Sporny", "Dmitri Zagidulin"],
              status:   "WD",
              publisher:  "W3C Verifiable Credentials Working Group"
            },
            "DI-ECDSA": {
              title:    "The Elliptic Curve Digital Signature Algorithm Cryptosuites v1.0",
              href:     "https://www.w3.org/TR/vc-di-ecdsa/",
              authors:  ["David Longley", "Manu Sporny", "Marty Reed"],
              status:   "WD",
              publisher:  "W3C Verifiable Credentials Working Group"
            },
            "DI-BBSDSA": {
              title:    "The BBS Digital Signature Algorithm Cryptosuites v1.0",
              href:     "https://www.w3.org/TR/vc-di-bbs/",
              authors:  ["Tobias Looker", "Orie Steele"],
              status:   "WD",
              publisher:  "W3C Verifiable Credentials Working Group"
            },
            "JOSE-REGISTRIES": {
              title:    "The JSON Object Signing and Encryption (JOSE) Registries",
              href:     "https://www.iana.org/assignments/jose",
              authors:  ["The Internet Assigned Numbers Authority"],
              status:   "REC",
              publisher:  "The Internet Assigned Numbers Authority"
            },
            "SECURITY-VOCABULARY": {
              title:    "The Security Vocabulary",
              href:     "https://w3id.org/security",
              authors:  ["Ivan Herman", "Manu Sporny","David Longley"],
              status:   "ED",
              publisher:  "Verifiable Credentials Working Group"
            },
            "ZCAP": {
              title:    "Authorization Capabilities for Linked Data",
              href:     "https://w3c-ccg.github.io/zcap-spec/",
              status:   "CGDRAFT",
              publisher:  "Credentials Community Group"
            },
            "MULTIBASE": {
              title: "The Multibase Data Format",
              date: "February 2023",
              href: "https://datatracker.ietf.org/doc/draft-multiformats-multibase",
              authors: [
                "Juan Benet",
                "Manu Sporny"
              ],
              status: "Internet-Draft",
              publisher: "IETF"
            },
            "MULTIHASH": {
              title: "The Multihash Data Format",
              date: "February 2023",
              href: "https://datatracker.ietf.org/doc/draft-multiformats-multihash",
              authors: [
                "Juan Benet",
                "Manu Sporny"
              ],
              status: "Internet-Draft",
              publisher: "IETF"
            },
            "MULTICODEC": {
              title: "The Multi Codec Encoding Scheme",
              date: "February 2022",
              href: "https://github.com/multiformats/multicodec/blob/master/table.csv",
              authors: [
                "The Multiformats Community"
              ],
              status: "Internet-Draft",
              publisher: "IETF"
            },
            "VC-SPECS": {
              title: "Verifiable Credential Specifications Directory",
              href: "https://w3c.github.io/vc-specs-dir/",
              authors: [
                "Manu Sporny"
              ],
              status: "ED",
              publisher: "W3C Verifiable Credentials Working Group"
            },
            "DID-KEY": {
              title: "The did:key Method",
              href: "https://w3c-ccg.github.io/did-method-key/",
              authors: [
                "Manu Sporny",
                "Dmitri Zagidulin",
                "Dave Longley",
                "Orie Steele"
              ],
              status: "CG-DRAFT",
              publisher: "W3C Credentials Community Group"
            },
            "SHA3": {
              title: "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions",
              href: "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf",
              authors: [
                "National Institute of Standards and Technology",
              ],
              status: "National Standard",
              publisher: "U.S. Department of Commerce"
            },
            "SD-JWT": {
              title:    "Selective Disclosure for JWTs (SD-JWT)",
              href:     "https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/",
              authors: [
                "Daniel Fett",
                "Kristina Yasuda",
                "Brian Campbell"
              ],
              status:   "I-D",
              publisher:  "The IETF OAuth Working Group"
            },
            "PRIVACY-BY-DESIGN": {
              title: "Privacy by Design",
              href: "https://iapp.org/media/pdf/resource_center/pbd_implement_7found_principles.pdf",
              authors: [
                "Ann Cavoukian"
              ],
              date: "2011",
              publisher: "Information and Privacy Commissioner"
            },
          },
          postProcess: [window.respecVc.createVcExamples],
          otherLinks: [{
            key: "Related Specifications",
            data: [{
              value: "Decentralized Identifiers v1.0",
              href: "https://www.w3.org/TR/did-core/"
            }, {
              value: "The Verifiable Credentials Data Model v2.0",
              href: "https://www.w3.org/TR/vc-data-model-2.0/"
            }, {
              value: "Data Integrity v1.0",
              href: "https://www.w3.org/TR/vc-data-integrity/"
            }, {
              value: "Securing Verifiable Credentials using JOSE and COSE",
              href: "https://www.w3.org/TR/vc-jose-cose/"
            }]
          }]
      };
    </script>
    <style>
code {
  color: rgb(199, 73, 0);
  font-weight: bold;
}
pre.nohighlight {
  overflow-x: auto;
  white-space: pre-wrap;
}
ol.algorithm { counter-reset:numsection; list-style-type: none; }
ol.algorithm li { margin: 0.5em 0; }
ol.algorithm li:before { font-weight: bold; counter-increment: numsection; content: counters(numsection, ".") ") "; }
table.simple {
    border-collapse: collapse;
    margin: 25px 0;
    min-width: 400px;
    border: 1px solid #dddddd;
}
table.simple thead tr {
    background-color: #005a9c;
    color: #ffffff;
    text-align: left;
}
table.simple th,
table.simple td {
    padding: 12px 15px;
    vertical-align: top;
    text-align: left;
}
table.simple tbody tr {
    border-bottom: 1px solid #dddddd;
}
table.simple tbody tr:nth-of-type(even) {
    background-color: #00000008;
}
table.simple tbody tr:last-of-type {
    border-bottom: 2px solid #005a9c;
}
    </style>
</head>
<body>
    <section id='abstract'>
      <p>
A [=controller document=] is a set of data that specifies one or more
relationships between a [=controller=] and a set of data, such as a set of
public cryptographic keys.
      </p>
    </section>

    <section id='sotd'>

    </section>

    <section class="informative">
      <h2>Introduction</h2>
      <p>
A [=controller document=] is a set of data that specifies one or more
relationships between a [=controller=] and a set of data, such as a set of
public cryptographic keys. The [=controller document=] SHOULD
contain [=verification relationships=] that explicitly permit the use of
certain [=verification methods=] for specific purposes.
      </p>
      <p>
It is expected that other specifications using this specification
will profile the features that it defines,
requiring and/or recommending the use of some and
prohibiting and/or deprecating the use of others.
      </p>

      <section id="conformance">
        <p>
A <dfn>conforming controller document</dfn> is any concrete expression of the
data model that follows the relevant normative requirements in Sections
[[[#data-model]]] and [[[#contexts-and-vocabularies]]].
        </p>

        <p>
A <dfn>conforming verification method</dfn> is any concrete expression of the
data model that follows the relevant normative requirements in Sections
[[[#verification-methods]]] and
[[[#contexts-and-vocabularies]]].
        </p>

        <p>
A <dfn class="lint-ignore">conforming document</dfn> is either a
[=conforming controller document=], or a
[=conforming verification method=].
        </p>

        <p>
A <dfn class="lint-ignore">conforming processor</dfn> is any algorithm realized
as software and/or hardware that generates and/or consumes a
[=conforming document=] according to the relevant normative statements in
Section [[[#algorithms]]]. Conforming processors MUST produce errors
when non-conforming documents are consumed.
        </p>

      </section>

      <section class="informative">
        <h3>Terminology</h3>

        <p>
This section defines the terms used in this specification. A link to the relevant
definition is included whenever one of these terms appears in this specification.
        </p>

        <dl class="termlist definitions" data-sort="ascending">

          <dt><dfn>public key</dfn></dt>
          <dd>
Cryptographic material that can be used to verify digital proofs created with a
corresponding [=private key=].
          </dd>

          <dt><dfn>private key</dfn></dt>
          <dd>
Cryptographic material that can be used to generate digital proofs.
          </dd>

          <dt><dfn data-lt="authenticated|authenticate">authentication</dfn></dt>
          <dd>
A process by which an entity can prove to a verifier that it has a specific
attribute or controls a specific secret.
          </dd>

          <dt><dfn class="export" data-lt="cryptosuite">cryptographic suite</dfn></dt>
          <dd>
A specification defining how to use specific cryptographic primitives
to achieve a particular security goal. These documents are often used
to specify [=verification methods=], digital signature types,
their identifiers, and other related properties.<!--  See Section -->
<!-- [[[#cryptographic-suites]]] for further detail. -->
          </dd>

          <dt><dfn class="export" data-lt="controller(s)|Controllers">controller</dfn></dt>
          <dd>
An entity that has the capability to make changes to a
[=controller document=].
          </dd>

          <dt><dfn class="export">controller document</dfn></dt>
          <dd>
A set of data that specifies one or more relationships between a
[=controller=] and a set of data, such as a set of public cryptographic keys.
          </dd>

          <dt><dfn data-lt="subjects">subject</dfn></dt>
          <dd>
The entity identified by the `id` property in a [=controller document=].
Anything can be a subject: person, group, organization, physical thing, digital
thing, logical thing, etc.
          </dd>

          <dt><dfn class="export">verification method</dfn></dt>
          <dd>
            <p>
A set of parameters that can be used together with a process to independently
verify a proof. For example, a cryptographic public key can be used as a
verification method with respect to a digital signature; in such use, it
verifies that the signer possessed the associated cryptographic private key.
            </p>
            <p>
"Verification" and "proof" in this definition are intended to apply broadly. For
example, a cryptographic public key might be used during Diffie-Hellman key
exchange to negotiate a shared symmetric key for encryption. This guarantees the
integrity of the key agreement process. It is thus another type of verification
method, even though descriptions of the process might not use the words
"verification" or "proof."
            </p>
          </dd>

          <dt><dfn class="export">verification relationship</dfn></dt>
          <dd>
            <p>
An expression of the relationship between a [=subject=] and a
[=verification method=]. One example of a verification relationship is
[[[#authentication]]].
            </p>
          </dd>

        </dl>

      </section>
    </section>

      <section>
        <h3>Data Model</h3>

        <p>
A [=controller document=] is a set of data that specifies one or more
relationships between a [=controller=] and a set of data, such as a set of
public cryptographic keys. The [=controller document=] SHOULD
contain [=verification relationships=] that explicitly permit the use of
certain [=verification methods=] for specific purposes.
        </p>

        <div class="issue">
Add examples of common Controller documents.
        </div>

        <p class="note"
           title="Property names used in map of different types">
The property names `id`, `type`, and `controller` can be present in map of
different types with possible differences in constraints.
        </p>

        <section>
          <h2>Controller Documents</h2>

          <p>
The following sections define the properties in a [=controller document=],
including whether these properties are required or optional. These properties
describe relationships between the [=subject=] and the value of the
property.
          </p>

          <p>
The following tables contain informative references for the core properties
defined by this specification, with expected values, and whether or not they are
required. The property names in the tables are linked to the normative
definitions and more detailed descriptions of each property.
          </p>

          <table class="simple">
            <thead>
              <tr>
                <th>Property</th>
                <th>Required?</th>
                <th>Value constraints</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td>`id`</td>
                <td>yes</td>
                <td>
A <a data-cite="INFRA#string">string</a> that conforms to the URL syntax
defined in Section [[[#subjects]]].
                </td>
              </tr>
              <tr>
                <td>`alsoKnownAs`</td>
                <td>no</td>
                <td>
A <a data-cite="INFRA#ordered-set">set</a> of
<a data-cite="INFRA#string">strings</a> that conform to the rules of
[[RFC3986]] for URIs as defined in Section [[[#also-known-as]]].
                </td>
              </tr>
              <tr>
                <td>`controller`</td>
                <td>no</td>
                <td>
A <a data-cite="INFRA#string">string</a> or a
<a data-cite="INFRA#ordered-set">set</a> of
<a data-cite="INFRA#string">strings</a>, each of which conforms to the URL syntax
defined in the [[[URL]]] as defined in Section [[[#controllers]]].
                </td>
              </tr>
              <tr>
                <td>`verificationMethod`</td>
                <td>no</td>
                <td>
A <a data-cite="INFRA#ordered-set">set</a> of
[=verification method=] <a data-cite="INFRA#ordered-map">maps</a>
that conform to the rules in Section [[[#verification-methods]]].
                </td>
              </tr>
              <tr>
                <td>`authentication`</td>
                <td>no</td>
                <td>
A <a data-cite="INFRA#ordered-set">set</a> of
[=verification method=] <a data-cite="INFRA#ordered-map">maps</a>
that conform to the rules in Section [[[#authentication]]]; or a
a <a data-cite="INFRA#ordered-set">set</a> of
<a data-cite="INFRA#string">strings</a>, each of which conforms to the URL syntax
defined in the [[[URL]]].
                </td>
              </tr>
              <tr>
                <td>`assertionMethod`</td>
                <td>no</td>
                <td>
A <a data-cite="INFRA#ordered-set">set</a> of
[=verification method=] <a data-cite="INFRA#ordered-map">maps</a>
that conform to the rules in Section [[[#assertion]]]; or a
a <a data-cite="INFRA#ordered-set">set</a> of
<a data-cite="INFRA#string">strings</a>, each of which conforms to the URL syntax
defined in the [[[URL]]].
                </td>
              </tr>
              <tr>
                <td>`keyAgreement`</td>
                <td>no</td>
                <td>
A <a data-cite="INFRA#ordered-set">set</a> of
[=verification method=] <a data-cite="INFRA#ordered-map">maps</a>
that conform to the rules in Section [[[#key-agreement]]]; or a
a <a data-cite="INFRA#ordered-set">set</a> of
<a data-cite="INFRA#string">strings</a>, each of which conforms to the URL syntax
defined in the [[[URL]]].
                </td>
              </tr>
              <tr>
                <td>`capabilityInvocation`</td>
                <td>no</td>
                <td>
A <a data-cite="INFRA#ordered-set">set</a> of
[=verification method=] <a data-cite="INFRA#ordered-map">maps</a>
that conform to the rules in Section [[[#capability-invocation]]]; or a
a <a data-cite="INFRA#ordered-set">set</a> of
<a data-cite="INFRA#string">strings</a>, each of which conforms to the URL syntax
defined in the [[[URL]]].
                </td>
              </tr>
              <tr>
                <td>`capabilityDelegation`</td>
                <td>no</td>
                <td>
A <a data-cite="INFRA#ordered-set">set</a> of
[=verification method=] <a data-cite="INFRA#ordered-map">maps</a>
that conform to the rules in Section [[[#capability-delegation]]]; or a
a <a data-cite="INFRA#ordered-set">set</a> of
<a data-cite="INFRA#string">strings</a>, each of which conforms to the URL syntax
defined in the [[[URL]]].
                </td>
              </tr>
            </tbody>
          </table>

