W3C Candidate Recommendation Snapshot
Copyright © 2024 World Wide Web Consortium. W3C® liability, trademark and permissive document license rules apply.
This specification describes Data Integrity cryptographic suites for use when creating or verifying a digital signature using the the Ed25519 instantiation of the Edwards-Curve Digital Signature Algorithm (EdDSA).
This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
The Working Group is actively seeking implementation feedback for this specification. In order to exit the Candidate Recommendation phase, the Working Group has set the requirement of at least two independent implementations for each mandatory feature in the specification. For details on the conformance testing process, see the test suites listed in the implementation report.
Any feature with less than two independent implementations in the EdDSA Cryptosuite Implementation Report is an "at risk" feature and might be removed before the transition to W3C Proposed Recommendation.
This document was published by the Verifiable Credentials Working Group as a Candidate Recommendation Snapshot using the Recommendation track.
Publication as a Candidate Recommendation does not imply endorsement by W3C and its Members. A Candidate Recommendation Snapshot has received wide review, is intended to gather implementation experience, and has commitments from Working Group members to royalty-free licensing for implementations.
This Candidate Recommendation is not expected to advance to Proposed Recommendation any earlier than 05 December 2024.
This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
This document is governed by the 03 November 2023 W3C Process Document.
This specification defines a cryptographic suite for the purpose of creating, verifying proofs for Ed25519 EdDSA signatures in conformance with the Data Integrity [VC-DATA-INTEGRITY] specification. The approach is accepted by the U.S. National Institute of Standards in the latest [FIPS-186-5] publication and meets U.S. Federal Information Processing requirements when using cryptography to secure digital information.
The suites described in this specification use the RDF Dataset Canonicalization Algorithm [RDF-CANON] or the JSON Canonicalization Scheme [RFC8785] to transform an input document into its canonical form. The canonical representation is then hashed and signed with a detached signature algorithm.
Terminology used throughout this document is defined in the Terminology section of the Verifiable Credential Data Integrity 1.0 specification.
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key words MAY, MUST, MUST NOT, and SHOULD in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
A conforming proof is any concrete expression of the data model that complies with the normative statements in this specification. Specifically, all relevant normative statements in Sections 2. Data Model and 3. Algorithms of this document MUST be enforced.
A conforming processor is any algorithm realized as software and/or hardware that generates or consumes a conforming proof. Conforming processors MUST produce errors when non-conforming documents are consumed.
This document contains examples of JSON and JSON-LD data. Some of these examples
are invalid JSON, as they include features such as inline comments (//
)
explaining certain portions and ellipses (...
) indicating the omission of
information that is irrelevant to the example. These parts would have to be
removed in order to treat the examples as valid JSON or JSON-LD.
The following sections outline the data model that is used by this specification to express verification methods, such as cryptographic public keys, and data integrity proofs, such as digital signatures.
This cryptographic suite is used to verify Data Integrity Proofs [VC-DATA-INTEGRITY] produced using Edwards Curve cryptographic key material. The encoding formats for those key types are provided in this section. Lossless cryptographic key transformation processes that result in equivalent cryptographic key material MAY be used for the processing of digital signatures.
The Multikey format, defined in Controller Documents 1.0, is used to express public keys for the cryptographic suites defined in this specification.
The publicKeyMultibase
value of the verification method MUST start with the
base-58-btc prefix (z
), as defined in the
Multibase section of
Controller Documents 1.0. A Multibase-encoded Ed25519 256-bit public key value
follows, as defined in the
Multikey section of
Controller Documents 1.0. Any other encoding MUST NOT be allowed.
Developers are advised to not accidentally publish a representation of a private
key. Implementations of this specification will raise errors if they encounter a
Multikey prefix value other than 0xed01
in a publicKeyMultibase
value.
{ "id": "https://example.com/issuer/123#key-0", "type": "Multikey", "controller": "https://example.com/issuer/123", "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP" }
{ "@context": [ "https://www.w3.org/ns/did/v1", "https://w3id.org/security/multikey/v1" ], "id": "did:example:123", "verificationMethod": [{ "id": "did:example:123#key-0", "type": "Multikey", "controller": "did:example:123", "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP" }], "authentication": [ "did:example:123#key-0" ], "assertionMethod": [ "did:example:123#key-0" ], "capabilityDelegation": [ "did:example:123#key-0" ], "capabilityInvocation": [ "did:example:123#key-0" ] }
The secretKeyMultibase
value of the verification method MUST start with the
base-58-btc prefix (z
), as defined in the
Multibase section of
Controller Documents 1.0. A Multibase-encoded Ed25519 256-bit secret key value
follows, as defined in the
Multikey section of
Controller Documents 1.0. Any other encoding MUST NOT be allowed.
Developers are advised to prevent accidental publication of a representation of
a secret key, and to not export the secretKeyMultibase
property by default,
when serializing key pairs to Multikey.
This section details the proof representation formats that are defined by this specification.
A proof contains the attributes specified in the Proofs section of [VC-DATA-INTEGRITY] with the following restrictions.
The type
property MUST be DataIntegrityProof
.
The cryptosuite
property of the proof MUST be eddsa-rdfc-2022
or eddsa-jcs-2022
.
The proofValue
property of the proof MUST be a detached EdDSA signature
produced according to [RFC8032], encoded using the base-58-btc header and
alphabet as described in the
Multibase section of
Controller Documents 1.0.
{ "@context": [ {"myWebsite": "https://vocabulary.example/myWebsite"}, "https://www.w3.org/ns/credentials/v2" ], "myWebsite": "https://hello.world.example/", "proof": { "type": "DataIntegrityProof", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "https://vc.example/issuers/5678#z6MkrJVnaZkeFzdQyMZu1 cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", "proofPurpose": "assertionMethod", "proofValue": "z5C5b1uzYJN6pDR3aWgAqUMoSB1JY29epA74qyjaie9qh4okm9DZP6y77eTNq 5NfYyMwNu9bpQQWUHKH5zAmEtszK" } }
The following section describes multiple Data Integrity cryptographic suites that use the Edwards-Curve Digital Signature Algorithm.
This algorithm is used to configure a cryptographic suite to be used by the Add Proof and Verify Proof functions in Verifiable Credential Data Integrity 1.0. The algorithm takes an options object (map options) as input and returns a cryptosuite instance (struct cryptosuite).
DataIntegrityProof
, return cryptosuite.
eddsa-rdfc-2022
:
eddsa-jcs-2022
:
The eddsa-rdfc-2022
cryptographic suite takes an input document, canonicalizes
the document using the RDF Dataset Canonicalization algorithm [RDF-CANON], and then
cryptographically hashes and signs the output
resulting in the production of a data integrity proof. The algorithms in this
section also include the verification of such a data integrity proof.
When the RDF Dataset Canonicalization Algorithm [RDF-CANON] is used, implementations will detect dataset poisoning by default, and abort processing upon such detection.
