This document describes the Security Vocabulary, i.e., the vocabulary used to ensure the authenticity and integrity of Verifiable Credentials and similar types of constrained digital documents using cryptography, especially through the use of digital signatures and related mathematical proofs.

Alternate versions of the vocabulary definition exist in Turtle and JSON-LD.

Published:
Version Info:
- 2.0
- See Also: https://www.w3.org/TR/vc-data-integrity/

In general, the terms — i.e., the properties and classes — used in the VCDM are formally specified in Recommendation Track documents published by the W3C Verifiable Credentials Working Group or, for some deprecated or reserved terms, in Reports published by the W3C Credentials Community Group. In each case of such external definition, the term's description in this document contains a link to the relevant specification. Additionally, the `rdfs:definedBy` property in the RDFS representation(s) refers to the formal specification.

In some cases, a local explanation is necessary to complement, or to replace, the definition found in an external specification. For instance, this is so when the term is needed to provide a consistent structure to the RDFS vocabulary, such as when the term defines a common supertype for class instances that are used as objects of specific properties, or when RDF Graphs are involved. For such cases, the extra definition is included in the current document (and the `rdfs:comment` property is used to include them in the RDFS representations).

This specification makes use of the following namespaces:

- `sec`: `https://w3id.org/security#`
- `cred`: `https://www.w3.org/2018/credentials#`
- `dc`: `http://purl.org/dc/terms/`
- `owl`: `http://www.w3.org/2002/07/owl#`
- `rdf`: `http://www.w3.org/1999/02/22-rdf-syntax-ns#`
- `rdfs`: `http://www.w3.org/2000/01/rdf-schema#`
- `xsd`: `http://www.w3.org/2001/XMLSchema#`
- `vs`: `http://www.w3.org/2003/06/sw-vocab-status/ns#`
- `schema`: `http://schema.org/`
- `jsonld`: `http://www.w3.org/ns/json-ld#`

`@context` files

The following `@context` files make use of the terms defined in this specification:

The following are property definitions in the `sec` namespace.

`verificationMethod`

*Verification method*

See the formal definition of the term.

- See also: Decentralized Identifiers (DIDs) v1.0
- Range: `VerificationMethod`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`

`controller`

*Controller*

See the formal definition of the term.

The property's value should be a URL, i.e., not a literal.

- Domain: `VerificationMethod`
- Relevant `@contexts`: `https://w3id.org/security/multikey/v1`, `https://w3id.org/security/jwk/v1`, `https://www.w3.org/ns/did/v1`

`proof`

*Proof sets*

See the formal definition of the term.

- Range: `ProofGraph`
- Relevant `@contexts`: `https://www.w3.org/ns/credentials/v2`, `https://w3id.org/security/data-integrity/v2`

`domain`

*Domain of a proof*

See the formal definition of the term.

- Range: `xsd:string`
- Domain: `Proof`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`

`challenge`

*Challenge of a proof*

See the formal definition of the term.

- Range: `xsd:string`
- Domain: `Proof`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`

`previousProof`

*Previous proof*

See the formal definition of the term.

- Range: `Proof`
- Domain: `Proof`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`

`proofPurpose`

*Proof purpose*

See the formal definition of the term.

- Range: `VerificationRelationship`
- Domain: `Proof`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`

`proofValue`

*Proof value*

See the formal definition of the term.

- Range: `multibase`
- Domain: `Proof`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`

`created`

*Proof creation time*

See the formal definition of the term.

- Range: `xsd:dateTime`
- Domain: `Proof`
- Relevant `@context`: `https://w3id.org/security/data-integrity/v2`

`expiration`

*Expiration time for a proof or verification method*

See the formal definition of the term.

Historically, this property has often been expressed using `expires` as a shortened term in JSON-LD. Since this shortened term and its mapping to this property are in significant use in the ecosystem, the inconsistency between the short term name (`expires`) and the property identifier (`...#expiration`) is expected and should not trigger an error.

- Range: `xsd:dateTime`
- Domain:
  - Union of: `Proof`, `VerificationMethod`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`

`nonce`

*Nonce supplied by proof creator*

See the formal definition of the term.