          <section>
            <h3>Subjects</h3>
            <p>
The identifier for a particular [=subject=] is expressed using the
`id` property in the [=controller document=].
            </p>

            <dl>
              <dt>id</dt>
              <dd>
The value of `id` MUST be a <a data-cite="INFRA#string">string</a>
that conforms to the rules in the [[[URL]]].
              </dd>
            </dl>

            <p>
A [=controller document=] MUST contain an `id` value in the
root <a data-cite="INFRA#ordered-map">map</a>.
            </p>

            <pre class="example nohighlight">
{
  "id": "https://controller.example/123"
}
            </pre>

            <p>
The `id` property only denotes the identifier of the [=subject=] when it is
present in the <em>topmost</em>
<a data-cite="INFRA#ordered-map">map</a> of the [=controller document=].
            </p>

          </section>

          <section>
            <h3>Controllers</h3>

            <p>
A [=controller=] is an entity that is authorized to make changes to a
[=controller document=].
            </p>

            <dl>
              <dt>controller</dt>
              <dd>
The `controller` property is OPTIONAL. If present, its value MUST
be a <a data-cite="INFRA#string">string</a> or a <a
data-cite="INFRA#ordered-set">set</a> of <a
data-cite="INFRA#string">strings</a>, each of which conforms to the rules in
the [[[URL]]]. The corresponding [=controller document=](s) SHOULD
contain [=verification relationships=] that explicitly permit the use of
certain [=verification methods=] for specific purposes. If the `controller`
property is not present, the value expressed by the `id` property MUST be
treated as if it were also set as the value of the `controller` property.
              </dd>
            </dl>

            <p>
When a `controller` property is present in a [=controller document=], its
value expresses one or more identifiers. Any [=verification methods=] contained
in the [=controller documents=] for those identifiers SHOULD
be accepted as authoritative, such that proofs that satisfy those
[=verification methods=] are considered equivalent to proofs provided
by the [=subject=].
            </p>

            <pre class="example nohighlight"
              title="Controller document with a controller property">
{
  "@context": "https://www.w3.org/ns/controller/v1",
  "id": "https://controller1.example/123",
  "controller": "https://controllerB.example/abc",
}
            </pre>

            <p class="note" title="Authorization vs authentication">
Note that authorization provided by the value of `controller` is
separate from authentication as described in Section [[[#authentication]]].
This is particularly important for key recovery in the cases of cryptographic key
loss, where the [=subject=] no longer has access to their keys, or cryptographic
key compromise, where the [=controller=]'s trusted third parties need to
override malicious activity by an attacker. See [[[#security-considerations]]]
for information related to threat models and attack vectors.
            </p>
          </section>

          <section>
            <h3>Also Known As</h3>

            <p>
A [=subject=] can have multiple identifiers that are used for different purposes
or at different times. The assertion that two or more identifiers (or other types
of URI) refer to the same [=subject=] can be made using the
`alsoKnownAs` property.
            </p>

            <dl>
              <dt>alsoKnownAs</dt>
              <dd>
The `alsoKnownAs` property is OPTIONAL. If present, its value MUST
be a <a data-cite="INFRA#ordered-set">set</a> where each item in the
set is a URI conforming to [[RFC3986]].
              </dd>
              <dd>
This relationship is a statement that the subject of this identifier is
also identified by one or more other identifiers.
              </dd>
            </dl>

            <div class="note" title="Equivalence and alsoKnownAs">
              <p>
Applications might choose to consider two identifiers related by `alsoKnownAs`
to be equivalent <em>if</em> the `alsoKnownAs` relationship expressed in the
controller document of one [=subject=] is also expressed in the reverse direction
(i.e., reciprocated) in the controller document of the other [=subject=]. It is
best practice <em>not</em> to consider them
equivalent in the absence of this reciprocating relationship. In other words,
the presence of an `alsoKnownAs` assertion does not prove that this assertion
is true. Therefore, it is strongly advised that a requesting party obtain
independent verification of an `alsoKnownAs` assertion.
              </p>
              <p>
Given that the [=subject=] might use different identifiers for different
purposes, such as enhanced privacy protection, an expectation of strong
equivalence between the two identifiers, or taking action to
merge the information from the two corresponding [=controller documents=], is
not necessarily appropriate, <em>even with</em> a reciprocal relationship.
              </p>
            </div>

          </section>

        </section>

        <section>
          <h2>Verification Methods</h2>
          <p>
A [=controller document=] can express [=verification methods=], such as
cryptographic [=public keys=], which can be used to [=authenticate=] or
authorize interactions with the [=controller=] or associated parties. For
example, a cryptographic [=public key=] can be used as a <a>verification
method</a> with respect to a digital signature; in such use, it verifies that
the signer could use the associated cryptographic private key. <a>Verification
methods</a> might take many parameters. An example of this is a set of five
cryptographic keys from which any three are required to contribute to a
cryptographic threshold signature.
          </p>

          <dl>
            <dt><dfn class="lint-ignore">verificationMethod</dfn></dt>
            <dd>
              <p>
The `verificationMethod` property is OPTIONAL. If present, the value
MUST be a <a data-cite="INFRA#ordered-set">set</a> of <a>verification
methods</a>, where each [=verification method=] is expressed using a <a
data-cite="INFRA#ordered-map">map</a>. The [=verification method=] <a
data-cite="INFRA#ordered-map">map</a> MUST include the `id`,
`type`, `controller`, and specific verification material
properties that are determined by the value of `type` and are defined
in [[[#verification-material]]]. A [=verification method=] MAY
include additional properties.
<!-- VC-DATA-INTEGRITY-SPECIFIC:
[=Verification methods=] SHOULD be registered
in the Data Integrity Specification Registries [TBD - DIS-REGISTRIES].
-->
              </p>

              <dl>
                <dt>id</dt>
                <dd>
                  <p>
The value of the `id` property for a [=verification method=]
MUST be a <a data-cite="INFRA#string">string</a> that
conforms to the [[URL]] syntax.
                  </p>
                </dd>
                <dt>type</dt>
                <dd>
The value of the `type` property MUST be a <a
data-cite="INFRA#string">string</a> that references exactly one <a>verification
method</a> type.
<!-- VC-DATA-INTEGRITY-SPECIFIC:
In order to maximize global interoperability, the
[=verification method=] type SHOULD be registered in the Data Integrity Specification
Registries [TBD -- DIS-REGISTRIES].
-->
<!-- VC-JOSE-COSE-SPECIFIC:
To maximize interoperability, the
[=verification method=] type SHOULD be `JsonWebKey`.
-->
                </dd>
                <dt><span id="defn-controller">controller</span></dt>
                <dd>
The value of the `controller` property MUST be a <a
data-cite="INFRA#string">string</a> that conforms to the [[URL]] syntax.
                </dd>
<!-- VC-DATA-INTEGRITY-SPECIFIC:
                <dt id="defn-vm-expires">expires</dt>
                <dd>
The `expires` property is OPTIONAL. It is set, in advance, by the
[=controller=] of a  [=verification method=] to signal when that method
can no longer be used for verification purposes. If provided, it MUST be an
[[XMLSCHEMA11-2]] `dateTimeStamp` string specifying when the
[=verification method=] SHOULD cease to be used. Once the value is set, it is
not expected to be updated, and systems depending on the value are expected to
not verify any proofs associated with the [=verification method=] at or after
the time of expiration.
                </dd>
-->
                <dt><dfn class="lint-ignore">revoked</dfn></dt>
                <dd>
The `revoked` property is OPTIONAL.
<!-- VC-DATA-INTEGRITY-SPECIFIC:
It is set by the [=controller=] of a
[=verification method=] to signal when that method is to no longer to be used
for verification purposes, such as after a security compromise of the
[=verification method=].
-->
If present, it MUST be an [[XMLSCHEMA11-2]]
`dateTimeStamp` string specifying when the [=verification method=]
SHOULD cease to be used. Once the value is set, it is not expected to be
updated, and systems depending on the value are expected to not verify any
proofs associated with the [=verification method=] at or after the time of
revocation.
                </dd>
              </dl>
            </dd>
          </dl>

          <pre class="example nohighlight"
            title="Example verification method structure">
    {
      "@context": [
        "https://www.w3.org/ns/controller/v1",
        "https://www.w3.org/ns/credentials/v2",
        "https://w3id.org/security/jwk/v1",
        "https://w3id.org/security/data-integrity/v2"
      ]
      "id": "https://controller.example/123456789abcdefghi",
      <span class="comment">...</span>
      "verificationMethod": [{
        "id": <span class="comment">...</span>,
        "type": <span class="comment">...</span>,
        "controller": <span class="comment">...</span>,
        "publicKeyJwk": <span class="comment">...</span>
      }, {
        "id": <span class="comment">...</span>,
        "type": <span class="comment">...</span>,
        "controller": <span class="comment">...</span>,
        "publicKeyMultibase": <span class="comment">...</span>
      }]
    }
          </pre>

          <p class="note"
            title="Verification method controller(s) and controller(s)">
The semantics of the `controller` property are the same when the
subject of the relationship is the [=controller document=] as when the subject of
the relationship is a [=verification method=], such as a cryptographic public
key. Since a key can't control itself, and the key controller cannot be inferred
from the [=controller document=], it is necessary to explicitly express the identity
of the controller of the key. The difference is that the value of
`controller` for a [=verification method=] is <em>not</em>
necessarily a [=controller=]. [=Controllers=] are expressed
using the `controller` property at the highest level of the
[=controller document=].
          </p>

          <section>
            <h3>Verification Material</h3>

            <p>
Verification material is any information that is used by a process that applies
a [=verification method=]. The `type` of a [=verification method=] is
expected to be used to determine its compatibility with such processes. Examples
of verification methods include `JsonWebKey` and `Multikey`.
A [=cryptographic suite=] specification is responsible for specifying the
[=verification method=] `type` and its associated verification material
format. For examples, see
<a href="https://www.w3.org/TR/vc-jose-cose/">Securing Verifiable Credentials using JOSE and COSE</a>,
<a href="https://www.w3.org/TR/vc-di-ecdsa/">the Data Integrity ECDSA
Cryptosuites</a> and <a href="https://w3c-ccg.github.io/lds-ed25519-2020/">
the Data Integrity EdDSA Cryptosuites</a>.
<!-- VC-DATA-INTEGRITY-SPECIFIC:
For a list of <a>verification
method</a> types, please see the [[?SECURITY-VOCABULARY]].
-->
            </p>

            <p>
To increase the likelihood of interoperable implementations, this specification
limits the number of formats for expressing verification material in a
[=controller document=]. The fewer formats that implementers have to
implement, the more likely it will be that they will support all of them. This
approach attempts to strike a delicate balance between easing implementation
and providing support for formats that have historically had broad deployment.
            </p>

            <p>
A [=verification method=] MUST NOT contain multiple verification material
properties for the same material. For example, expressing key material in a
[=verification method=] using both `publicKeyJwk` and
`publicKeyMultibase` at the same time is prohibited.
            </p>

            <p>
Implementations MAY convert keys between formats as desired for operational purposes or
to interface with cryptographic libraries. As an internal implementation detail, such
conversion MUST NOT affect the external representation of key material.
            </p>