The following algorithm specifies how to create a data integrity proof given an unsecured data document. Required inputs are an unsecured data document (map unsecuredDocument), and a set of proof options (map options). A data integrity proof (map), or an error, is produced as output.
The following algorithm specifies how to verify a data integrity proof given an secured data document. Required inputs are an secured data document (map securedDocument). This algorithm returns a verification result, which is a struct whose items are:
true
or false
false
, Null;
otherwise, an unsecured data document
proof
value removed.
proofValue
removed.
true
, unsecuredDocument;
otherwise, NullThe following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section 3.2.4 Hashing (eddsa-rdfc-2022).
Required inputs to this algorithm are an
unsecured data document (unsecuredDocument
) and
transformation options (options
). The
transformation options MUST contain a type identifier for the
cryptographic suite (type
) and a cryptosuite
identifier (cryptosuite
). A transformed data document is
produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8
encoding.
options
.type
is not set to the string
DataIntegrityProof
and options
.cryptosuite
is not
set to the string eddsa-rdfc-2022
,
an error MUST be raised that SHOULD convey an error type of
PROOF_TRANSFORMATION_ERROR.
canonicalDocument
as the transformed data document.
The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section 3.2.6 Proof Serialization (eddsa-rdfc-2022) or Section 3.2.7 Proof Verification (eddsa-rdfc-2022).
The required inputs to this algorithm are a transformed data document
(transformedDocument
) and canonical proof configuration
(canonicalProofConfig
). A single hash data value represented as
series of bytes is produced as output.
proofConfigHash
be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [RFC6234]
to the canonicalProofConfig
. proofConfigHash
will be
exactly 32 bytes in size.
transformedDocumentHash
be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [RFC6234]
to the transformedDocument
. transformedDocumentHash
will
be exactly 32 bytes in size.
hashData
be the result of concatenating proofConfigHash
(the first hash produced above) followed by transformedDocumentHash
(the second hash produced above).
hashData
as the hash data.
The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the proof hashing algorithm.
The required inputs to this algorithm are the document
(unsecuredDocument) and the proof options
(options
). The proof options MUST contain a type identifier
for the
cryptographic suite (type
) and MUST contain a cryptosuite
identifier (cryptosuite
). A proof configuration
object is produced as output.
DataIntegrityProof
and/or
proofConfig.cryptosuite is not set to eddsa-rdfc-2022
, an
error MUST be raised and SHOULD convey an error type of
PROOF_GENERATION_ERROR.
@context
to
unsecuredDocument.@context.
The following algorithm specifies how to serialize a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4: Algorithms. Required inputs are
cryptographic hash data (hashData
) and
proof options (options
). The
proof options MUST contain a type identifier for the
cryptographic suite (type
) and MAY contain a cryptosuite
identifier (cryptosuite
). A single digital proof value
represented as series of bytes is produced as output.
privateKeyBytes
be the result of retrieving the
private key bytes associated with the
options
.verificationMethod
value as described in the
Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4.1: Processing Model.
proofBytes
be the result of applying the Edwards-Curve Digital
Signature Algorithm (EdDSA) [RFC8032], using the Ed25519
variant
(Pure EdDSA), with hashData
as the data to be signed using
the private key specified by privateKeyBytes
.
proofBytes
will be exactly 64 bytes in size.
proofBytes
as the digital proof.
The following algorithm specifies how to verify a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4: Algorithms. Required inputs are
cryptographic hash data (hashData
),
a digital signature (proofBytes
) and
proof options (options
). A verification result
represented as a boolean value is produced as output.
publicKeyBytes
be the result of retrieving the
public key bytes associated with the
options
.verificationMethod
value as described in the
Controller Documents 1.0 specification,
Section 3.3: Retrieve Verification Method.
verificationResult
be the result of applying the verification
algorithm for the Edwards-Curve Digital Signature Algorithm (EdDSA)
[RFC8032], using the Ed25519
variant (Pure EdDSA),
with hashData
as the data to be verified against the
proofBytes
using the public key specified by
publicKeyBytes
.
verificationResult
as the verification result.
The eddsa-jcs-2022
cryptographic suite takes an input document, canonicalizes
the document using the JSON Canonicalization Scheme [RFC8785], and then
cryptographically hashes and signs the output resulting in the production of a
data integrity proof.
The following algorithm specifies how to create a data integrity proof given an unsecured data document. Required inputs are an unsecured data document (map unsecuredDocument), and a set of proof options (map options). A data integrity proof (map), or an error, is produced as output.
unsecuredDocument
.@context is present,
set proof
.@context to
unsecuredDocument
.@context.
The following algorithm specifies how to verify a data integrity proof given an secured data document. Required inputs are an secured data document (map securedDocument). This algorithm returns a verification result, which is a struct whose items are:
true
or false
true
, an unsecured data document;
otherwise Null
proof
value
removed.
proofValue
removed.
false
and skip to the last step.
true
, unsecuredDocument;
otherwise, NullThe following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section 3.3.4 Hashing (eddsa-jcs-2022).
Required inputs to this algorithm are an
unsecured data document (unsecuredDocument
) and
transformation options (options
). The
transformation options MUST contain a type identifier for the
cryptographic suite (type
) and a cryptosuite
identifier (cryptosuite
). A transformed data document is
produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8
encoding.
options
.type
is not set to the string
DataIntegrityProof
and options
.cryptosuite
is not
set to the string eddsa-jcs-2022
,
an error MUST be raised that SHOULD convey an error type of
PROOF_VERIFICATION_ERROR.
canonicalDocument
be the result of applying the
JSON Canonicalization Scheme [RFC8785] to a JSON serialization of the
unsecuredDocument
.
canonicalDocument
as the transformed data document.
The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section 3.3.6 Proof Serialization (eddsa-jcs-2022) or Section 3.3.7 Proof Verification (eddsa-jcs-2022).
The required inputs to this algorithm are a transformed data document
(transformedDocument
) and canonical proof configuration
(canonicalProofConfig
). A single hash data value represented as
series of bytes is produced as output.
transformedDocumentHash
be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [RFC6234]
to the transformedDocument
. transformedDocumentHash
will
be exactly 32 bytes in size.
proofConfigHash
be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [RFC6234]
to the canonicalProofConfig
. proofConfigHash
will be
exactly 32 bytes in size.
hashData
be the result of joining proofConfigHash
(the
first hash) with transformedDocumentHash
(the second hash).
hashData
as the hash data.
The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the proof hashing algorithm.
The required inputs to this algorithm are proof options
(options
). The proof options MUST contain a type identifier
for the
cryptographic suite (type
) and MUST contain a cryptosuite
identifier (cryptosuite
). A proof configuration
object is produced as output.
proofConfig
be a clone of the options
object.
proofConfig
.type
is not set to DataIntegrityProof
or
proofConfig
.cryptosuite
is not set to eddsa-jcs-2022
,
an error MUST be raised that SHOULD convey an error type of
PROOF_GENERATION_ERROR.
canonicalProofConfig
be the result of applying the
JSON Canonicalization Scheme [RFC8785] to the proofConfig
.
canonicalProofConfig
.