- Range: `xsd:string`
- Domain: `Proof`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`

`authentication`

*Authentication method*

See the formal definition of the term.

- Type: `VerificationRelationship`
- Range: `VerificationMethod`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`, `https://www.w3.org/ns/did/v1`

`assertionMethod`

*Assertion method*

See the formal definition of the term.

- Type: `VerificationRelationship`
- Range: `VerificationMethod`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`, `https://www.w3.org/ns/did/v1`

`capabilityDelegationMethod`

*Capability delegation method*

See the formal definition of the term.

Historically, this property has often been expressed using `capabilityDelegation` as a shortened term in JSON-LD. Since this shortened term and its mapping to this property are in significant use in the ecosystem, the inconsistency between the short term name (`capabilityDelegation`) and the property identifier (`...#capabilityDelegationMethod`) is expected and should not trigger an error.

- Type: `VerificationRelationship`
- Range: `VerificationMethod`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`, `https://www.w3.org/ns/did/v1`

`capabilityInvocationMethod`

*Capability invocation method*

See the formal definition of the term.

Historically, this property has often been expressed using `capabilityInvocation` as a shortened term in JSON-LD. Since this shortened term and its mapping to this property are in significant use in the ecosystem, the inconsistency between the short term name (`capabilityInvocation`) and the property identifier (`...#capabilityInvocationMethod`) is expected and should not trigger an error.

- Type: `VerificationRelationship`
- Range: `VerificationMethod`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`, `https://www.w3.org/ns/did/v1`

`keyAgreementMethod`

*Key agreement protocols*

See the formal definition of the term.

Historically, this property has often been expressed using `keyAgreement` as a shortened term in JSON-LD. Since this shortened term and its mapping to this property are in significant use in the ecosystem, the inconsistency between the short term name (`keyAgreement`) and the property identifier (`...#keyAgreementMethod`) is expected and should not trigger an error.

- Type: `VerificationRelationship`
- Range: `VerificationMethod`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`, `https://www.w3.org/ns/did/v1`

`cryptosuite`

*Cryptographic suite*

See the formal definition of the term.

- Range: `cryptosuiteString`
- Domain: `DataIntegrityProof`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`

`publicKeyMultibase`

*Public key multibase*

See the formal definition of the term.

- See also:
  - multibase
  - multicodec
- Range: `multibase`
- Domain: `Multikey`
- Relevant `@context`: `https://w3id.org/security/multikey/v1`

`secretKeyMultibase`

*Secret key multibase*

See the formal definition of the term.

- See also:
  - multibase format
  - multicodec format
- Range: `multibase`
- Domain: `Multikey`
- Relevant `@context`: `https://w3id.org/security/multikey/v1`

`publicKeyJwk`

*Public key JWK*

See the formal definition of the term.

- See also:
  - IANA JOSE
  - RFC 7517
- Range: `rdf:JSON`
- Domain: `JsonWebKey`
- Relevant `@context`: `https://w3id.org/security/jwk/v1`

`secretKeyJwk`

*Secret key JWK*

See the formal definition of the term.

- See also:
  - IANA JOSE
  - RFC 7517
- Range: `rdf:JSON`
- Domain: `JsonWebKey`
- Relevant `@context`: `https://w3id.org/security/jwk/v1`

`revoked`

*Revocation time*

See the formal definition of the term.

- Range: `xsd:dateTime`
- Domain: `VerificationMethod`
- Relevant `@context`: `https://w3id.org/security/jwk/v1`

`digestMultibase`

*Digest multibase*

See the formal definition of the term.

- Range: `multibase`
- Relevant `@context`: `https://www.w3.org/ns/credentials/v2`

The following are class definitions in the `sec` namespace.

`Proof`

*Digital proof*

See the formal definition of the term.

This class represents a digital proof on serialized data.

- Range of: `previousProof`
- Domain of: `domain`, `challenge`, `previousProof`, `proofPurpose`, `proofValue`, `created`, `nonce`
- In the domain of: `expiration`
- Relevant `@context`: `https://w3id.org/security/data-integrity/v2`

`ProofGraph`

*An RDF Graph for a digital proof*

Instances of this class are RDF Graphs [RDF12-CONCEPTS], where each of these graphs must include exactly one Proof instance.