            <p>
An example of a [=controller document=] containing <a>verification
methods</a> using both properties above is shown below.
            </p>

            <pre id="example-various-verification-method-types"
              class="example nohighlight"
              title="Verification methods using publicKeyJwk and publicKeyMultibase">
    {
      "@context": [
        "https://www.w3.org/ns/controller/v1",
        "https://www.w3.org/ns/credentials/v2",
        "https://w3id.org/security/jwk/v1",
        "https://w3id.org/security/multikey/v1"
      ]
      "id": "https://controller.example/123456789abcdefghi",
      <span class="comment">...</span>
      "verificationMethod": [{
        "id": "https://controller.example/123#_Qq0UL2Fq651Q0Fjd6TvnYE-faHiOpRlPVQcY_-tA4A",
        "type": "JsonWebKey", <span class="comment">// external (property value)</span>
        "controller": "https://controller.example/123",
        "publicKeyJwk": {
          "crv": "Ed25519", <span class="comment">// external (property name)</span>
          "x": "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ", <span class="comment">// external (property name)</span>
          "kty": "OKP", <span class="comment">// external (property name)</span>
          "kid": "_Qq0UL2Fq651Q0Fjd6TvnYE-faHiOpRlPVQcY_-tA4A" <span class="comment">// external (property name)</span>
        }
      }, {
        "id": "https://controller.example/123456789abcdefghi#keys-1",
        "type": "Multikey", <span class="comment">// external (property value)</span>
        "controller": "did:example:pqrstuvwxyz0987654321",
        "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
      }],
      <span class="comment">...</span>
    }
            </pre>
          </section>

          <section>
            <h3>Multikey</h3>
            <p>
The Multikey data model is a specific type of [=verification method=] that
encodes key types into a single binary stream that is then encoded as a
Multibase value as described in Section [[[#multibase-0]]].
            </p>

            <p>
When specifying a `Multikey`, the object takes the following form:
            </p>

            <dl>
              <dt>type</dt>
              <dd>
The value of the `type` property MUST contain the string `Multikey`.
              </dd>
              <dt><dfn class="lint-ignore">publicKeyMultibase</dfn></dt>
              <dd>
The `publicKeyMultibase` property is OPTIONAL. If present, its value MUST be a
Multibase encoded value as described in Section [[[#multibase-0]]].
              </dd>
              <dt><dfn class="lint-ignore">secretKeyMultibase</dfn></dt>
              <dd>
The `secretKeyMultibase` property is OPTIONAL. If present, its value MUST be a
Multibase encoded value as described in Section [[[#multibase-0]]].
              </dd>
            </dl>

            <p>
The example below expresses an Ed25519 public key using the format defined
above:
            </p>

            <pre class="example nohighlight"
              title="Multikey encoding of a Ed25519 public key">
{
  "@context": ["https://w3id.org/security/multikey/v1"],
  "id": "https://controller.example/123456789abcdefghi#keys-1",
  "type": "Multikey",
  "controller": "https://controller.example/123456789abcdefghi",
  "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
}
            </pre>

            <p>
The public key values are expressed using the rules in the table below:
            </p>

            <table class="simple">
              <thead>
                <th>Key type</th>
                <th>Description</th>
              </thead>
              <tbody>
                <tr>
                  <td>ECDSA 256-bit public key</td>
                  <td>
The Multikey encoding of a P-256 public key MUST start with the two-byte prefix
`0x8024` (the varint expression of `0x1200`) followed by the 33-byte compressed
public key data. The resulting 35-byte value MUST then be encoded using the
base-58-btc alphabet, according to Section [[[#multibase-0]]], and then
prepended with the base-58-btc Multibase header (`z`).
                  </td>
                </tr>
                <tr>
                  <td>ECDSA 384-bit public key</td>
                  <td>
The encoding of a P-384 public key MUST start with the two-byte prefix `0x8124`
(the varint expression of `0x1201`) followed by the 49-byte compressed public
key data. The resulting 51-byte value is then encoded using the base-58-btc
alphabet, according to Section [[[#multibase-0]]], and then prepended with the
base-58-btc Multibase header (`z`).
                  </td>
                </tr>
                <tr>
                  <td>Ed25519 256-bit public key</td>
                  <td>
The encoding of an Ed25519 public key MUST start with the two-byte prefix
`0xed01` (the varint expression of `0xed`), followed by the 32-byte public key
data. The resulting 34-byte value MUST then be encoded using the base-58-btc
alphabet, according to Section [[[#multibase-0]]], and then prepended with the
base-58-btc Multibase header (`z`).
                  </td>
                </tr>
                <tr>
                  <td>BLS12-381 381-bit public key</td>
                  <td>
The encoding of an BLS12-381 public key in the G2 group MUST start with
the two-byte prefix `0xeb01` (the varint expression of `0xeb`), followed
by the 96-byte compressed public key data. The resulting 98-byte value MUST
then be encoded using the base-58-btc alphabet, according to Section
[[[#multibase-0]]], and then prepended with the base-58-btc Multibase header
(`z`).
                  </td>
                </tr>
              </tbody>
            </table>

            <p>
The secret key values are expressed using the rules in the table below:
            </p>

            <table class="simple">
              <thead>
                <th>Key type</th>
                <th>Description</th>
              </thead>
              <tbody>
                <tr>
                  <td>ECDSA 256-bit secret key</td>
                  <td>
The Multikey encoding of a P-256 secret key MUST start with the two-byte prefix
`0x8626` (the varint expression of `0x1306`) followed by the 32-byte
secret key data. The resulting 34-byte value MUST then be encoded using the
base-58-btc alphabet, according to Section [[[#multibase-0]]], and then
prepended with the base-58-btc Multibase header (`z`).
                  </td>
                </tr>
                <tr>
                  <td>ECDSA 384-bit secret key</td>
                  <td>
The encoding of a P-384 secret key MUST start with the two-byte prefix `0x8726`
(the varint expression of `0x1307`) followed by the 48-byte secret
key data. The resulting 50-byte value is then encoded using the base-58-btc
alphabet, according to Section [[[#multibase-0]]], and then prepended with the
base-58-btc Multibase header (`z`).
                  </td>
                </tr>
                <tr>
                  <td>Ed25519 256-bit secret key</td>
                  <td>
The encoding of an Ed25519 secret key MUST start with the two-byte prefix
`0x8026` (the varint expression of `0x1300`), followed by the 32-byte secret key
data. The resulting 34-byte value MUST then be encoded using the base-58-btc
alphabet, according to Section [[[#multibase-0]]], and then prepended with the
base-58-btc Multibase header (`z`).
                  </td>
                </tr>
                <tr>
                  <td>BLS12-381 381-bit secret key</td>
                  <td>
The encoding of an BLS12-381 secret key in the G2 group MUST start with
the two-byte prefix `0x8030` (the varint expression of `0x130a`), followed
by the 96-byte compressed public key data. The resulting 98-byte value MUST
then be encoded using the base-58-btc alphabet, according to Section
[[[#multibase-0]]], and then prepended with the base-58-btc Multibase header
(`z`).
                  </td>
                </tr>
              </tbody>

            </table>

            <p class="advisement">
Developers are advised to not accidentally publish a representation of a secret
key. Implementations that adhere to this specification will raise errors in the
event of a Multikey header value that is not in the public key header table
above, or when reading a Multikey value that is expected to be a public key,
such as one published in a controller document, that does not start with a known
public key header.
            </p>

            <p>
When defining values for use with `publicKeyMultibase` and `secretKeyMultibase`,
specification authors MAY define additional header values for other key types in
other specifications and MUST NOT define alternate encodings for key types
already defined by this specification.
            </p>

          </section>

          <section>
            <h3>JsonWebKey</h3>
            <p>
The JSON Web Key (JWK) data model is a specific type of [=verification method=]
that uses the JWK specification [[RFC7517]] to encode key types into a
set of parameters.
            </p>

            <p>
When specifing a `JsonWebKey`, the object takes the following form:
            </p>

            <dl>
              <dt>type</dt>
              <dd>
The value of the `type` property MUST contain the string `JsonWebKey`.
              </dd>
              <dt><dfn class="lint-ignore">publicKeyJwk</dfn></dt>
              <dd>
                <p>
The `publicKeyJwk` property is OPTIONAL. If present, its value MUST
be a <a data-cite="INFRA#ordered-map">map</a> representing a JSON Web Key that
conforms to [[RFC7517]]. The <a data-cite="INFRA#ordered-map">map</a> MUST NOT
include any members of the private information class, such as `d`, as described
in the <a href="https://datatracker.ietf.org/doc/html/rfc7517#section-8.1.1">JWK
Registration Template</a>. It is RECOMMENDED that verification methods that use
JWKs [[RFC7517]] to represent their [=public keys=] use the value of `kid` as
their fragment identifier. It is RECOMMENDED that JWK `kid` values are set to
the public key fingerprint [[RFC7638]]. See the first key in
[[[#example-various-verification-method-types]]] for an example of a
public key with a compound key identifier.
                </p>
                <p>
As specified in <a data-cite="RFC7517#section-4.4">Section 4.4 of the JWK specification</a>,
the OPTIONAL `alg` property identifies the algorithm intended for use with the public key,
and SHOULD be included to prevent security issues that can arise when using the same
key with multiple algorithms. As specified in <a data-cite="RFC7518#section-6.2.1.1">
Section 6.2.1.1 of the JWA specification</a>, describing a key using an elliptic curve,
the REQUIRED `crv` property is used to identify the particular curve type of the public key.
As specified in <a data-cite="RFC7515#section-4.1.4">Section 4.1.4 of the JWS specification</a>,
the OPTIONAL `kid` property is a hint used to help discover the key; if present, the `kid` value SHOULD
match, or be included in, the `id` property of the encapsulating `JsonWebKey` object,
as part of the path, query, or fragment of the URL.
                </p>

              </dd>
              <dt><dfn class="lint-ignore">secretKeyJwk</dfn></dt>
              <dd>
The `secretKeyJwk` property is OPTIONAL. If present, its value MUST be a <a
data-cite="INFRA#ordered-map">map</a> representing a JSON Web Key that conforms
to [[RFC7517]].
It MUST NOT be used if the data structure containing it is public or may be revealed to parties other than the legitimate holders of the secret key.
              </dd>
            </dl>

            <p>
An example of an object that conforms to `JsonWebKey` is provided below:
            </p>

            <pre class="example nohighlight" title="JSON Web Key encoding of a secp384r1 (P-384) public key">
{
  "id": "https://controller.example/123456789abcdefghi#key-1",
  "type": "JsonWebKey",
  "controller": "https://controller.example/123456789abcdefghi",
  "publicKeyJwk": {
      "kid": "key-1",
      "kty": "EC",
      "crv": "P-384",
      "alg": "ES384",
      "x": "1F14JSzKbwxO-Heqew5HzEt-0NZXAjCu8w-RiuV8_9tMiXrSZdjsWqi4y86OFb5d",
      "y": "dnd8yoq-NOJcBuEYgdVVMmSxonXg-DU90d7C4uPWb_Lkd4WIQQEH0DyeC2KUDMIU"
    }
}
            </pre>

            <p>
In the example above, the `publicKeyJwk` value contains the JSON Web Key.
The `kty` property encodes the key type of "OKP", which means
"Octet string key pairs". The `alg` property identifies the algorithm intended
for use with the public key, which in this case is `ES384`. The `crv` property identifies
the particular curve type of the public key, `P-384`. The `x` property specifies
the point on the P-384 curve that is associated with the public key.
            </p>

            <p>
The `publicKeyJwk` property MUST NOT contain any property marked as
"Private" or "Secret" in any registry contained in the JOSE Registries [[JOSE-REGISTRIES]], including "d".
            </p>

            <p>
The JSON Web Key data model is also capable of encoding <em>secret keys</em>, sometimes
referred to as <em>private keys</em>.
            </p>

            <pre class="example nohighlight"
              title="JSON Web Key encoding of a secp384r1 (P-384) secret key">
{
  "id": "https://controller.example/123456789abcdefghi#key-1",
  "type": "JsonWebKey",
  "controller": "https://controller.example/123456789abcdefghi",
  "secretKeyJwk": {
      "kty": "EC",
      "crv": "P-384",
      "alg": "ES384",
      "d": "fGwges0SX1mj4eZamUCL4qtZijy9uT15fI4gKTuRvre4Kkoju2SHM4rlFOeKVraH",
      "x": "1F14JSzKbwxO-Heqew5HzEt-0NZXAjCu8w-RiuV8_9tMiXrSZdjsWqi4y86OFb5d",
      "y": "dnd8yoq-NOJcBuEYgdVVMmSxonXg-DU90d7C4uPWb_Lkd4WIQQEH0DyeC2KUDMIU"
    }
}
            </pre>

            <p>
The private key example above is almost identical to the previous example of the
public key, except that the information is stored in the `secretKeyJwk` property
(rather than the `publicKeyJwk`), and the private key value is encoded in the `d`
property thereof (alongside the `x` property, which still specifies the point on
the Ed25519 curve that is associated with the public key).
            </p>