The following algorithm specifies how to serialize a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4: Algorithms. Required inputs are
cryptographic hash data (hashData
) and
proof options (options
). The
proof options MUST contain a type identifier for the
cryptographic suite (type
) and MAY contain a cryptosuite
identifier (cryptosuite
). A single digital proof value
represented as series of bytes is produced as output.
privateKeyBytes
be the result of retrieving the
private key bytes associated with the
options
.verificationMethod
value as described in the
Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4: Retrieving Cryptographic Material.
proofBytes
be the result of applying the Edwards-Curve Digital
Signature Algorithm (EdDSA) [RFC8032], using the Ed25519
variant
(Pure EdDSA), with hashData
as the data to be signed using
the private key specified by privateKeyBytes
.
proofBytes
will be exactly 64 bytes in size.
proofBytes
as the digital proof.
The following algorithm specifies how to verify a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4: Algorithms. Required inputs are
cryptographic hash data (hashData
),
a digital signature (proofBytes
) and
proof options (options
). A verification result
represented as a boolean value is produced as output.
publicKeyBytes
be the result of retrieving the
public key bytes associated with the
options
.verificationMethod
value as described in the
Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4: Retrieving Cryptographic Material.
verificationResult
be the result of applying the verification
algorithm for the Edwards-Curve Digital Signature Algorithm (EdDSA)
[RFC8032], using the Ed25519
variant (Pure EdDSA),
with hashData
as the data to be verified against the
proofBytes
using the public key specified by
publicKeyBytes
.
verificationResult
as the verification result.
Before reading this section, readers are urged to familiarize themselves with general security advice provided in the Security Considerations section of the Data Integrity specification.
The following section describes security considerations that developers implementing this specification should be aware of in order to create secure software.
This section is non-normative.
Ed25519 signatures (EdDSA algorithm with edwards25519 curve) have been widely adopted, due both to the compact size of the keys and signatures and to the speed at which signatures can be produced and verified. Many libraries exist that can create and verify Ed25519 signatures. Since the publication of [RFC8032], security properties of Ed25519 signatures have been rigorously proven (see [Provable_Ed25519] and [Taming_EdDSAs]). However, it has been observed that a significant number of libraries do not achieve these security levels, due to missing input validity checks during the signature verification process. In this section, we summarize the security levels achievable with Ed25519 signatures, and indicate how one can determine whether a library will support those levels.
Digital signatures might exhibit a number of desirable cryptographic properties [Taming_EdDSAs] among these are:
EUF-CMA (existential unforgeability under chosen message attacks) is usually the minimal security property required of a signature scheme. It guarantees that any efficient adversary who has the public key of the signer and received an arbitrary number of signatures on messages of its choice (in an adaptive manner): , cannot output a valid signature for a new message (except with negligible probability). If the attacker outputs a valid signature on a new message: , it is called an existential forgery.
SUF-CMA (strong unforgeability under chosen message attacks) is a stronger notion than EUF-CMA. It guarantees that for any efficient adversary who has the public key of the signer and received an arbitrary number of signatures on messages of its choice: , it cannot output a new valid signature pair , such that (except with negligible probability). Strong unforgeability implies that an adversary not only cannot sign new messages, but also cannot find a new signature on an old message. See [Provable_Ed25519] for a real world attack that would have been circumvented with SUF-CMA security over EUF-CMA security.
Binding signature (BS) We say that a signature scheme is binding if no efficient signer can output a tuple , where both and are valid message signature pairs under the public key and (except with negligible probability). A binding signature makes it impossible for the signer to claim later that it has signed a different message; the signature binds the signer to the message.
Strongly Binding signature (SBS) Certain applications may require a signature to not only be binding to the message but also be binding to the public key. We say that a signature scheme is strongly-binding if any efficient signer cannot output a tuple , where is a valid signature for the public key and is a valid signature for the public key and either or , or both (except with negligible probability). See [Provable_Ed25519] for real world attacks that would have been circumvented with the SBS property.
Note that the BS and SBS properties are forms of non-repudiation.
As pointed out in [Taming_EdDSAs], flaws in Ed25519 libraries primarily occur on the signature verification side, where edge cases are sometimes not properly checked. An Ed25519 signature library that is in conformance with [RFC8032] or [FIPS-186-5], i.e., one that performs all specified validation checks, will have the SUF-CMA property in addition to EUF-CMA.
Reference [Taming_EdDSAs] achieves the BS and SBS properties along with SUF-CMA in their "signature verification algorithm 2" where an additional check is performed against the public key A to make sure that it is not one of eight "small order points". These additional checks incur minimal processing overhead.
Reference [Taming_EdDSAs] included a set of twelve test vectors to test various Ed25519 libraries available at the time of publication. They found that a significant portion missed edge cases and hence did not achieve SUF-CMA (just EUF-CMA), and only two libraries out of sixteen achieved all the security properties. Since the time of publication, more Ed25519 libraries have been created, and some of the libraries have been updated to include all verification checks. Implementers are recommended to test the Ed25519 library they are using against the test vectors of [Taming_EdDSAs].
Before reading this section, readers are urged to familiarize themselves with general privacy advice provided in the Privacy Considerations section of the Data Integrity specification.
The following section describes privacy considerations that developers implementing this specification should be aware of in order to avoid violating privacy assumptions.
The cryptographic suites described in this specification do not support selective disclosure or unlinkable disclosure. If selective disclosure is a desired feature, readers might find the Data Integrity ECDSA Cryptosuites v1.0 specification useful. If unlinkable disclosure is of interest, the Data Integrity BBS Cryptosuites v1.0 specification provides an unlinkable digital signature mechanism.
Ed25519Signature2020
is an earlier version of a cryptographic suite
for use of the EdDSA algorithm and Curve25519. While it has
been used in production systems, new implementations should instead use
eddsa-rdfc-2022
. Ed25519Signature2020
has
been kept in this specification to provide a stable reference.
The key format described in this section is provided to document a legacy mechanism that has been deployed to production. The key format described in section 2.1.1 Multikey supercedes the one described in this section. New applications are strongly urged to use the newer key format.
The type
of the verification method MUST be
Ed25519VerificationKey2020.
The controller
of the verification method MUST be a URL.
The publicKeyMultibase
value of the verification method MUST start with the
base-58-btc prefix (z
), as defined in the
Multibase section of
[VC-DATA-INTEGRITY]. A Multibase-encoded Multikey value follows, which MUST
consist of a binary value that starts with the two-byte prefix 0xed01
, which
is the Multikey header for an Ed25519 public key, followed by the 32-byte
public key data, all of which is then encoded using base-58-btc. Any other
encoding MUST NOT be allowed.