- Range of: `proof`

`VerificationMethod`

*Verification method*

See the formal definition of the term.

- Range of: `verificationMethod`, `authentication`, `assertionMethod`, `capabilityDelegationMethod`, `capabilityInvocationMethod`, `keyAgreementMethod`
- Domain of: `controller`, `revoked`
- In the domain of: `expiration`
- Relevant `@context`: `https://w3id.org/security/data-integrity/v2`

`VerificationRelationship`

*Verification relationship*

See the formal definition of the term.

Instances of this class are verification relationships like, for example, authentication or assertionMethod. These resources can also appear as values of the proofPurpose property.

- Subclass of: `rdf:Property`
- Range of: `proofPurpose`

`DataIntegrityProof`

*A Data Integrity Proof*

See the formal definition of the term.

- Subclass of: `Proof`
- Domain of: `cryptosuite`
- Relevant `@contexts`: `https://w3id.org/security/data-integrity/v2`, `https://www.w3.org/ns/credentials/v2`

`Multikey`

*Multikey Verification Method*

See the formal definition of the term.

- See also:
  - EdDSA Cryptosuites
  - ECDSA Cryptosuites
  - BBS Cryptosuites
- Subclass of: `VerificationMethod`
- Domain of: `publicKeyMultibase`, `secretKeyMultibase`
- Relevant `@context`: `https://w3id.org/security/multikey/v1`

`JsonWebKey`

*JSON Web Key Verification Method*

See the formal definition of the term.

- Subclass of: `VerificationMethod`
- Domain of: `publicKeyJwk`, `secretKeyJwk`
- Relevant `@context`: `https://w3id.org/security/jwk/v1`

`Ed25519VerificationKey2020`

*Ed25519 Verification Key, 2020 version*

See the formal definition of the term.

- Subclass of: `VerificationMethod`

`Ed25519Signature2020`

*Ed25519 Signature Suite, 2020 version*

See the formal definition of the term.

- Subclass of: `Proof`

`ProcessingError`

*Processing error*

See the formal definition of the term.

The following are datatype definitions in the `sec` namespace.

`cryptosuiteString`

*Datatype for cryptosuite Identifiers*

See the formal definition of the term.

- Derived from: `xsd:string`
- Range of: `cryptosuite`
- Relevant `@context`: `https://w3id.org/security/data-integrity/v2`

`multibase`

*Datatype for multibase values*

See the formal definition of the term.

- Derived from: `xsd:string`
- Range of: `proofValue`, `publicKeyMultibase`, `secretKeyMultibase`, `digestMultibase`
- Relevant `@context`: `https://w3id.org/security/multikey/v1`

The following are definitions for individuals in the `sec` namespace.

`PROOF_GENERATION_ERROR`

*Proof generation error (-16)*

See the formal definition of the term.

- Type: `ProcessingError`

`PROOF_VERIFICATION_ERROR`

*Malformed proof (-17)*

See the formal definition of the term.

- Type: `ProcessingError`

`PROOF_TRANSFORMATION_ERROR`

*Mismatched proof purpose (-18)*

See the formal definition of the term.

- Type: `ProcessingError`

`INVALID_DOMAIN_ERROR`

*Invalid proof domain (-19)*

See the formal definition of the term.

- Type: `ProcessingError`

`INVALID_CHALLENGE_ERROR`

*Invalid challenge (-20)*

See the formal definition of the term.

- Type: `ProcessingError`

`INVALID_VERIFICATION_METHOD_URL`

*Invalid verification method URL (-21)*

See the formal definition of the term.

- Type: `ProcessingError`

`INVALID_CONTROLLER_DOCUMENT_ID`

*Invalid controller document id (-22)*

See the formal definition of the term.

- Type: `ProcessingError`

`INVALID_CONTROLLER_DOCUMENT`

*Invalid controller document (-23)*

See the formal definition of the term.

- Type: `ProcessingError`

`INVALID_VERIFICATION_METHOD`

*Invalid verification method (-24)*

See the formal definition of the term.

- Type: `ProcessingError`

`INVALID_PROOF_PURPOSE_FOR_VERIFICATION_METHOD`

*Invalid proof purpose for verification method (-25)*

See the formal definition of the term.