          </section>

          <section>
            <h3>Referring to Verification Methods</h3>
            <p>
[=Verification methods=] can be embedded in or referenced from properties
associated with various [=verification relationships=] as described in
[[[#verification-relationships]]]. Referencing [=verification methods=]
allows them to be used by more than one [=verification relationship=].
            </p>

            <p>
If the value of a [=verification method=] property is a <a
data-cite="INFRA#ordered-map">map</a>, the [=verification method=] has been
embedded and its properties can be accessed directly. However, if the value is a
URL <a data-cite="INFRA#string">string</a>, the [=verification method=] has
been included by reference and its properties will need to be retrieved from
elsewhere in the [=controller document=] or from another [=controller document=]. This
is done by dereferencing the URL and searching the resulting resource for a
[=verification method=] <a data-cite="INFRA#ordered-map">map</a> with an
`id` property whose value matches the URL.
            </p>

            <pre class="example nohighlight"
            title="Embedding and referencing verification methods">
    {
<span class="comment">...</span>

      "authentication": [
        <span class="comment">// this key is referenced and might be used by</span>
        <span class="comment">// more than one verification relationship</span>
        "https://controller.example/123456789abcdefghi#keys-1",
        <span class="comment">// this key is embedded and may *only* be used for authentication</span>
        {
          "id": "https://controller.example/123456789abcdefghi#keys-2",
          "type": "Multikey", <span class="comment">// external (property value)</span>
          "controller": "https://controller.example/123456789abcdefghi",
          "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
        }
      ],

<span class="comment">...</span>
    }
            </pre>
          </section>
        </section>

        <section>
          <h2>Verification Relationships</h2>

          <p>
A [=verification relationship=] expresses the relationship between the
[=controller=] and a [=verification method=].
          </p>
          <p>
Different [=verification relationships=] enable the associated
[=verification methods=] to be used for different purposes. It is up to a
<em>verifier</em> to ascertain the validity of a verification attempt by
checking that the [=verification method=] used is contained in the
appropriate [=verification relationship=] property of the
[=controller document=].
          </p>
          <p>
The [=verification relationship=] between the [=controller=] and the
[=verification method=] is explicit in the [=controller document=].
[=Verification methods=] that are not associated with a particular
[=verification relationship=] cannot be used for that [=verification
relationship=]. For example, a [=verification method=] in the value of
the `[=authentication=]` property cannot be used to engage in
key agreement protocols with the [=controller=] &mdash; the value of the
`<a href="#defn-keyAgreement">keyAgreement</a>` property needs to be used
for that.
          </p>
          <p>
The [=controller document=] does not express revoked keys using a <a>verification
relationship</a>. If a referenced verification method is not in the latest
[=controller document=] used to dereference it, then that verification method is
considered invalid or revoked.
          </p>
          <p>
The following sections define several useful [=verification relationships=].
A [=controller document=] MAY include any of these, or other properties, to
express a specific [=verification relationship=]. To maximize global
interoperability, any such properties used SHOULD be registered in the
<a href="https://w3c.github.io/vc-specs-dir/#securing-mechanisms">VC Specifications Directory</a>.
          </p>

          <section>
            <h2>Authentication</h2>

            <p>
The `authentication` [=verification relationship=] is used to
specify how the [=controller=] is expected to be [=authenticated=], for
purposes such as logging into a website or engaging in any sort of
challenge-response protocol.
            </p>

            <dl>
              <dt id="defn-authentication">authentication</dt>
              <dd>
The `authentication` property is OPTIONAL. If present, its
value MUST be a <a data-cite="INFRA#ordered-set">set</a> of one or more
[=verification methods=]. Each [=verification method=] MAY be embedded or
referenced.
              </dd>
            </dl>

            <pre class="example nohighlight" title="Authentication property
                          containing three verification methods">
    {
      "@context": [
        "https://www.w3.org/ns/controller/v1",
        "https://www.w3.org/ns/credentials/v2",
        "https://w3id.org/security/multikey/v1"
      ],
      "id": "https://controller.example/123456789abcdefghi",
      <span class="comment">...</span>
      "authentication": [
        <span class="comment">// this method can be used to authenticate as did:...fghi</span>
        "https://controller.example/123456789abcdefghi#keys-1",
        <span class="comment">// this method is *only* approved for authentication, it may not</span>
        <span class="comment">// be used for any other proof purpose, so its full description is</span>
        <span class="comment">// embedded here rather than using only a reference</span>
        {
          "id": "https://controller.example/123456789abcdefghi#keys-2",
          "type": "Multikey",
          "controller": "https://controller.example/123456789abcdefghi",
          "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
        }
      ],
      <span class="comment">...</span>
    }
            </pre>

            <p>
If authentication is established, it is up to the application to decide what to
do with that information.
            </p>
            <p>
This is useful to any <em>authentication verifier</em> that needs to check to
see if an entity that is attempting to [=authenticate=] is, in fact,
presenting a valid proof of authentication. When a <em>verifier</em> receives
some data (in some protocol-specific format) that contains a proof that was made
for the purpose of "authentication", and that says that an entity is identified
by the `id`, then that <em>verifier</em> checks to ensure that the proof can be
verified using a [=verification method=] (e.g., [=public key=]) listed
under `authentication` in the [=controller document=].
            </p>
            <p>
Note that the [=verification method=] indicated by the
`authentication` property of a [=controller document=] can
only be used to [=authenticate=] the [=controller=]. To
[=authenticate=] a different [=controller=], the entity associated with
the value of `controller` needs to [=authenticate=] with its
<em>own</em> [=controller document=] and associated
`authentication` [=verification relationship=].
            </p>
          </section>

          <section>
            <h2>Assertion</h2>

            <p>
The `assertionMethod` [=verification relationship=] is used to
specify how the [=controller=] is expected to express claims, such as for
the purposes of issuing a verifiable credential.
            </p>

            <dl>
              <dt id="defn-assertionMethod">assertionMethod</dt>
              <dd>
The `assertionMethod` property is OPTIONAL. If present, its associated
value MUST be a <a data-cite="INFRA#ordered-set">set</a> of one or
more [=verification methods=]. Each [=verification method=] MAY
be embedded or referenced.
              </dd>
            </dl>

            <p>
This property is useful, for example, during the processing of a
verifiable credential by a verifier.
<!-- VC-DATA-INTEGRITY-SPECIFIC:
During verification, a verifier checks to see if a
[=verifiable credential=] contains a proof created by the [=controller=]
by checking that the [=verification method=] used to assert the proof is
associated with the `assertionMethod` property in the
corresponding [=controller document=].
-->
            </p>

            <pre class="example nohighlight" title="Assertion method property
                        containing two verification methods">
    {
      "@context": [
        "https://www.w3.org/ns/controller/v1",
        "https://www.w3.org/ns/credentials/v2",
        "https://w3id.org/security/multikey/v1"
      ],
      "id": "https://controller.example/123456789abcdefghi",
      <span class="comment">...</span>
      "assertionMethod": [
        <span class="comment">// this method can be used to assert statements as did:...fghi</span>
        "https://controller.example/123456789abcdefghi#keys-1",
        <span class="comment">// this method is *only* approved for assertion of statements, it is not</span>
        <span class="comment">// used for any other verification relationship, so its full description is</span>
        <span class="comment">// embedded here rather than using a reference</span>
        {
          "id": "https://controller.example/123456789abcdefghi#keys-2",
          "type": "Multikey", <span class="comment">// external (property value)</span>
          "controller": "https://controller.example/123456789abcdefghi",
          "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
        }
      ],
      <span class="comment">...</span>
    }
            </pre>
          </section>

          <section>
            <h2>Key Agreement</h2>

            <p>
The `keyAgreement` [=verification relationship=] is used to
specify how an entity can generate encryption material in order to transmit
confidential information intended for the [=controller=], such as for
the purposes of establishing a secure communication channel with the recipient.
            </p>

            <dl>
              <dt><dfn id="defn-keyAgreement">keyAgreement</dfn></dt>
              <dd>
The `keyAgreement` property is OPTIONAL. If present, the associated
value MUST be a <a data-cite="INFRA#ordered-set">set</a> of one or more
[=verification methods=]. Each [=verification method=] MAY be embedded or
referenced.
              </dd>
            </dl>

            <p>
An example of when this property is useful is when encrypting a message intended
for the [=controller=]. In this case, the counterparty uses the
cryptographic [=public key=] information in the [=verification method=] to
wrap a decryption key for the recipient.
            </p>

            <pre class="example nohighlight" title="Key agreement property
                          containing two verification methods">
    {
      "@context": "https://www.w3.org/ns/did/v1",
      "id": "https://controller.example/123456789abcdefghi",
      <span class="comment">...</span>
      "keyAgreement": [
        <span class="comment">// this method can be used to perform key agreement as did:...fghi</span>
        "https://controller.example/123456789abcdefghi#keys-1",
        <span class="comment">// this method is *only* approved for key agreement usage, it will not</span>
        <span class="comment">// be used for any other verification relationship, so its full description is</span>
        <span class="comment">// embedded here rather than using only a reference</span>
        {
          "id": "https://controller.example/123#zC9ByQ8aJs8vrNXyDhPHHNNMSHPcaSgNpjjsBYpMMjsTdS",
          "type": "X25519KeyAgreementKey2019", <span class="comment">// external (property value)</span>
          "controller": "https://controller.example/123",
          "publicKeyMultibase": "z6LSn6p3HRxx1ZZk1dT9VwcfTBCYgtNWdzdDMKPZjShLNWG7"
        }
      ],
      <span class="comment">...</span>
    }
            </pre>
          </section>

          <section>
            <h2>Capability Invocation</h2>

            <p>
The `capabilityInvocation` [=verification relationship=] is used
to specify a [=verification method=] that might be used by the
[=controller=] to invoke a cryptographic capability, such as the
authorization to update the [=controller document=].
            </p>

            <dl>
              <dt id="defn-capabilityInvocation">capabilityInvocation</dt>
              <dd>
The `capabilityInvocation` property is OPTIONAL. If present, the
associated value MUST be a <a data-cite="INFRA#ordered-set">set</a> of
one or more [=verification methods=]. Each [=verification method=] MAY be
embedded or referenced.
              </dd>
            </dl>

            <p>
An example of when this property is useful is when a [=controller=] needs to
access a protected HTTP API that requires authorization in order to use it. In
order to authorize when using the HTTP API, the [=controller=]
uses a capability that is associated with a particular URL that is
exposed via the HTTP API. The invocation of the capability could be
expressed in a number of ways, e.g., as a digitally signed
message that is placed into the HTTP Headers.
            </p>
            <p>
The server providing the HTTP API is the <em>verifier</em> of the capability and
it would need to verify that the [=verification method=] referred to by the
invoked capability exists in the `capabilityInvocation`
property of the [=controller document=]. The verifier would also check to make sure
that the action being performed is valid and the capability is appropriate for
the resource being accessed. If the verification is successful, the server has
cryptographically determined that the invoker is authorized to access the
protected resource.
            </p>

            <pre class="example nohighlight" title="Capability invocation property
                          containing two verification methods">
    {
      "@context": [
        "https://www.w3.org/ns/controller/v1",
        "https://w3id.org/security/multikey/v1"
      ],
      "id": "https://controller.example/123456789abcdefghi",
      <span class="comment">...</span>
      "capabilityInvocation": [
        <span class="comment">// this method can be used to invoke capabilities as https:...fghi</span>
        "https://controller.example/123456789abcdefghi#keys-1",
        <span class="comment">// this method is *only* approved for use in capability invocation; it will not</span>
        <span class="comment">// be used for any other verification relationship, so its full description is</span>
        <span class="comment">// embedded here rather than using only a reference</span>
        {
        "id": "https://controller.example/123456789abcdefghi#keys-2",
        "type": "Multikey", <span class="comment">// external (property value)</span>
        "controller": "https://controller.example/123456789abcdefghi",
        "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
        }
      ],
      <span class="comment">...</span>
    }
            </pre>
          </section>

          <section>
            <h2>Capability Delegation</h2>

            <p>
The `capabilityDelegation` [=verification relationship=] is used
to specify a mechanism that might be used by the [=controller=] to delegate
a cryptographic capability to another party, such as delegating the authority
to access a specific HTTP API to a subordinate.
            </p>

            <dl>
              <dt id="defn-capabilityDelegation">capabilityDelegation</dt>
              <dd>
The `capabilityDelegation` property is OPTIONAL. If present, the
associated value MUST be a <a data-cite="INFRA#ordered-set">set</a> of
one or more [=verification methods=]. Each [=verification method=] MAY be
embedded or referenced.
              </dd>
            </dl>

            <p>
An example of when this property is useful is when a [=controller=] chooses
to delegate their capability to access a protected HTTP API to a party other
than themselves. In order to delegate the capability, the [=controller=]
would use a [=verification method=] associated with the
`capabilityDelegation` [=verification relationship=] to
cryptographically sign the capability over to another [=controller=]. The
delegate would then use the capability in a manner that is similar to the
example described in [[[#capability-invocation]]].
            </p>