Developers are advised to not accidentally publish a representation of a private
key. Implementations of this specification will raise errors in the event of a
Multikey header value other than 0xed01
being used in a
publicKeyMultibase
value.
{ "id": "https://example.com/issuer/123#key-0", "type": "Ed25519VerificationKey2020", "controller": "https://example.com/issuer/123", "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP" }
{ "@context": [ "https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/ed25519-2020/v1" ], "id": "did:example:123", "verificationMethod": [{ "id": "did:example:123#key-0", "type": "Ed25519VerificationKey2020", "controller": "did:example:123", "publicKeyMultibase": "z6Mkf5rGMoatrSj1f4CyvuHBeXJELe9RPdzo2PKGNCKVtZxP" }], "authentication": [ "did:example:123#key-0" ], "assertionMethod": [ "did:example:123#key-0" ], "capabilityDelegation": [ "did:example:123#key-0" ], "capabilityInvocation": [ "did:example:123#key-0" ] }
The proof format described in this section is provided to document a legacy
mechanism that has been deployed to production. The DataIntegrityProof
formats
described in section 2.2.1 DataIntegrityProof supercede the one described in
this section. New applications are strongly urged to use the newer proof format.
The verificationMethod
property of the proof MUST be a URL.
Dereferencing the verificationMethod
MUST result in an object
containing a type
property with the value set to
Ed25519VerificationKey2020
.
The type
property of the proof MUST be Ed25519Signature2020
.
The created
property of the proof MUST be an [XMLSCHEMA11-2]
formatted date string.
The proofPurpose
property of the proof MUST be a string, and MUST
match the verification relationship expressed by the verification method
controller
.
The proofValue
property of the proof MUST be a detached EdDSA
produced according to [RFC8032], encoded using
the base-58-btc header and alphabet as described in the
Multibase section of [VC-DATA-INTEGRITY].
{ "@context": [ {"myWebsite": "https://vocabulary.example/myWebsite"}, "https://w3id.org/security/suites/ed25519-2020/v1" ], "myWebsite": "https://hello.world.example/", "proof": { "type": "Ed25519Signature2020", "created": "2020-11-05T19:23:24Z", "verificationMethod": "https://di.example/issuer#z6MkjLrk3gKS2nnkeWcmcxiZPGskmesDpuwRBorgHxUXfxnG", "proofPurpose": "assertionMethod", "proofValue": "z4oey5q2M3XKaxup3tmzN4DRFTLVqpLMweBrSxMY2xHX5XTYVQeVbY8nQAVHMrXFkXJpmEcqdoDwLWxaqA3Q1geV6" } }
The Ed25519Signature2020
cryptographic suite takes an input document,
canonicalizes the document using the RDF Dataset Canonicalization algorithm [RDF-CANON],
and then cryptographically hashes and signs the output
resulting in the production of a data integrity proof. The algorithms in this
section also include the verification of such a data integrity proof.
To generate a proof, the algorithm in Section 4.1: Add Proof in the Data Integrity [VC-DATA-INTEGRITY] specification MUST be executed. For that algorithm, the cryptographic suite specific transformation algorithm is defined in Section A.2.1.3 Transformation (Ed25519Signature2020), the hashing algorithm is defined in Section A.2.1.4 Hashing (Ed25519Signature2020), and the proof serialization algorithm is defined in Section A.2.1.6 Proof Serialization (Ed25519Signature2020).
To verify a proof, the algorithm in Section 4.2: Verify Proof in the Data Integrity [VC-DATA-INTEGRITY] specification MUST be executed. For that algorithm, the cryptographic suite specific transformation algorithm is defined in Section A.2.1.3 Transformation (Ed25519Signature2020), the hashing algorithm is defined in Section A.2.1.4 Hashing (Ed25519Signature2020), and the proof verification algorithm is defined in Section A.2.1.7 Proof Verification (Ed25519Signature2020).
The following algorithm specifies how to transform an unsecured input document into a transformed document that is ready to be provided as input to the hashing algorithm in Section A.2.1.4 Hashing (Ed25519Signature2020).
Required inputs to this algorithm are an
unsecured data document (unsecuredDocument
) and
transformation options (options
). The
transformation options MUST contain a type identifier for the
cryptographic suite (type
) and a cryptosuite
identifier (cryptosuite
). A transformed data document is
produced as output. Whenever this algorithm encodes strings, it MUST use UTF-8
encoding.
options
.type
is not set to the string
Ed25519Signature2020
,
an error MUST be raised that SHOULD convey an error type of
PROOF_TRANSFORMATION_ERROR.
canonicalDocument
as the transformed data document.
The following algorithm specifies how to cryptographically hash a transformed data document and proof configuration into cryptographic hash data that is ready to be provided as input to the algorithms in Section A.2.1.6 Proof Serialization (Ed25519Signature2020) or Section A.2.1.7 Proof Verification (Ed25519Signature2020).
The required inputs to this algorithm are a
transformed data document (transformedDocument
) and
proof configuration (proofConfig
). The
proof configuration MUST contain a type identifier for the
cryptographic suite (type
) and MAY contain a cryptosuite
identifier (cryptosuite
). A single hash data value
represented as series of bytes is produced as output.
transformedDocumentHash
be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [RFC6234]
to the transformedDocument
. transformedDocumentHash
will
be exactly 32 bytes in size.
proofConfigHash
be the result of applying the
SHA-256 (SHA-2 with 256-bit output) cryptographic hashing algorithm [RFC6234]
to the canonicalProofConfig
. proofConfigHash
will be
exactly 32 bytes in size.
hashData
be the result of joining proofConfigHash
(the
first hash) with transformedDocumentHash
(the second hash).
hashData
as the hash data.
The following algorithm specifies how to generate a proof configuration from a set of proof options that is used as input to the proof hashing algorithm.
The required inputs to this algorithm are proof options
(options
). The proof options MUST contain a type identifier
for the
cryptographic suite (type
) and MAY contain a cryptosuite
identifier (cryptosuite
). A proof configuration
object is produced as output.
proofConfig
.type
is not set to Ed25519Signature2020
,
an error MUST be raised and SHOULD convey an error type of
PROOF_GENERATION_ERROR.
proofConfig
.@context to
unsecuredDocument
.@context
canonicalProofConfig
be the result of applying the
RDF Dataset Canonicalization algorithm [RDF-CANON] to the proofConfig
.
canonicalProofConfig
.
The following algorithm specifies how to serialize a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4: Algorithms. Required inputs are
cryptographic hash data (hashData
) and
proof options (options
). The
proof options MUST contain a type identifier for the
cryptographic suite (type
) and MAY contain a cryptosuite
identifier (cryptosuite
). A single digital proof value
represented as series of bytes is produced as output.
privateKeyBytes
be the result of retrieving the
private key bytes associated with the
options
.verificationMethod
value as described in the
Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4: Retrieving Cryptographic Material.
proofBytes
be the result of applying the Edwards-Curve Digital
Signature Algorithm (EdDSA) [RFC8032], using the Ed25519
variant
(Pure EdDSA), with hashData
as the data to be signed using
the private key specified by privateKeyBytes
.
proofBytes
will be exactly 64 bytes in size.
proofBytes
as the digital proof.