- Type: `ProcessingError`

All terms in this section are *reserved*. Implementers may use these properties, but should expect them and/or their meanings to change during the process to normatively specify them.

The following are *reserved* property definitions in the `sec` namespace.

`allowedAction`

*Allowed action (reserved)*

See the formal definition of the term.

`capabilityChain`

*Capability chain (reserved)*

See the formal definition of the term.

`capabilityAction`

*Capability action (reserved)*

See the formal definition of the term.

`caveat`

*Caveat (reserved)*

See the formal definition of the term.

`delegator`

*Delegator (reserved)*

See the formal definition of the term.

`invocationTarget`

*Invocation target (reserved)*

See the formal definition of the term.

`invoker`

*Invoker (reserved)*

See the formal definition of the term.

All terms in this section are *deprecated*, and are only kept in this vocabulary for backward compatibility.

New applications should not use them.

The following are *deprecated* property definitions in the `sec` namespace.

`blockchainAccountId`

*Blockchain account ID (deprecated)*

See the formal definition of the term.

- Range: `xsd:string`

`ethereumAddress`

*Ethereum address (deprecated)*

See the formal definition of the term.

- See also:
  - EIP-55
  - Ethereum Yellow Paper: Ethereum: a secure decentralised generalised transaction ledger
- Range: `xsd:string`

`publicKeyBase58`

*Base58-encoded Public Key (deprecated)*

See the formal definition of the term.

- Range: `xsd:string`

`publicKeyPem`

*Public key PEM (deprecated)*

See the formal definition of the term.

- Range: `xsd:string`

`publicKeyHex`

*Hex-encoded version of public Key (deprecated)*

See the formal definition of the term.

- See also: rfc4648
- Range: `xsd:string`

`jws`

*JSON Web Signature (deprecated)*

See the formal definition of the term.

- See also: Detached JSON Web Signature

The following are *deprecated* class definitions in the `sec` namespace.

`Key`

*Cryptographic key (deprecated)*

This class represents a cryptographic key that may be used for encryption, decryption, or digitally signing data. This class serves as a supertype for specific key types.

`EcdsaSecp256k1Signature2019`

*ecdsa-secp256k1, 2019 version (deprecated)*

See the formal definition of the term.

`EcdsaSecp256k1Signature2020`

*ecdsa-secp256k1, 2020 version (deprecated)*

See the formal definition of the term.

`EcdsaSecp256k1VerificationKey2019`

*ecdsa-secp256k1 verification key, 2019 version (deprecated)*

See the formal definition of the term.

- Subclass of: `Key`

`EcdsaSecp256k1RecoverySignature2020`

*ecdsa-secp256k1 recovery signature, 2020 version (deprecated)*

See the formal definition of the term.

`EcdsaSecp256k1RecoveryMethod2020`

*ecdsa-secp256k1 recovery method, 2020 version (deprecated)*

See the formal definition of the term.

`MerkleProof2019`

*Merkle Proof (deprecated)*

See the formal definition of the term.

`X25519KeyAgreementKey2019`

*X25519 Key Agreement Key, 2019 version (deprecated)*

See the formal definition of the term.

`Ed25519VerificationKey2018`

*Ed25519 Verification Key, 2018 version (deprecated)*

See the formal definition of the term.

`JsonWebKey2020`

*JSON Web Key, 2020 version (deprecated)*

See the formal definition of the term.

A linked data proof suite verification method type used with `JsonWebSignature2020`.

`JsonWebSignature2020`

*JSON Web Signature, 2020 version (deprecated)*

See the formal definition of the term.

`BbsBlsSignature2020`

*BBS Signature, 2020 version (deprecated)*

See the formal definition of the term.

`BbsBlsSignatureProof2020`

*BBS Signature Proof, 2020 version (deprecated)*

See the formal definition of the term.

`Bls12381G1Key2020`

*BLS 12381 G1 Signature Key, 2020 version (deprecated)*

See the formal definition of the term.

`Bls12381G2Key2020`

*BLS 12381 G2 Signature Key, 2020 version (deprecated)*

See the formal definition of the term.