            <pre class="example nohighlight" title="Capability Delegation property
                          containing two verification methods">
    {
      "@context": [
        "https://www.w3.org/ns/controller/v1",
        "https://w3id.org/security/multikey/v1"
      ],
      "id": "https://controller.example/123456789abcdefghi",
      <span class="comment">...</span>
      "capabilityDelegation": [
        <span class="comment">// this method can be used to perform capability delegation as did:...fghi</span>
        "https://controller.example/123456789abcdefghi#keys-1",
        <span class="comment">// this method is *only* approved for granting capabilities; it will not</span>
        <span class="comment">// be used for any other verification relationship, so its full description is</span>
        <span class="comment">// embedded here rather than using only a reference</span>
        {
        "id": "https://controller.example/123456789abcdefghi#keys-2",
        "type": "Multikey", <span class="comment">// external (property value)</span>
        "controller": "https://controller.example/123456789abcdefghi",
        "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
        }
      ],
      <span class="comment">...</span>
    }
            </pre>
          </section>
        </section>

        <section>
          <h2>Multibase</h2>

          <p>
A Multibase string includes a single character header which identifies the
base and encoding alphabet used to encode a binary value, followed by the
encoded binary value (using that base and alphabet). The common Multibase
header values and their associated base encoding alphabets as provided below
are normative:
          </p>

          <table class="simple">
            <thead>
              <tr>
                <th>Multibase&nbsp;Header</th>
                <th>Description</th>
              </tr>
            </thead>

            <tbody>
              <tr>
                <td>`u`</td>
                <td>
The base-64-url-no-pad alphabet is used to encode the bytes. The base-alphabet
consists of the following characters, in order:
`ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_`
                </td>
              </tr>
              <tr>
                <td>`z`</td>
                <td>
The base-58-btc alphabet is used to encode the bytes. The base-alphabet consists
of the following characters, in order:
`123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz`
                </td>
              </tr>
            </tbody>
          </table>

          <p>
Other Multibase encoding values MAY be used, but interoperability is not
guaranteed between implementations using such values.
          </p>

          <p>
To base-encode a binary value into a Multibase string, an implementation MUST
apply the algorithm in Section [[[#base-encode]]] to the binary value,
with the desired base encoding and alphabet from the table above, ensuring to
prepend the associated Multibase header from the table above to the result.
Any algorithm with equivalent output MAY be used.
          </p>

          <p>
To base-decode a Multibase string, an implementation MUST apply the algorithm
in Section [[[#base-decode]]] to the string following the first
character (Multibase header), with the alphabet associated with the
Multibase header. Any algorithm with equivalent output MAY be used.
          </p>

        </section>

        <section>
          <h2>Multihash</h2>

          <p>
A Multihash value starts with a binary header, which includes 1) an identifier
for the specific cryptographic hash algorithm, 2) the length of the
cryptographic hash, and 3) the value of the cryptographic hash. The normative
Multihash header values defined by this specification, and their associated
output sizes and associated specifications, are provided below:
          </p>

          <table class="simple">
            <thead>
              <tr>
                <th>Multihash&nbsp;Identifier</th>
                <th>Multihash&nbsp;Header</th>
                <th>Description</th>
              </tr>
            </thead>

            <tbody>
              <tr>
                <td>`sha2-256`</td>
                <td>`0x12`</td>
                <td>
SHA-2 with 256 bits (32 bytes) of output, as defined by [[RFC6234]].
                </td>
              </tr>
              <tr>
                <td>`sha2-384`</td>
                <td>`0x20`</td>
                <td>
SHA-2 with 384 bits (48 bytes) of output, as defined by [[RFC6234]].
                </td>
              </tr>
              <tr>
                <td>`sha3-256`</td>
                <td>`0x16`</td>
                <td>
SHA-3 with 256 bits (32 bytes) of output, as defined by [[SHA3]].
                </td>
              </tr>
              <tr>
                <td>`sha3-384`</td>
                <td>`0x15`</td>
                <td>
SHA-3 with 384 bits (48 bytes) of output, as defined by [[SHA3]].
                </td>
              </tr>
            </tbody>
          </table>

          <p>
Other Multihash encoding values MAY be used, but interoperability is not
guaranteed between implementations.
          </p>

          <p>
To encode to a Multihash value, an implementation MUST concatenate the
associated Multihash header, the cryptographic hash length, and the
cryptographic hash value, in that order.
          </p>

          <p>
To decode a Multihash value, an implementation MUST 1) remove the prepended
Multihash header value, which identifies the type of cryptographic hashing
algorithm, 2) remove the output length, and 3) extract the raw cryptographic
hash value which MUST match the expected output length associated with the
Multihash header as well as the output length provided in the Multihash
value itself.
          </p>

        </section>

      </section>

    <section>
      <h2>Algorithms</h2>

      <p>
This section defines algorithms used by this specification including
instructions on how to base-encode and base-decode values, safely retrieve
verification methods, and produce processing errors over HTTP channels.
      </p>

      <section class="normative">
        <h2>Base Encode</h2>

        <p>
The following algorithm specifies how to encode an array of bytes, where each
byte represents a base-256 value, to a different base representation that uses a
particular base alphabet, such as base-64-url-no-pad or base-58-btc. The
required inputs are the <var>bytes</var>, <var>targetBase</var>, and
<var>baseAlphabet</var>. The output is a string that contains the base-encoded
value. All mathematical operations MUST be performed using integer arithmetic.
Alternatives to the algorithm provided below MAY be used as long as the
outputs of the alternative algorithm remain the same.
        </p>

        <ol class="algorithm">
          <li>
Initialize the following variables; <var>zeroes</var> to `0`, <var>length</var> to
`0`, <var>begin</var> to `0`, and <var>end</var> to the length of
<var>bytes</var>.
          </li>
          <li>
Set <var>begin</var> and <var>zeroes</var> to the number of leading `0` byte
values in <var>bytes</var>.
          </li>
          <li>
Set <var>baseValue</var> to an empty byte array that is the size of the final
base-expanded value. Calculate the final <var>size</var> of <var>baseValue</var>
by dividing log(256) by log(<var>targetBase</var>) and then multiplying the
length of <var>bytes</var> minus the leading <var>zeroes</var>. Add `1` to the
value of <var>size</var>.
          </li>
          <li>
Process each byte in <var>bytes</var> as <var>byte</var> starting at offset
<var>begin</var>:
            <ol class="algorithm">
              <li>
Set the <var>carry</var> value to <var>byte</var>.
              </li>
              <li>
Perform base-expansion by starting at the end of the <var>baseValue</var> array.
Initialize an iterator <var>i</var> to `0`. Set <var>basePosition</var> to
<var>size</var> minus `1`. Perform the following loop as long as <var>carry</var>
does not equal `0` or <var>i</var> is less than <var>length</var>, and
<var>basePosition</var> does not equal `-1`.
                <ol class="algorithm">
                  <li>
Multiply the value in <var>baseValue[basePosition]</var> by `256` and add
it to <var>carry</var>.
                  </li>
                  <li>
Set the value at <var>baseValue[basePosition]</var> to the remainder after
dividing <var>carry</var> by <var>targetBase</var>.
                  </li>
                  <li>
Set the value of <var>carry</var> to <var>carry</var> divided by
<var>targetBase</var> ensuring that integer division is used to perform the
division.
                  </li>
                  <li>
Decrement <var>basePosition</var> by `1` and increment <var>i</var> by `1`.
                  </li>
                </ol>
              </li>
              <li>
Set <var>length</var> to <var>i</var> and increment <var>begin</var> by `1`.
              </li>
            </ol>
          </li>
          <li>
Set the <var>baseEncodingPosition</var> to <var>size</var> minus <var>length</var>.
While the <var>baseEncodingPosition</var> does not equal <var>size</var> and the
<var>baseValue[baseEncodingPosition]</var> does not equal `0`, increment
<var>baseEncodingPosition</var>. This step skips the leading zeros in the
base-encoded result.
          </li>
          <li>
Initialize the <var>baseEncoding</var> by repeating the first entry in the
<var>baseAlphabet</var> by the value of <var>zeroes</var> (the number of leading
zeroes in <var>bytes</var>).
          </li>
          <li>
Convert the rest of the <var>baseValue</var> to the base-encoding. While the
<var>baseEncodingPosition</var> is less than <var>size</var>, increment the
<var>baseEncodingPosition</var>: Set <var>baseEncodedValue</var> to
<var>baseValue</var>[<var>baseEncodingPosition</var>]. Append
<var>baseAlphabet</var>[<var>baseEncodedValue</var>] to <var>baseEncoding</var>.
          </li>
          <li>
Return <var>baseEncoding</var> as the base-encoded value.
          </li>
        </ol>

        <pre class="example" title="An implementation of the general base-encoding algorithm above in Javascript">
function baseEncode(bytes, targetBase, baseAlphabet) {
  let zeroes = 0;
  let length = 0;
  let begin = 0;
  let end = bytes.length;

  // count the number of leading bytes that are zero
  while(begin !== end && bytes[begin] === 0) {
    begin++;
    zeroes++;
  }

  // allocate enough space to store the target base value
  const baseExpansionFactor = Math.log(256) / Math.log(targetBase);
  let size = Math.floor((end - begin) * baseExpansionFactor + 1);
  let baseValue = new Uint8Array(size);

  // process the entire input byte array
  while(begin !== end) {
    let carry = bytes[begin];

    // for each byte in the array, perform base-expansion
    let i = 0;
    for(let basePosition = size - 1;
        (carry !== 0 || i < length) && (basePosition !== -1);
        basePosition--, i++) {
      carry += Math.floor(256 * baseValue[basePosition]);
      baseValue[basePosition] = Math.floor(carry % targetBase);
      carry = Math.floor(carry / targetBase);
    }

    length = i;
    begin++;
  }

  // skip leading zeroes in base-encoded result
  let baseEncodingPosition = size - length;
  while(baseEncodingPosition !== size &&
        baseValue[baseEncodingPosition] === 0) {
    baseEncodingPosition++;
  }

  // convert the base value to the base encoding
  let baseEncoding = baseAlphabet.charAt(0).repeat(zeroes)
  for(; baseEncodingPosition < size; ++baseEncodingPosition) {
    baseEncoding += baseAlphabet.charAt(baseValue[baseEncodingPosition])
  }

  return baseEncoding;
}
        </pre>
      </section>

      <section class="normative">
        <h2>Base Decode</h2>

        <p>
The following algorithm specifies how to decode an array of bytes, where each
byte represents a base-encoded value, to a different base representation that
uses a particular base alphabet, such as base-64-url-no-pad or base-58-btc. The
required inputs are the <var>sourceEncoding</var>, <var>sourceBase</var>, and
<var>baseAlphabet</var>. The output is an array of bytes that contains the
base-decoded value. All mathematical operations MUST be performed using integer
arithmetic. Alternatives to the algorithm provided below MAY be used as long as
the outputs of the alternative algorithm remain the same.
        </p>

        <ol class="algorithm">
          <li>
Initialize a <var>baseMap</var> mapping by associating each character
in <var>baseAlphabet</var> to its integer position in the
<var>baseAlphabet</var> string.
          </li>
          <li>
Initialize the following variables; <var>sourceOffset</var> to `0`,
<var>zeroes</var> to `0`, and <var>decodedLength</var> to `0`.
          </li>
          <li>
Set <var>zeroes</var> and <var>sourceOffset</var> to the number of leading
<var>baseAlphabet[0]</var> values in <var>sourceEncoding</var>.
          </li>
          <li>
Set <var>decodedBytes</var> to an empty byte array that is the size of the final
base-converted value. Calculate the size of <var>decodedBytes</var>
by dividing log(<var>sourceBase</var>) by log(`256`) and then multiplying by the
length of <var>sourceEncoding</var> minus the leading zeroes. Add 1 to the value
of size.
          </li>
          <li>
Process each character in <var>sourceEncoding</var> as <var>character</var>
starting at offset <var>sourceOffset</var>:
            <ol class="algorithm">
              <li>
Set the <var>carry</var> value to the integer value in the <var>baseMap</var>
that is associated with <var>character</var>.
              </li>
              <li>
Perform base-decoding by starting at the end of the <var>decodedBytes</var>
array. Initialize an iterator <var>i</var> to `0`. Set <var>byteOffset</var>
to <var>decodedSize</var> minus `1`. Perform the following loop as long as,
<var>carry</var> does not equal `0` or <var>i</var> is less than
<var>decodedLength</var>, and <var>byteOffset</var> does not equal `-1`:
                <ol class="algorithm">
                  <li>
Add the result of multiplying <var>sourceBase</var> by
<var>decodedBytes</var>[<var>byteOffset</var>] to <var>carry</var>.
                  </li>
                  <li>
Set <var>decodedBytes</var>[<var>byteOffset</var>] to the remainder of
dividing <var>carry</var> by `256`.
                  </li>
                  <li>
Set <var>carry</var> to <var>carry</var> divided by `256`, ensuring that integer
division is used to perform the division.
                  </li>
                  <li>
Decrement <var>byteOffset</var> by `1` and increment <var>i</var> by `1`.
                  </li>
                </ol>
                <li>
Set <var>decodedLength</var> to <var>i</var> and increment
<var>sourceOffset</var> by `1`.
                </li>
              </li>
            </ol>
          </li>
          <li>
Set the <var>decodedOffset</var> to <var>decodedSize</var> minus
<var>decodedLength</var>. While the <var>decodedOffset</var> does not equal
the <var>decodedSize</var> and
<var>decodedBytes</var>[<var>decodedOffset</var>] equals `0`, increment
<var>decodedOffset</var> by `1`. This step skips the leading zeros in the
final base-decoded byte array.
          </li>
          <li>
Set the size of the <var>finalBytes</var> array to <var>zeroes</var> plus,
<var>decodedSize</var> minus <var>decodedOffset</var>. Initialize the first
<var>zeroes</var> bytes in <var>finalBytes</var> to `0`.
          </li>
          <li>
Starting at an offset equal to the number of <var>zeroes</var> in
<var>finalBytes</var> plus `1`, copy all bytes in <var>decodedBytes</var>, up
to <var>decodedSize</var>, starting at offset <var>decodedOffset</var> to
<var>finalBytes</var>.
          </li>
        </ol>