The following algorithm specifies how to verify a digital signature from
a set of cryptographic hash data. This
algorithm is designed to be used in conjunction with the algorithms defined
in the Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4: Algorithms. Required inputs are
cryptographic hash data (hashData
),
a digital signature (proofBytes
) and
proof options (options
). A verification result
represented as a boolean value is produced as output.
publicKeyBytes
be the result of retrieving the
public key bytes associated with the
options
.verificationMethod
value as described in the
Data Integrity [VC-DATA-INTEGRITY] specification,
Section 4: Retrieving Cryptographic Material.
verificationResult
be the result of applying the verification
algorithm for the Edwards-Curve Digital Signature Algorithm (EdDSA)
[RFC8032], using the Ed25519
variant (Pure EdDSA),
with hashData
as the data to be verified against the
proofBytes
using the public key specified by
publicKeyBytes
.
verificationResult
as the verification result.
This section is non-normative.
The signer needs to generate a private/public key pair with the private key used for signing and the public key made available for verification. The representation of the public key and the representation of the private key are shown below.
{ publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", secretKeyMultibase: "z3u2en7t5LR2WtQH5PfFqMqwVHBeXouLzo6haApm8XHqvjxq" }
Signing begins with a credential without an attached proof, which is converted to canonical form, and then hashed, as shown in the following three examples.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": ["VerifiableCredential", "AlumniCredential"], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" } }
<did:example:abcdefgh> <https://www.w3.org/ns/credentials/examples#alumniOf> "The School of Examples" . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/2018/credentials#VerifiableCredential> . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/ns/credentials/examples#AlumniCredential> . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <https://schema.org/description> "A minimum viable example of an Alumni Credential." . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <https://schema.org/name> "Alumni Credential" . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <https://www.w3.org/2018/credentials#credentialSubject> <did:example:abcdefgh> . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <https://www.w3.org/2018/credentials#issuer> <https://vc.example/issuers/5678> . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <https://www.w3.org/2018/credentials#validFrom> "2023-01-01T00:00:00Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
517744132ae165a5349155bef0bb0cf2258fff99dfe1dbd914b938d775a36017
The next step is to take the proof options document, convert it to canonical form, and obtain its hash, as shown in the next three examples.
{ "type": "DataIntegrityProof", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2#z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", "proofPurpose": "assertionMethod", "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ] }
_:c14n0 <http://purl.org/dc/terms/created> "2023-02-24T23:36:38Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> . _:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#DataIntegrityProof> . _:c14n0 <https://w3id.org/security#cryptosuite> "eddsa-rdfc-2022"^^<https://w3id.org/security#cryptosuiteString> . _:c14n0 <https://w3id.org/security#proofPurpose> <https://w3id.org/security#assertionMethod> . _:c14n0 <https://w3id.org/security#verificationMethod> <did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2#z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2> .
bea7b7acfbad0126b135104024a5f1733e705108f42d59668b05c0c50004c6b0
Finally, we concatenate the hash of the proof options followed by the hash of the credential without proof, use the private key with the combined hash to compute the Ed25519 signature, and then base58-btc encode the signature.
bea7b7acfbad0126b135104024a5f1733e705108f42d59668b05c0c50004c6b0517744132ae165a5349155bef0bb0cf2258fff99dfe1dbd914b938d775a36017
4d8e53c2d5b3f2a7891753eb16ca993325bdb0d3cfc5be1093d0a18426f5ef8578cadc0fd4b5f4dd0d1ce0aefd15ab120b7a894d0eb094ffda4e6553cd1ed50d
z2YwC8z3ap7yx1nZYCg4L3j3ApHsF8kgPdSb5xoS1VR7vPG3F561B52hYnQF9iseabecm3ijx4K1FBTQsCZahKZme
Assemble the signed credential with the following two steps:
proofValue
field with the previously computed base58-btc
value to the proof options document.
proof
field of the credential to the augmented proof
option document.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": { "type": "DataIntegrityProof", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2#z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", "proofPurpose": "assertionMethod", "proofValue": "z2YwC8z3ap7yx1nZYCg4L3j3ApHsF8kgPdSb5xoS1VR7vPG3F561B52hYnQF9iseabecm3ijx4K1FBTQsCZahKZme" } }
The signer needs to generate a private/public key pair with the private key used for signing and the public key made available for verification. The representation of the public key, and the representation of the private key are shown below.
{ publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", secretKeyMultibase: "z3u2en7t5LR2WtQH5PfFqMqwVHBeXouLzo6haApm8XHqvjxq" }
Signing begins with a credential without an attached proof, which is converted to canonical form, and then hashed, as shown in the following three examples.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": ["VerifiableCredential", "AlumniCredential"], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" } }
{"@context":["https://www.w3.org/ns/credentials/v2","https://www.w3.org/ns/credentials/examples/v2"],"credentialSubject":{"alumniOf":"The School of Examples","id":"did:example:abcdefgh"},"description":"A minimum viable example of an Alumni Credential.","id":"urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33","issuer":"https://vc.example/issuers/5678","name":"Alumni Credential","type":["VerifiableCredential","AlumniCredential"],"validFrom":"2023-01-01T00:00:00Z"}
59b7cb6251b8991add1ce0bc83107e3db9dbbab5bd2c28f687db1a03abc92f19
The next step is to take the proof options document, convert it to canonical form, and obtain its hash, as shown in the next three examples.
{ "type": "DataIntegrityProof", "cryptosuite": "eddsa-jcs-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2#z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", "proofPurpose": "assertionMethod" }
{"created":"2023-02-24T23:36:38Z","cryptosuite":"eddsa-jcs-2022","proofPurpose":"assertionMethod","type":"DataIntegrityProof","verificationMethod":"did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2#z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2"}
c46b3487ab7087c4f426b546c449094ff57b8fefa6fd85e83f1b31e24c230da8
Finally, we concatenate the hash of the proof options followed by the hash of the credential without proof, use the private key with the combined hash to compute the Ed25519 signature, and then base58-btc encode the signature.
c46b3487ab7087c4f426b546c449094ff57b8fefa6fd85e83f1b31e24c230da859b7cb6251b8991add1ce0bc83107e3db9dbbab5bd2c28f687db1a03abc92f19
1e04ce056c39eb657691a7f2187aa8514d7587fbf9ab0ec14774a32d5930151ac242f77f8e3ada94748cbc4bf81de97a1d1c1a224da24cf1956117f34543b407
zboydVv31kj6jP37GMBZwYyjbvrqr9MWeY9NCEfYUwLcKwkdqAcB44dqEcqaMi8mfdvT2Vbnvdrv6XRaYzgpuPWn
Assemble the signed credential with the following two steps:
proofValue
field with the previously computed base58-btc
value to the proof options document.
proof
field of the credential to the augmented proof
option document.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": { "type": "DataIntegrityProof", "cryptosuite": "eddsa-jcs-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2#z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", "proofPurpose": "assertionMethod", "proofValue": "zboydVv31kj6jP37GMBZwYyjbvrqr9MWeY9NCEfYUwLcKwkdqAcB44dqEcqaMi8mfdvT2Vbnvdrv6XRaYzgpuPWn" } }
The signer needs to generate a private/public key pair with the private key used for signing and the public key made available for verification. The representation of the public key, and the representation of the private key, are shown below.
{ publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", secretKeyMultibase: "z3u2en7t5LR2WtQH5PfFqMqwVHBeXouLzo6haApm8XHqvjxq" }
Signing begins with a credential without an attached proof, which is converted to canonical form, and then hashed, as shown in the following three examples.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": ["VerifiableCredential", "AlumniCredential"], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" } }
<did:example:abcdefgh> <https://www.w3.org/ns/credentials/examples#alumniOf> "The School of Examples" . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/2018/credentials#VerifiableCredential> . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/ns/credentials/examples#AlumniCredential> . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <https://schema.org/description> "A minimum viable example of an Alumni Credential." . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <https://schema.org/name> "Alumni Credential" . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <https://www.w3.org/2018/credentials#credentialSubject> <did:example:abcdefgh> . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <https://www.w3.org/2018/credentials#issuer> <https://vc.example/issuers/5678> . <urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33> <https://www.w3.org/2018/credentials#validFrom> "2023-01-01T00:00:00Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
517744132ae165a5349155bef0bb0cf2258fff99dfe1dbd914b938d775a36017
The next step is to take the proof options document, convert it to canonical form, and obtain its hash, as shown in the next three examples.
{ "type": "Ed25519Signature2020", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2#z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", "proofPurpose": "assertionMethod", "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2", "https://w3id.org/security/suites/ed25519-2020/v1" ] }
_:c14n0 <http://purl.org/dc/terms/created> "2023-02-24T23:36:38Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> . _:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#Ed25519Signature2020> . _:c14n0 <https://w3id.org/security#proofPurpose> <https://w3id.org/security#assertionMethod> . _:c14n0 <https://w3id.org/security#verificationMethod> <did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2#z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2> .
04e14bcf5727cba0c0aa04a04d22a56fef915d5f8f7756bb92ae67cb1d0c4847
Finally, we concatenate the hash of the proof options followed by the hash of the credential without proof, use the private key with the combined hash to compute the Ed25519 signature, and then base58-btc encode the signature.
04e14bcf5727cba0c0aa04a04d22a56fef915d5f8f7756bb92ae67cb1d0c4847517744132ae165a5349155bef0bb0cf2258fff99dfe1dbd914b938d775a36017
cd8d023e8a9b462d563bbbd24c4499d8172738eb3f5235d74f65971e9be36dd7f23a1e201791e9a6747e45b8fa877a984f51f591567365c4d8222ecad39be60c
z57Mm1vboMtZiCyJ4aReZsv8co4Re64Y8GEjL1ZARzMbXZgkARFLqFs1P345NpPGG2hgCrS4nNdvJhpwnrNyG3kEF
Assemble the signed credential with the following two steps:
proofValue
field with the previously computed base58-btc
value to the proof options document.
proof
field of the credential to the augmented proof
option document.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2", "https://w3id.org/security/suites/ed25519-2020/v1" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": { "type": "Ed25519Signature2020", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2#z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", "proofPurpose": "assertionMethod", "proofValue": "z57Mm1vboMtZiCyJ4aReZsv8co4Re64Y8GEjL1ZARzMbXZgkARFLqFs1P345NpPGG2hgCrS4nNdvJhpwnrNyG3kEF" } }
Proof sets and chains are defined in the [VC-DATA-INTEGRITY]. We
provide test vectors showing the creation of proof sets and chains with the
eddsa-rdfc-2022
cryptosuite. Multiple signers can be involved in the generation
of proof sets and chains so multiple public/private key pairs are needed. These
are shown below.
{ "keyPair1": { "publicKeyMultibase": "z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7", "privateKeyMultibase": "z3u2W4YnTstS1nSSBAgZcYSJF43JuZ9uLV6bF38B1Bf8NugW" }, "keyPair2": { "publicKeyMultibase": "z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E", "privateKeyMultibase": "z3u2cfp4Q17kMGhNCh348a3yw3cUBiWK6RXRzyJE54sixMFn" }, "keyPair3": { "publicKeyMultibase": "z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1", "privateKeyMultibase": "z3u2Zr3tcDLBDQKGxVa9SRDFNLqNqPWsa8p9rWPvCEH6bADB" }, "keyPair4": { "publicKeyMultibase": "z6Mkm1S51iPHJvDEkJ9MRtxJmT8Pqo6wHipAFwBAjN83vntT", "privateKeyMultibase": "z3u2ZTWiFwM17veUR7sXniY66Gf14SqMdpMLy7SW9x4EDdmw" } }
The original unsigned credential is shown below:
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": ["VerifiableCredential", "AlumniCredential"], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" } }
To demonstrate creating a proof set, we start with a document containing a
single proof and add another proof to it. The starting document is shown below and
contains a proof signed with keyPair1
.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": { "type": "DataIntegrityProof", "id": "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7#z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7", "proofPurpose": "assertionMethod", "proofValue": "z66vWyqwAghu52WbpRkCwFRTu6Msn92ArtjpJ3gGMSVoU5RADwBfszoDt1QWY8owqLPz4nTj7hAwV7xFti1p93zdr" } }
The options
input to
Section 4.4: Add Proof Set/Chain in [VC-DATA-INTEGRITY]
is shown below. Note that it does not include a previousProof
attribute since
we are constructing a proof set and not a chain. In addition, we will be using
keyPair2
for signing.
{ "type": "DataIntegrityProof", "id": "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E#z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E", "proofPurpose": "assertionMethod" }
Per the algorithm of
Section 4.4: Add Proof Set/Chain in [VC-DATA-INTEGRITY],
we create an array variable, allProofs
, and add the proof from the
starting document to it. Since there is no previousProof
attribute, no
modification of unsignedDocument
is needed prior to computing the signed proof
in step 6 of
Section 4.4: Add Proof Set/Chain in
[VC-DATA-INTEGRITY]. The signed proof configuration is shown below.