The diagram uses boxes, ellipses, and connecting lines with different "styles" (border color, end marker, line type) to differentiate their semantic meaning: "Property", "Class", and "Datatype" are identified by the shape of the graph node (e.g., an ellipse signifies a "Class"); "Superclass", "Domain Of", "Range", "Type", and "Contains" relationships are identified by the style of the connecting line. These style names are used in the explanation text that follows, below.

The diagram is roughly divided into three sections — lower left, lower right, and upper. To make this description easier to understand, these sections will be respectively referred to as the "Proof", "Verification Method", and "Verification Relationship" sections. Shapes in the three sections are connected by lines of different styles; additionally, one box, labeled as "multibase" and shaped as "Datatype", bridges the two lower sections ("Proof" and "Verification Method").

Each of these sections has an ellipse at the top, labeled as "Proof", "VerificationMethod", and "VerificationRelationship", respectively.

The left side of the "Proof" section contains another ellipse, labeled as "ProofGraph", and connected with a line styled as "Contains" to the "Proof" ellipse. A separate box, styled as "Property" and labeled as "proof", is connected with a line styled as "Range" to the "ProofGraph" ellipse.

There are two more ellipses in this section, labeled as "Ed25519Signature2020" and "DataIntegrityProof", and each connected to the "Proof" ellipse with lines styled as "Superclass". The "DataIntegrityProof" ellipse is also connected to a box, styled as "Property" and labeled as "cryptosuite", with a line styled as "Domain Of". The "cryptosuite" Property box is connected to a shape, styled as "Datatype" and labeled as "cryptosuiteString", with a line styled as "Range".

The right side of the section contains a column of labeled boxes, all styled as "Property". The labels, from top to bottom, are "previousProof", "domain", "challenge", "nonce", "created", and "proofValue". The "Proof" ellipse is connected to all of these boxes with lines styled as "Domain Of". The "previousProof" box is also connected to the "Proof" ellipse, with a line styled as "Range". The "proofValue" box is connected to a shape, styled as "Datatype" and labeled as "multibase", with a line styled as "Range". Finally, the same "multibase" "Datatype" shape is connected to another box, styled as "Property" and labeled as "digestMultibase", with a line styled as "Range".

The left side of the "Verification Method" section contains a column of three labeled boxes, all styled as "Property". The labels, from top to bottom, are "expires", "controller", and "revoked". Each of these is connected to the "VerificationMethod" ellipse, with a line styled as "Domain Of". The "expires" "Property" box is also connected to the "Proof" ellipse (in the Proof section), with a line styled as "Domain Of".

There is also a distinct box, styled as "Property" and labeled as "verificationMethod". This "verificationMethod" box is connected to the "VerificationMethod" ellipse, with a connecting line styled as "Range".

The middle of this section contains three more ellipses, labeled as "Multikey", "Ed25519VerificationKey2020", and "JsonWebKey". Each of these is connected to the "VerificationMethod" ellipse, with a line styled as "Superclass".

Two boxes, styled as "Property" and labeled as "secretKeyMultibase" and "publicKeyMultibase", are connected to the ellipse labeled as "Multikey" with a line styled as "Domain Of". Each of these boxes is also connected to the "multibase" "Datatype" shape in the Proof section, with lines styled as "Range".

Finally, two boxes, styled as "Property" and labeled as "secretKeyJwk" and "publicKeyJwk", are connected to the "JsonWebKey" ellipse, with a line styled as "Domain Of". Both boxes are also connected to a shape, styled as "Datatype" and labeled as "rdf:JSON", with lines styled as "Range".

The left side of the "Verification Relationship" section contains a single box, styled as "Property" and labeled as "proofPurpose". This box is connected to the "VerificationRelationship" ellipse, with a line styled as "Range". It is also connected to the "Proof" ellipse in the Proof section, with a line styled as "Domain Of".

The right side of the section contains a column of labeled boxes, all styled as "Property". The labels, from top to bottom, are "verificationMethod", "authentication", "assertionMethod", "capabilityDelegation", "capabilityInvocation", and "keyAgreement". Each of these boxes is connected to the "VerificationMethod" ellipse in the Verification Method section, with a line styled as "Range". Finally, each of these boxes is also connected to the "VerificationRelationship" ellipse, with a line styled as "Type".