        <pre class="example" title="An implementation of the general base-decoding algorithm above in Javascript">
function baseDecode(sourceEncoding, sourceBase, baseAlphabet) {
  // build the base-alphabet to integer value map
  baseMap = {};
  for(let i = 0; i < baseAlphabet.length; i++) {
    baseMap[baseAlphabet[i]] = i;
  }

  // skip and count zero-byte values in the sourceEncoding
  let sourceOffset = 0;
  let zeroes = 0;
  let decodedLength = 0;
  while(sourceEncoding[sourceOffset] === baseAlphabet[0]) {
    zeroes++;
    sourceOffset++;
  }

  // allocate the decoded byte array
  const baseContractionFactor = Math.log(sourceBase) / Math.log(256);
  let decodedSize = Math.floor((
    (sourceEncoding.length - sourceOffset) * baseContractionFactor) + 1);
  let decodedBytes = new Uint8Array(decodedSize);

  // perform base-conversion on the source encoding
  while(sourceEncoding[sourceOffset]) {
    // process each base-encoded number
    let carry = baseMap[sourceEncoding[sourceOffset]];

    // convert the base-encoded number by performing base-expansion
    let i = 0
    for(let byteOffset = decodedSize - 1;
      (carry !== 0 || i < decodedLength) && (byteOffset !== -1);
      byteOffset--, i++) {
      carry += Math.floor(sourceBase * decodedBytes[byteOffset]);
      decodedBytes[byteOffset] = Math.floor(carry % 256);
      carry = Math.floor(carry / 256);
    }

    decodedLength = i;
    sourceOffset++;
  }

  // skip leading zeros in the decoded byte array
  let decodedOffset = decodedSize - decodedLength;
  while(decodedOffset !== decodedSize && decodedBytes[decodedOffset] === 0) {
    decodedOffset++;
  }

  // create the final byte array that has been base-decoded
  let finalBytes = new Uint8Array(zeroes + (decodedSize - decodedOffset));
  let j = zeroes;
  while(decodedOffset !== decodedSize) {
    finalBytes[j++] = decodedBytes[decodedOffset++];
  }

  return finalBytes;
}
        </pre>

      </section>

      <section class="normative">
        <h3>Retrieve Verification Method</h3>

        <p>
The following algorithm specifies how to safely retrieve a verification method,
such as a cryptographic [=public key=], by using a [=verification method=]
identifier. Required inputs are a
<strong>[=verification method=]</strong> (<var>verificationMethod</var>),
a <strong>proof purpose</strong> (<var>proofPurpose</var>), and
a set of <strong>dereferencing options</strong> (<var>options</var>). A
<strong>verification method</strong> is produced as output.
        </p>

        <ol class="algorithm">
          <li>
Let <var>vmIdentifier</var> be set to <var>verificationMethod</var>.
          </li>
          <li>
Let <var>vmPurpose</var> be set to <var>proofPurpose</var>.
          </li>
          <li>
If <var>vmIdentifier</var> is not a valid URL, an error MUST be raised and SHOULD
convey an error type of
<a href="#INVALID_VERIFICATION_METHOD_URL">INVALID_VERIFICATION_METHOD_URL</a>.
          </li>
          <li>
Let <var>controllerDocumentUrl</var> be the result of parsing
<var>vmIdentifier</var> according to the rules of the URL scheme and extracting
the primary resource identifier (without the fragment identifier).
          </li>
          <li>
Let <var>vmFragment</var> be the result of parsing <var>vmIdentifier</var>
according to the rules of the URL scheme and extracting the secondary
resource identifier (the fragment identifier).
          </li>
          <li>
Let <var>controllerDocument</var> be the result of dereferencing
<var>controllerDocumentUrl</var>, according to the rules
of the URL scheme and using the supplied <var>options</var>.
          </li>
          <li>
If <var>controllerDocument</var>.<var>id</var> does not match the
<var>controllerDocumentUrl</var>, an error MUST be raised and SHOULD
convey an error type of
<a href="#INVALID_CONTROLLER_DOCUMENT_ID">INVALID_CONTROLLER_DOCUMENT_ID</a>.
          </li>
          <li>
If <var>controllerDocument</var> is not a valid [=controller document=],
an error MUST be raised and SHOULD
convey an error type of
<a href="#INVALID_CONTROLLER_DOCUMENT">INVALID_CONTROLLER_DOCUMENT</a>.
          </li>
          <li>
Let <var>verificationMethod</var> be the result of dereferencing the
<var>vmFragment</var> from the <var>controllerDocument</var> according to the
rules of the media type of the <var>controllerDocument</var>.
          </li>
          <li>
If <var>verificationMethod</var> is not a valid [=verification method=],
an error MUST be raised and SHOULD convey an error type of
<a href="#INVALID_VERIFICATION_METHOD">INVALID_VERIFICATION_METHOD</a>.
          </li>
          <li>
If <var>verificationMethod</var> is not associated with the array of
<var>vmPurposes</var> in the <var>controllerDocument</var>, either by reference
(URL) or by value (object), an error MUST be raised and SHOULD convey an error
type of <a href="#INVALID_PROOF_PURPOSE_FOR_VERIFICATION_METHOD">
INVALID_PROOF_PURPOSE_FOR_VERIFICATION_METHOD</a>.
          </li>
          <li>
Return <var>verificationMethod</var> as the
<strong>verification method</strong>.
          </li>
        </ol>

        <p>
The following example provides a minimum conformant
[=controller document=] containing a minimum conformant
[=verification method=] as required by the algorithm in this section:
        </p>

        <pre class="example" title="Minimum conformant controller document">
{
  "id": "https://controller.example/123",
  "verificationMethod": [{
    "id": "https://controller.example/123#key-456",
    "type": "ExampleVerificationMethodType",
    "controller": "https://controller.example/123",
    <span class="comment">// public cryptographic material goes here</span>
  }],
  "authentication": ["#key-456"]
}
        </pre>

      </section>

      <section class="normative">
        <h3>Processing Errors</h3>

        <p>
The algorithms described in this specification throw specific types of errors.
Implementers might find it useful to convey these errors to other libraries or
software systems. This section provides specific URLs, descriptions, and error
codes for the errors, such that an ecosystem implementing technologies described
by this specification might interoperate more effectively when errors occur.
        </p>

        <p>
When exposing these errors through an HTTP interface, implementers SHOULD use
[[RFC9457]] to encode the error data structure. If [[RFC9457]] is used:
        </p>

        <ul>
          <li>
The `type` value of the error object MUST be a URL that starts with the value
`https://w3id.org/security#` and ends with the value in the section listed
below.
          </li>
          <li>
The `code` value MUST be the integer code described in the table below
(in parentheses, beside the type name).
          </li>
          <li>
The `title` value SHOULD provide a short but specific human-readable string for
the error.
          </li>
          <li>
The `detail` value SHOULD provide a longer human-readable string for the error.
          </li>
        </ul>

        <dl>
          <dt id="INVALID_VERIFICATION_METHOD_URL">INVALID_VERIFICATION_METHOD_URL (-21)</dt>
          <dd>
The `verificationMethod` value in a proof was malformed. See Section
[[[#retrieve-verification-method]]].
          </dd>
          <dt id="INVALID_CONTROLLER_DOCUMENT_ID">INVALID_CONTROLLER_DOCUMENT_ID (-22)</dt>
          <dd>
The `id` value in a [=controller document=] was malformed. See Section
[[[#retrieve-verification-method]]].
          </dd>
          <dt id="INVALID_CONTROLLER_DOCUMENT">INVALID_CONTROLLER_DOCUMENT (-23)</dt>
          <dd>
The [=controller document=] was malformed. See Section
[[[#retrieve-verification-method]]].
          </dd>
          <dt id="INVALID_VERIFICATION_METHOD">INVALID_VERIFICATION_METHOD (-24)</dt>
          <dd>
The [=verification method=] in a [=controller document=] was malformed. See Section
[[[#retrieve-verification-method]]].
          </dd>
          <dt id="INVALID_PROOF_PURPOSE_FOR_VERIFICATION_METHOD">INVALID_PROOF_PURPOSE_FOR_VERIFICATION_METHOD (-25)</dt>
          <dd>
The [=verification method=] in a [=controller document=] was not
associated using the expected [=verification relationship=] as expressed in
the `proofPurpose` property in the proof. See Section
[[[#retrieve-verification-method]]].
          </dd>
        </dl>
      </section>
    </section>

    <section>
      <h2>Contexts and Vocabularies</h2>

      <p class="issue" title="(AT RISK) Hash values might change during Candidate Recommendation">
This section lists cryptographic hash values that might change during the
Candidate Recommendation phase based on implementer feedback that requires
the referenced files to be modified.
      </p>
      <p>
Implementations that perform JSON-LD processing MUST treat the following
JSON-LD context URLs as already resolved, where the resolved document matches
the corresponding hash values below:
      </p>

      <table class="simple">
        <thead>
          <tr>
            <th>URL, Media Type, and Content Digest</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td style="white-space: nowrap;">
<strong>URL:</strong>
https://w3id.org/security/data-integrity/v2 (application/ld+json)<br>
<strong>SHA2-256 Digest:</strong>
<code><span class="vc-hash"
data-hash-url="https://w3id.org/security/data-integrity/v2"
data-hash-format="openssl dgst -sha256" /></code>
            </td>
          </tr>
          <tr>
            <td style="white-space: nowrap;">
<strong>URL:</strong>
https://w3id.org/security/multikey/v1 (application/ld+json)<br>
<strong>SHA2-256 Digest:</strong>
<code><span class="vc-hash"
data-hash-url="https://w3id.org/security/multikey/v1"
data-hash-format="openssl dgst -sha256" /></code>
            </td>
          </tr>
          <tr>
            <td style="white-space: nowrap;">
<strong>URL:</strong>
https://w3id.org/security/jwk/v1 (application/ld+json)<br>
<strong>SHA2-256 Digest:</strong>
<code><span class="vc-hash"
data-hash-url="https://w3id.org/security/jwk/v1"
data-hash-format="openssl dgst -sha256" /></code>
            </td>
          </tr>
        </tbody>
      </table>

      <p>
The security vocabulary terms that the JSON-LD contexts listed above resolve
to are in the <a href="https://w3id.org/security">https://w3id.org/security#</a>
namespace. That is, all security terms in this vocabulary are of the form
`https://w3id.org/security#TERM`, where `TERM` is the name of a term.
      </p>

      <p>
Implementations that perform RDF processing MUST treat the following
JSON-LD vocabulary URL as already resolved, where the resolved document matches
the corresponding hash values below.
      </p>

      <p>
When dereferencing the
<a href="https://w3id.org/security">https://w3id.org/security#</a> URL,
the data returned depends on HTTP content negotiation. These are as follows:
      </p>

      <table class="simple">
        <thead>
          <tr>
            <th>URL, Media Type, and Content Digest</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td style="white-space: nowrap;">
<strong>URL:</strong>
https://w3id.org/security (application/ld+json)<br>
<strong>SHA2-256 Digest:</strong><code><span class="vc-hash"
data-hash-url="https://w3c.github.io/vc-data-integrity/vocab/security/vocabulary.jsonld"
data-hash-format="openssl dgst -sha256" /></code>
            </td>
          </tr>
          <tr>
            <td style="white-space: nowrap;">
<strong>URL:</strong>
https://w3id.org/security (text/turtle)<br>
<strong>SHA2-256 Digest:</strong><code><span class="vc-hash"
data-hash-url="https://w3c.github.io/vc-data-integrity/vocab/security/vocabulary.ttl"
data-hash-format="openssl dgst -sha256" /></code>
            </td>
          </tr>
          <tr>
            <td style="white-space: nowrap;">
<strong>URL:</strong>
https://w3id.org/security (text/html)<br>
<strong>SHA2-256 Digest:</strong>
<code><span class="vc-hash"
data-hash-url="https://w3c.github.io/vc-data-integrity/vocab/security/vocabulary.html"
data-hash-format="openssl dgst -sha256" /></code>
            </td>
          </tr>
        </tbody>
      </table>