{ "type": "DataIntegrityProof", "id": "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E#z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E", "proofPurpose": "assertionMethod", "proofValue": "z2scr94SNNrGpP2bE7ajvKWeUHm7HJ2edDkxpARvFAQ8V3USzwEzibqrXKaLHBrWostswsfvg82twQR88BgtnsrXY" }
The signed proof options
above gets appended to the allProofs
variable, which then gets set as the proof
attribute of the unsigned document
to produce the final signed document as shown below.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": [ { "type": "DataIntegrityProof", "id": "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7#z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7", "proofPurpose": "assertionMethod", "proofValue": "z66vWyqwAghu52WbpRkCwFRTu6Msn92ArtjpJ3gGMSVoU5RADwBfszoDt1QWY8owqLPz4nTj7hAwV7xFti1p93zdr" }, { "type": "DataIntegrityProof", "id": "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E#z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E", "proofPurpose": "assertionMethod", "proofValue": "z2scr94SNNrGpP2bE7ajvKWeUHm7HJ2edDkxpARvFAQ8V3USzwEzibqrXKaLHBrWostswsfvg82twQR88BgtnsrXY" } ] }
This collection of test vectors demonstrates the construction a proof chain. We
start with a document containing a proof set, i.e., our previous example, and
then add a new proof to the credential that has a dependency on the existing
proofs. This example also demonstrates the case where the previousProofs
attribute is an array. This example uses keyPair3
and the starting document is
given below.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": [ { "type": "DataIntegrityProof", "id": "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7#z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7", "proofPurpose": "assertionMethod", "proofValue": "z66vWyqwAghu52WbpRkCwFRTu6Msn92ArtjpJ3gGMSVoU5RADwBfszoDt1QWY8owqLPz4nTj7hAwV7xFti1p93zdr" }, { "type": "DataIntegrityProof", "id": "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E#z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E", "proofPurpose": "assertionMethod", "proofValue": "z2scr94SNNrGpP2bE7ajvKWeUHm7HJ2edDkxpARvFAQ8V3USzwEzibqrXKaLHBrWostswsfvg82twQR88BgtnsrXY" } ] }
The options
input to
Section 4.4: Add Proof Set/Chain in [VC-DATA-INTEGRITY]
is shown below. Note that it includes a previousProof
attribute since we are
constructing a proof chain.
{ "type": "DataIntegrityProof", "id": "urn:uuid:d94f792a-c546-4d06-b38a-da070ab56c23", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-26T22:06:38Z", "verificationMethod": "did:key:z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1#z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1", "proofPurpose": "assertionMethod", "previousProof": [ "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54" ] }
Per the algorithm of
Section 4.4: Add Proof Set/Chain in [VC-DATA-INTEGRITY],
we create an array variable, allProofs
, and add the proofs from the
starting document to it. Since the options contains the previousProof
attribute, we compute the matchingProofs
variable per step 4
of Section 4.4: Add Proof
Set/Chain, and we set the
unsecuredDocument.proof
equal to the matchingProofs
. This
produces the document shown below.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": [ { "type": "DataIntegrityProof", "id": "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7#z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7", "proofPurpose": "assertionMethod", "proofValue": "z66vWyqwAghu52WbpRkCwFRTu6Msn92ArtjpJ3gGMSVoU5RADwBfszoDt1QWY8owqLPz4nTj7hAwV7xFti1p93zdr" }, { "type": "DataIntegrityProof", "id": "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E#z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E", "proofPurpose": "assertionMethod", "proofValue": "z2scr94SNNrGpP2bE7ajvKWeUHm7HJ2edDkxpARvFAQ8V3USzwEzibqrXKaLHBrWostswsfvg82twQR88BgtnsrXY" } ] }
In step 6, we use the previous document (unsecured document with previous proofs
added to it) to compute the proofValue
attribute. This gives the signed
configuration options (proof) shown below:
{ "type": "DataIntegrityProof", "id": "urn:uuid:d94f792a-c546-4d06-b38a-da070ab56c23", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-26T22:06:38Z", "verificationMethod": "did:key:z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1#z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1", "proofPurpose": "assertionMethod", "previousProof": [ "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54" ], "proofValue": "zWaPeEvBAkhQpNQj8pknuvg5STcKnt3cvM9t4kAYeJETFjvVMSXEEjadC4uxC9fKCn6JHbjt6fj2fhoaVNynBm6J" }
The signed proof options
above gets appended to the allProofs
variable, which then gets set as the proof
attribute of the unsigned document
to produce the final signed document as shown below.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": [ { "type": "DataIntegrityProof", "id": "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7#z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7", "proofPurpose": "assertionMethod", "proofValue": "z66vWyqwAghu52WbpRkCwFRTu6Msn92ArtjpJ3gGMSVoU5RADwBfszoDt1QWY8owqLPz4nTj7hAwV7xFti1p93zdr" }, { "type": "DataIntegrityProof", "id": "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E#z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E", "proofPurpose": "assertionMethod", "proofValue": "z2scr94SNNrGpP2bE7ajvKWeUHm7HJ2edDkxpARvFAQ8V3USzwEzibqrXKaLHBrWostswsfvg82twQR88BgtnsrXY" }, { "type": "DataIntegrityProof", "id": "urn:uuid:d94f792a-c546-4d06-b38a-da070ab56c23", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-26T22:06:38Z", "verificationMethod": "did:key:z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1#z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1", "proofPurpose": "assertionMethod", "previousProof": [ "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54" ], "proofValue": "zWaPeEvBAkhQpNQj8pknuvg5STcKnt3cvM9t4kAYeJETFjvVMSXEEjadC4uxC9fKCn6JHbjt6fj2fhoaVNynBm6J" } ] }
This collection of test vectors demonstrates construction of an extended proof
chain. We start with the output of the previous section and add an additional
proof that is dependent on one of the existing proofs. This example uses
keyPair4
, and the starting document is given below.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": [ { "type": "DataIntegrityProof", "id": "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7#z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7", "proofPurpose": "assertionMethod", "proofValue": "z66vWyqwAghu52WbpRkCwFRTu6Msn92ArtjpJ3gGMSVoU5RADwBfszoDt1QWY8owqLPz4nTj7hAwV7xFti1p93zdr" }, { "type": "DataIntegrityProof", "id": "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E#z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E", "proofPurpose": "assertionMethod", "proofValue": "z2scr94SNNrGpP2bE7ajvKWeUHm7HJ2edDkxpARvFAQ8V3USzwEzibqrXKaLHBrWostswsfvg82twQR88BgtnsrXY" }, { "type": "DataIntegrityProof", "id": "urn:uuid:d94f792a-c546-4d06-b38a-da070ab56c23", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-26T22:06:38Z", "verificationMethod": "did:key:z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1#z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1", "proofPurpose": "assertionMethod", "previousProof": [ "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54" ], "proofValue": "zWaPeEvBAkhQpNQj8pknuvg5STcKnt3cvM9t4kAYeJETFjvVMSXEEjadC4uxC9fKCn6JHbjt6fj2fhoaVNynBm6J" } ] }
The options
input to
Section 4.4: Add Proof Set/Chain in [VC-DATA-INTEGRITY]
is shown below. Note that it includes a previousProof
attribute since we are
constructing a proof chain, however this time it is a single value.