      <p>
It is possible to confirm the digests listed above by running the following
command from a modern Unix command interface line:
`curl -sL -H "Accept: &lt;MEDIA_TYPE>" &lt;DOCUMENT_URL> | openssl dgst -sha256`.
      </p>

      <p>
Authors of application-specific vocabularies and specifications SHOULD ensure
that their JSON-LD context and vocabulary files are permanently cacheable
using the approaches to caching described above or a functionally equivalent
mechanism.
      </p>

      <p>
Implementations MAY load application-specific JSON-LD context files from the
network during development, but SHOULD permanently cache JSON-LD context files
used in [=conforming documents=] in production settings to increase their
security and privacy characteristics. Caching goals MAY be achieved through
approaches such as those described above or functionally equivalent mechanisms.
      </p>
      <p>
Some applications, such as digital wallets, that are capable of holding arbitrary
verifiable credentials or other data-integrity-protected documents, from
any issuer and using any contexts, might need to be able to load externally
linked resources, such as JSON-LD context files, in production settings. This is
expected to increase user choice, scalability, and decentralized upgrades in the
ecosystem over time. Authors of such applications are advised to read the
security and privacy sections of this document for further considerations.
      </p>

      <p>
For further information regarding processing of JSON-LD contexts and
vocabularies, see <a data-cite="?VC-DATA-MODEL-2.0#base-context">Verifiable
Credentials v2.0: Base Context</a> and <a data-cite="?VC-DATA-MODEL-2.0#vocabularies">
Verifiable Credentials v2.0: Vocabularies</a>.
      </p>

      <section>
        <h3>Context Injection</h3>

        <p>
The `@context` property is used to ensure that implementations are using the
same semantics when terms in this specification are processed. For example, this
can be important when properties like `type` are processed and its value, such
as `DataIntegrityProof`, are used.
        </p>

        <p>
If an `@context` property is not provided in a document that is being secured or
verified, or the Data Integrity terms used in the document are not mapped by
existing values in the `@context` property, implementations MUST inject or add
an `@context` property with a value of
`https://w3id.org/security/data-integrity/v2`.
        </p>

        <p>
Context injection is expected to be unnecessary sometimes, such as when the Verifiable
Credential Data Model v2.0 context (`https://www.w3.org/ns/credentials/v2`)
exists as a value in the `@context` property, as that context maps all of the
necessary Data Integrity terms that were previously mapped by
`https://w3id.org/security/data-integrity/v2`.
        </p>
      </section>

      <section>
        <h3>Datatypes</h3>

        <p>
This section defines datatypes that are used by this specification.
        </p>

      <section>
        <h4 id="multibase">The `multibase` Datatype</h3>

        <p>
<a href="#multibase">Multibase</a>-encoded strings are used to encode binary
data into ASCII-only formats, which are useful in environments that cannot
directly represent binary values. This specification makes use of this encoding.
In environments that support data types for string values, such as RDF
[[?RDF-CONCEPTS]], <a href="#multibase">Multibase</a>-encoded content is
indicated using a literal value whose datatype is set to
`https://w3id.org/security#multibase`.
        </p>

        <p>
The `multibase` datatype is defined as follows:
        </p>

        <dl>
          <dt>The URL denoting this datatype</dt>
          <dd>
`https://w3id.org/security#multibase`
          </dd>
          <dt>The lexical space</dt>
          <dd>
Any string that starts with a <a href="#multibase">Multibase</a> character and
the rest of the characters consist of allowable characters in the respective
base-encoding alphabet.
          </dd>
          <dt>The value space</dt>
          <dd>
The standard mathematical concept of all integer numbers.
          </dd>
          <dt>The lexical-to-value mapping</dt>
          <dd>
Any element of the lexical space is mapped to the value space by base-decoding
the value based on the base-decoding alphabet associated with the
first <a href="#multibase">Multibase</a> character in the lexical string.
          </dd>
          <dt>The canonical mapping</dt>
          <dd>
The canonical mapping consists of using the lexical-to-value mapping.
          </dd>
        </dl>
      </section>

    </section>

  </section>

  <section class="informative">
    <h1>Security Considerations</h1>

    <p>
This section contains a variety of security considerations that people using
this specification are advised to consider before deploying this
technology in a production setting. This technologies described in this
document are designed to operate under the threat model used by many IETF
standards and documented in [[?RFC3552]]. This section elaborates upon a number
of the considerations in [[?RFC3552]], as well as other considerations that are
unique to this specification.
    </p>

    <section>
      <h2>Proving Control and Binding</h2>

      <p>
Binding an entity in the digital world or the physical world to an identifier, to
a [=controller document=], or to cryptographic material requires, the use of
security protocols contemplated by this specification. The following sections
describe some possible scenarios and how an entity therein might prove control
over an identifier or a [=controller document=] for the purposes of authentication or
authorization.
      </p>

      <section class="notoc">
        <h3>Proving Control of an Identifier and/or Controller Document</h3>

        <p>
Proving control over an identifier and/or a [=controller document=] is useful
when accessing remote systems. Cryptographic digital signatures enable certain
security protocols related to [=controller documents=]
to be cryptographically verifiable. For these purposes, this specification
defines useful [=verification relationships=] in <a
href="#authentication"></a> and [[[#capability-invocation]]]. The
secret cryptographic material associated with the [=verification methods=]
can be used to generate a cryptographic digital signature as a part of an
authentication or authorization security protocol.
        </p>
      </section>

      <section class="notoc">
        <h3>Binding to Physical Identity</h3>

        <p>
An identifier or [=controller document=] do not inherently carry any
<a href="https://en.wikipedia.org/wiki/Personal_data">personal data</a> and
it is strongly advised that non-public entities do not publish personal data in
[=controller documents=].
        </p>

        <p>
It can be useful to express a binding of an identifier to a person's or
organization's physical identity in a way that is provably asserted by a
trusted authority, such as a government. This specification provides
the [[[#assertion]]] [=verification relationship=] for these
purposes. This feature can enable interactions that are private and can be
considered legally enforceable under one or more jurisdictions; establishing
such bindings has to be carefully balanced against privacy considerations (see
[[[#privacy-considerations]]]).
        </p>

        <p>
The process of binding an identifier to something in the physical world, such as
a person or an organization &mdash; for example, by using <a>verifiable
credentials</a> with the same subject as that identifier &mdash; is contemplated
by this specification and further defined in [[[?VC-DATA-MODEL-2.0]]].
        </p>
      </section>
    </section>

    <section>
      <h2>Key and Signature Expiration</h2>

      <p>
In a decentralized architecture, there might not be centralized authorities to
enforce cryptographic material or cryptographic digital signature expiration
policies. Therefore, it is with supporting software such as verification
libraries that requesting parties validate that cryptographic material were not
expired at the time they were used. Requesting parties might employ their own
expiration policies in addition to inputs into their verification processes. For
example, some requesting parties might accept authentications from five minutes
in the past, while others with access to high precision time sources might
require authentications to be time stamped within the last 500 milliseconds.
      </p>
      <p>
There are some requesting parties that have legitimate needs to extend the use
of already-expired cryptographic material, such as verifying legacy
cryptographic digital signatures. In these scenarios, a requesting party might
instruct their verification software to ignore cryptographic key material
expiration or determine if the cryptographic key material was expired at the
time it was used.
      </p>
    </section>

    <section>
      <h2>Verification Method Rotation</h2>

      <p>
Rotation is a management process that enables the secret cryptographic material
associated with an existing [=verification method=] to be deactivated or
destroyed once a new [=verification method=] has been added to the
[=controller document=]. Going forward, any new proofs that a
[=controller=] would have generated using the old secret cryptographic
material can now instead be generated using the new  cryptographic material and
can be verified using the new [=verification method=].
      </p>

      <p>
Rotation is a useful mechanism for protecting against verification method
compromise, since frequent rotation of a verification method by the controller
reduces the value of a single compromised verification method to an attacker.
Performing revocation immediately after rotation is useful for verification
methods that a controller designates for short-lived verifications, such as
those involved in encrypting messages and authentication.
      </p>

      <p>
The following considerations might be of use when contemplating the use of
[=verification method=] rotation:
      </p>

      <ul>
        <li>
[=Verification method=] rotation is a proactive security measure.
        </li>
        <li>
It is generally considered a best practice to perform [=verification method=]
rotation on a regular basis.
        </li>
        <li>
Higher security environments tend to employ more frequent verification method
rotation.
        </li>
        <li>
[=Verification method=] rotation manifests only as changes to the current or
latest version of a [=controller document=].
        </li>
        <li>
When a [=verification method=] has been active for a long time, or used for
many operations, a controller might wish to perform a rotation.
        </li>
        <li>
Frequent rotation of a [=verification method=] might be frustrating for
parties that are forced to continuously renew or refresh associated credentials.
        </li>
        <li>
Proofs or signatures that rely on [=verification methods=] that are not
present in the latest version of a [=controller document=] are not impacted by
rotation. In these cases, verification software might require additional
information, such as when a particular [=verification method=] was
expected to be valid as well as access to a verifiable data registry
containing a historical record, to determine the validity of the proof or
signature. This option might not be available in all systems.
        </li>
        <li>
A [=controller=] performs a rotation when they add a new <a>verification
method</a> that is meant to replace an existing [=verification method=] after
some time.
        </li>
      </ul>
    </section>

    <section>
      <h2>Verification Method Revocation</h2>

      <p>
Revocation is a management process that enables the secret cryptographic
material associated with an existing [=verification method=] to be
deactivated such that it ceases to be a valid form of creating new
proofs.
      </p>
      <p>
Revocation is a useful mechanism for reacting to a verification method
compromise. Performing revocation immediately after rotation is useful for
verification methods that a controller designates for short-lived verifications,
such as those involved in encrypting messages and authentication.
      </p>

      <p>
Compromise of the secrets associated with a [=verification method=] allows
the attacker to use them according to the [=verification relationship=]
expressed by [=controller=] in the [=controller document=], for example, for
authentication. The attacker's use of the secrets might be indistinguishable
from the legitimate [=controller=]'s use starting from
the time the [=verification method=] was registered, to the time it was
revoked.
      </p>


      <p>
The following considerations might be of use when contemplating the use of
[=verification method=] revocation:
      </p>

      <ul>
        <li>
[=Verification method=] revocation is a reactive security measure.
        </li>

        <li>
It is considered a best practice to support key revocation.
        </li>

        <li>
A [=controller=] is expected to immediately revoke any <a>verification
method</a> that is known to be compromised.
        </li>

        <li>
[=Verification method=] revocation can only be embodied in changes to
the latest version of a [=controller document=]; it cannot retroactively adjust
previous versions.
        </li>

        <li>
If a [=verification method=] is no longer exclusively accessible to the
[=controller=] or parties trusted to act on behalf of the [=controller=],
it is expected to be revoked immediately to reduce the risk of
compromises such as masquerading, theft, and fraud.
        </li>

        <li>
Revocation is expected to be understood as a [=controller=] expressing that
proofs or signatures associated with a revoked [=verification method=]
created after its revocation should be treated as invalid. It could also imply a
concern that existing proofs or signatures might have been created by an
attacker, but this is not necessarily the case. Verifiers, however, might still
choose to accept or reject any such proofs or signatures at their own
discretion.
        </li>

        <li>
Even if a [=verification method=] is present in a [=controller document=],
additional information, such as a public key revocation certificate, or an
external allow or deny list, could be used to determine whether a
[=verification method=] has been revoked.
        </li>

        <li>
The day-to-day operation of any software relying on a compromised
[=verification method=], such as an individual's operating system, antivirus,
or endpoint protection software, could be impacted when the <a>verification
method</a> is publicly revoked.
        </li>
      </ul>

      <section class="notoc">
        <h3>Revocation Semantics</h3>

        <p>
Although verifiers might choose not to accept proofs or signatures from a
revoked verification method, knowing whether a verification was made with a
revoked [=verification method=] is trickier than it might seem. Some auditing
systems provide the ability to look back at the state of an identifier at a
point in time, or at a particular version of the [=controller document=].
When such a feature is combined with a reliable way to determine the time or
identifier version that existed when a cryptographically verifiable statement
was made, then revocation does not undo that statement. This can be the basis
for using digital signatures to make binding commitments; for example, to sign
a mortgage.
        </p>
        <p>
If these conditions are met, revocation is not retroactive; it only nullifies
future use of the method.
        </p>
        <p>
However, in order for such semantics to be safe, the second condition &mdash; an
ability to know what the state of the [=controller document=] was at the time
the assertion was made &mdash; is expected to apply. Without that guarantee,
someone could discover a revoked key and use it to make cryptographically
verifiable statements with a simulated date in the past.
        </p>
        <p>
Some auditing systems only allow the retrieval of the current state of a
identifier. When this is true, or when the state of an identifier at the time of
a cryptographically verifiable statement cannot be reliably determined, then the
only safe course is to disallow any consideration of state with respect to time,
except the present moment. Identifier ecosystems that take this approach
essentially provide cryptographically verifiable statements as ephemeral tokens
that can be invalidated at any time by the [=controller=].
        </p>
      </section>
    </section>

    <section>
      <h2>Encrypted Data in Controller Documents</h2>
      <p>
Encryption algorithms have been known to fail due to advances in cryptography
and computing power. Implementers are advised to assume that any encrypted data
placed in a [=controller document=] might eventually be made available in clear text
to the same audience to which the encrypted data is available. This is
particularly pertinent if the [=controller document=] is public.
      </p>
      <p>
Encrypting all or parts of a [=controller document=] is <em>not</em> an appropriate
means to protect data in the long term. Similarly, placing encrypted data in
a [=controller document=] is not an appropriate means to protect personal data.
      </p>
      <p>
Given the caveats above, if encrypted data is included in a [=controller document=],
implementers are advised to not associate any correlatable information
that could be used to infer a relationship between the encrypted data
and an associated party. Examples of correlatable information include
public keys of a receiving party, identifiers to digital assets known to be
under the control of a receiving party, or human readable descriptions of a
receiving party.
      </p>

    </section>

    <section>
      <h2>Content Integrity Protection</h2>
      <p>
[=Controller documents=] which include links to external machine-readable
content such as images, web pages, or schemas are vulnerable to tampering. It is
strongly advised that external links are integrity protected using mechanisms to
secure related resources such as those described in the [[[?VC-DATA-MODEL-2.0]]]
specification. External links are to be avoided if they cannot be integrity
protected and the [=controller document=]'s integrity is dependent on the
external link.
      </p>
      <p>
One example of an external link where the integrity of the <a>controller
document</a> itself could be affected is the JSON-LD Context [[JSON-LD11]]. To protect
against compromise, [=controller document=] consumers are advised to cache
local static copies of JSON-LD contexts and/or verify the integrity of external
contexts against a cryptographic hash that is known to be associated with a safe
version of the external JSON-LD Context.
      </p>
    </section>

    <section>
      <h2>Level of Assurance</h2>

      <p>
Additional information about the security context of authentication events is
often required for compliance reasons, especially in regulated areas such as the
financial and public sectors. This information is often referred to as a Level
of Assurance (LOA). Examples include the protection of secret cryptographic
material, the identity proofing process, and the form-factor of the
authenticator.
      </p>

      <p>
<a target="_blank"
href="https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en">
Payment services (PSD 2)</a> and <a target="_blank"
href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG">
eIDAS</a> introduce such requirements to the security context. Level of
assurance frameworks are classified and defined by regulations and
standards such as <a
target="_blank"
href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG">
eIDAS</a>, <a target="_blank"
href="https://pages.nist.gov/800-63-3/sp800-63-3.html"> NIST 800-63-3</a> and <a
target="_blank" href="https://www.iso.org/standard/45138.html"> ISO/IEC
29115:2013</a>, including their requirements for the security context, and
making recommendations on how to achieve them. This might include strong user
authentication where <a target="_blank"
href="https://fidoalliance.org/fido2/">FIDO2</a>/<a target="_blank"
href="https://www.w3.org/TR/webauthn-2/">WebAuthn</a> can fulfill the
requirement.
      </p>

      <p>
Some regulated scenarios require the implementation of a specific level of
assurance. Since [=verification relationships=] used to perform
<a href="#assertion">assertion</a> and [=authentication=] might be
used in some of these situations, information about the applied security context
might need to be expressed and provided to a <em>verifier</em>. Whether and how
to encode this information in the [=controller document=] data model is out
of scope for this specification. Interested readers might note that 1) the
information could be transmitted using Verifiable Credentials
[[?VC-DATA-MODEL-2.0]], and 2) the [=controller document=] data model can be
extended to incorporate this information.
      </p>
    </section>
  </section>

  <section class="informative">
    <h1>Privacy Considerations</h1>

    <p>
Since [=controller documents=] are designed to be administered directly by
the [=controller=], it is critically important to apply the principles of
Privacy by Design [[PRIVACY-BY-DESIGN]] to all aspects of the
[=controller document=]. All seven of these principles have been applied
throughout the development of this specification. The design used in this
specification does not assume that there is a registrar, hosting company, nor
other intermediate service provider to recommend or apply additional privacy
safeguards. Privacy in this specification is preventive, not remedial, and is an
embedded default. The following sections cover privacy considerations that
implementers might find useful when building systems that utilize <a>controller
documents</a>.
    </p>

    <section>
      <h2>Keep Personal Data Private</h2>

      <p>
If a [=controller document=] is about a specific individual and is
public-facing, it is <em>critical</em> that the [=controller documents=]
contain no personal data. Personal data can instead be transmitted through other
means such as 1) verifiable credentials [[?VC-DATA-MODEL-2.0]], or 2)
other private communication channels.
      </p>
    </section>

    <section>
      <h2>Identifier Correlation Risks</h2>

      <p>
Globally unambiguous identifiers can be used for the purpose of correlation.
[=Controllers=] can mitigate this privacy risk by using pairwise identifiers
that are unique to each relationship; in effect, each identifier acts as a
pseudonym. A pairwise identifier need only be shared with more than one party
when correlation is explicitly desired. If pairwise identifiers are the default,
then the only need to publish an identifier openly, or to share it with multiple
parties, is when the [=controllers=] and/or [=subjects=] explicitly
desire public identification and correlation.
      </p>
    </section>

    <section>
      <h2>Controller Document Correlation Risks</h2>

      <p>
The anti-correlation protections of pairwise identifiers are easily defeated if
the data in the corresponding [=controller documents=] can be correlated. For
example, using identical [=verification methods=] in multiple <a>controller
documents</a> can provide as much correlation information as using the same
identifier. Therefore, the [=controller document=] for a pairwise identifier
also needs to use pairwise unique information, such as ensuring that
[=verification methods=] are unique to the pairwise relationship.
      </p>

    </section>

    <section>
      <h2>Subject Classification</h2>
      <p>
It is dangerous to add properties to the [=controller document=] that can be
used to indicate, explicitly or through inference, what <em>type</em> or nature
of thing the [=subject=] is, particularly if the [=subject=] is a person.
      </p>
      <p>
Not only do such properties potentially result in personal data (see
[[[#keep-personal-data-private]]]) or correlatable data (see <a
href="#identifier-correlation-risks"> </a> and
[[[#controller-document-correlation-risks]]]) being present in
the [=controller document=], but they can be used for grouping particular
identifiers in such a way that they are included in or excluded from certain
operations or functionalities.
      </p>
      <p>
Including <em>type</em> information in a [=controller document=] can result
in personal privacy harms even for [=subjects=] that are non-person entities,
such as IoT devices. The aggregation of such information around a
[=controller=] could serve as a form of digital fingerprint and this is best
avoided.
      </p>
      <p>
To minimize these risks, all properties in a [=controller document=] ought to
be for expressing [=verification methods=] and <a>verification
relationships</a> related to using the identifier.
      </p>

    </section>
    </section>

    <section>
      <h2>Accessibility Considerations</h2>
      <p>
The following section describes accessibility considerations that developers
implementing this specification are urged to consider in order to ensure that
their software is usable by people with different cognitive, motor, and visual
needs. As a general rule, this specification is used by system software and does
not directly expose individuals to information subject to accessibility
considerations. However, there are instances where individuals might be
indirectly exposed to information expressed by this specification and thus the
guidance below is provided for those situations.
      </p>

      <section>
        <h2>Presenting Time Values</h2>
        <p>
This specification enables the expression of dates and times related to the
validity period of cryptographic proofs. This information might be indirectly
exposed to an individual if a proof is processed and is detected to be outside
an allowable time range. When exposing these dates and times to an individual,
implementers are urged to take into account
<a data-cite="?VC-DATA-MODEL-2.0#representing-time">cultural normas and locales
when representing dates and times</a> in display software. In addition to these
considerations, presenting time values in a way that eases the cognitive burden
on the individual receiving the information is a suggested best practice.
        </p>
        <p>
For example, when conveying the expiration date for a particular set of
digitally signed information, implementers are urged to present the time of
expiration using language that is easier to understand rather than language that
optimizes for accuracy. Presenting the expiration time as "This ticket expired
three days ago." is preferred over a phrase such as "This ticket expired on July
25th 2023 at 3:43 PM." The former provides a relative time that is easier to
comprehend than the latter time, which requires the individual to do the
calculation in their head and presumes that they are capable of doing such a
calculation.
        </p>
      </section>

    </section>

    <section class="appendix informative">
      <h2>Examples</h2>

      <p>
This section contains more detailed examples of the concepts introduced in
the specification.
      </p>
      <section class="informative">
        <h2>Multikey Examples</h2>

        <p>
This section contains various Multikey examples that might be useful for
developers seeking test values.
        </p>

          <pre class="example nohighlight"
            title="A P-256 public key encoded as a Multikey">
{
  "id": "https://multikey.example/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://multikey.example/issuer/123",
  "publicKeyMultibase": "zDnaerx9CtbPJ1q36T5Ln5wYt3MQYeGRG5ehnPAmxcf5mDZpv"
}
          </pre>

          <pre class="example nohighlight"
            title="A P-384 public key encoded as a Multikey">
{
  "id": "https://multikey.example/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://multikey.example/issuer/123",
  "publicKeyMultibase": "z82LkvCwHNreneWpsgPEbV3gu1C6NFJEBg4srfJ5gdxEsMGRJ
    Uz2sG9FE42shbn2xkZJh54"
}
          </pre>

          <pre class="example nohighlight"
            title="An Ed25519 public key encoded as a Multikey">
{
  "id": "https://multikey.example/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://multikey.example/issuer/123",
  "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP"
}
          </pre>

          <pre class="example nohighlight"
            title="A BLS12-381 G2 group public key, encoded as a Multikey">
{
  "id": "https://multikey.example/issuer/123#key-0",
  "type": "Multikey",
  "controller": "https://multikey.example/issuer/123",
  "publicKeyMultibase": "zUC7EK3ZakmukHhuncwkbySmomv3FmrkmS36E4Ks5rsb6VQSRpoCrx6
  Hb8e2Nk6UvJFSdyw9NK1scFXJp21gNNYFjVWNgaqyGnkyhtagagCpQb5B7tagJu3HDbjQ8h
  5ypoHjwBb"
}
          </pre>

          <pre class="example nohighlight"
               title="Multiple public keys encoded as Multikeys in a controller document">
{
  "@context": "https://www.w3.org/ns/controller/v1",
  "id": "https://controller.example/123",
  "verificationMethod": [{
    "id": "https://multikey.example/issuer/123#key-1",
    "type": "Multikey",
    "controller": "https://multikey.example/issuer/123",
    "publicKeyMultibase": "zDnaerx9CtbPJ1q36T5Ln5wYt3MQYeGRG5ehnPAmxcf5mDZpv"
  }, {
    "id": "https://multikey.example/issuer/123#key-2",
    "type": "Multikey",
    "controller": "https://multikey.example/issuer/123",
    "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP"
  }, {
    "id": "https://multikey.example/issuer/123#key-3",
    "type": "Multikey",
    "controller": "https://multikey.example/issuer/123",
    "publicKeyMultibase": "zUC7EK3ZakmukHhuncwkbySmomv3FmrkmS36E4Ks5rsb6VQSRpoCrx6
    Hb8e2Nk6UvJFSdyw9NK1scFXJp21gNNYFjVWNgaqyGnkyhtagagCpQb5B7tagJu3HDbjQ8h
    5ypoHjwBb"
  }],
  "authentication": [
    "https://controller.example/123#key-1"
  ],
  "assertionMethod": [
    "https://controller.example/123#key-2"
    "https://controller.example/123#key-3"
  ],
  "capabilityDelegation": [
    "https://controller.example/123#key-2"
  ],
  "capabilityInvocation": [
    "https://controller.example/123#key-2"
  ]
}
          </pre>
        </section>
      </section>

    </section>

    <section class="appendix informative">
      <h2>Revision History</h2>

      <p>
This section contains the substantive changes that have been made to this
specification over time.
      </p>

      <ul>
        <li>
Populated Terminology section.
        </li>
        <li>
Apply wording updates from VC-JOSE-COSE spec.
        </li>
      </ul>

    </section>

    <section class="appendix informative">
      <h2>Acknowledgements</h2>

      <p>
The specification authors would like to thank the contributors to the
<a href="https://www.w3.org/TR/2022/REC-did-core-20220719/">W3C Decentralized Identifiers (DIDs) v1.0</a>,
<a href="https://www.w3.org/TR/2024/CRD-vc-data-integrity-20240609/">W3C Verifiable Credential Data Integrity 1.0</a>, and
<a href="https://www.w3.org/TR/2024/CRD-vc-jose-cose-20240521/">W3C Securing Verifiable Credentials using JOSE and COSE</a> specifications
upon which this work is based.
      </p>

      <p>
we would also like to thank the base-x software library contributors and the
Bitcoin Core developers who wrote the original code, shared under an MIT
License, found in Section [[[#base-encode]]] and Section [[[#base-decode]]].
      </p>
    </section>

  </body>
</html>