{ "type": "DataIntegrityProof", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-26T22:16:38Z", "verificationMethod": "did:key:z6Mkm1S51iPHJvDEkJ9MRtxJmT8Pqo6wHipAFwBAjN83vntT#z6Mkm1S51iPHJvDEkJ9MRtxJmT8Pqo6wHipAFwBAjN83vntT", "proofPurpose": "assertionMethod", "previousProof": "urn:uuid:d94f792a-c546-4d06-b38a-da070ab56c23" }
Per the algorithm of
Section 4.4: Add Proof Set/Chain in [VC-DATA-INTEGRITY],
we create an array variable, allProofs
, and add the proofs from the
starting document to it. Since the options
contains the previousProof
attribute, we compute the matchingProofs
variable per step 4
of Section 4.4: Add Proof
Set/Chain, and we set the
unsecuredDocument.proof
equal to the matchingProofs
. This
produces the document shown below.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": [ { "type": "DataIntegrityProof", "id": "urn:uuid:d94f792a-c546-4d06-b38a-da070ab56c23", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-26T22:06:38Z", "verificationMethod": "did:key:z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1#z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1", "proofPurpose": "assertionMethod", "previousProof": [ "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54" ], "proofValue": "zWaPeEvBAkhQpNQj8pknuvg5STcKnt3cvM9t4kAYeJETFjvVMSXEEjadC4uxC9fKCn6JHbjt6fj2fhoaVNynBm6J" } ] }
In step 6, we use the previous document (unsecured document with previous proofs
added to it) to compute the proofValue
attribute. This gives the signed
configuration options (proof) shown below:
{ "type": "DataIntegrityProof", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-26T22:16:38Z", "verificationMethod": "did:key:z6Mkm1S51iPHJvDEkJ9MRtxJmT8Pqo6wHipAFwBAjN83vntT#z6Mkm1S51iPHJvDEkJ9MRtxJmT8Pqo6wHipAFwBAjN83vntT", "proofPurpose": "assertionMethod", "previousProof": "urn:uuid:d94f792a-c546-4d06-b38a-da070ab56c23", "proofValue": "z4b5uUtxNiV4E541LiR8qLvA21xM1Vt4Hfn6nLmmDePdFvLB3jFj3HyEEJyRMbpJzv4Gfdr8ABeuRTxAvZv6KWRRh" }
The signed proof options
above gets appended to the allProofs
variable, which then gets set as the proof
attribute of the unsigned document
to produce the final signed document as shown below.
{ "@context": [ "https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2" ], "id": "urn:uuid:58172aac-d8ba-11ed-83dd-0b3aef56cc33", "type": [ "VerifiableCredential", "AlumniCredential" ], "name": "Alumni Credential", "description": "A minimum viable example of an Alumni Credential.", "issuer": "https://vc.example/issuers/5678", "validFrom": "2023-01-01T00:00:00Z", "credentialSubject": { "id": "did:example:abcdefgh", "alumniOf": "The School of Examples" }, "proof": [ { "type": "DataIntegrityProof", "id": "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7#z6MktgKTsu1QhX6QPbyqG6geXdw6FQCZBPq7uQpieWbiQiG7", "proofPurpose": "assertionMethod", "proofValue": "z66vWyqwAghu52WbpRkCwFRTu6Msn92ArtjpJ3gGMSVoU5RADwBfszoDt1QWY8owqLPz4nTj7hAwV7xFti1p93zdr" }, { "type": "DataIntegrityProof", "id": "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "did:key:z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E#z6MkhWqdDBPojHA7cprTGTt5yHv5yUi1B8cnXn8ReLumkw6E", "proofPurpose": "assertionMethod", "proofValue": "z2scr94SNNrGpP2bE7ajvKWeUHm7HJ2edDkxpARvFAQ8V3USzwEzibqrXKaLHBrWostswsfvg82twQR88BgtnsrXY" }, { "type": "DataIntegrityProof", "id": "urn:uuid:d94f792a-c546-4d06-b38a-da070ab56c23", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-26T22:06:38Z", "verificationMethod": "did:key:z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1#z6MkmEq87wkHCYnWnNZkigeDMGTN7oUw1upkhzd77KuXERS1", "proofPurpose": "assertionMethod", "previousProof": [ "urn:uuid:26329423-bec9-4b2e-88cb-a7c7d9dc4544", "urn:uuid:8cc9022b-6b14-4cf3-8571-74972c5feb54" ], "proofValue": "zWaPeEvBAkhQpNQj8pknuvg5STcKnt3cvM9t4kAYeJETFjvVMSXEEjadC4uxC9fKCn6JHbjt6fj2fhoaVNynBm6J" }, { "type": "DataIntegrityProof", "cryptosuite": "eddsa-rdfc-2022", "created": "2023-02-26T22:16:38Z", "verificationMethod": "did:key:z6Mkm1S51iPHJvDEkJ9MRtxJmT8Pqo6wHipAFwBAjN83vntT#z6Mkm1S51iPHJvDEkJ9MRtxJmT8Pqo6wHipAFwBAjN83vntT", "proofPurpose": "assertionMethod", "previousProof": "urn:uuid:d94f792a-c546-4d06-b38a-da070ab56c23", "proofValue": "z4b5uUtxNiV4E541LiR8qLvA21xM1Vt4Hfn6nLmmDePdFvLB3jFj3HyEEJyRMbpJzv4Gfdr8ABeuRTxAvZv6KWRRh" } ] }
This section is non-normative.
This section contains the substantive changes that have been made to this specification over time.
Changes since the First Candidate Recommendation:
created
proof option is not required and additional proof
options are included in the generated proof.
Changes since the First Public Working Draft:
This section is non-normative.
Work on this specification has been supported by the Rebooting the Web of Trust community facilitated by Christopher Allen, Shannon Appelcline, Kiara Robles, Brian Weller, Betty Dhamers, Kaliya Young, Manu Sporny, Drummond Reed, Joe Andrieu, Heather Vescent, Kim Hamilton Duffy, Samantha Chase, Andrew Hughes, Erica Connell, Shigeya Suzuki, and Zaïda Rivai. The participants in the Internet Identity Workshop, facilitated by Phil Windley, Kaliya Young, Doc Searls, and Heidi Nobantu Saul, also supported the refinement of this work through numerous working sessions designed to educate about, debate on, and improve this specification.
The Working Group also thanks our Chair, Brent Zundel, our ex-Chair Kristina Yasuda, as well as our W3C Staff Contact, Ivan Herman, for their expert management and steady guidance of the group through the W3C standardization process.
Portions of the work on this specification have been funded by the United States Department of Homeland Security's Science and Technology Directorate under contracts 70RSAT20T00000029, 70RSAT21T00000016, 70RSAT23T00000005, 70RSAT20T00000010/P00001, 70RSAT20T00000029, 70RSAT21T00000016/P00001, 70RSAT23T00000005, 70RSAT23C00000030, 70RSAT23R00000006, and the National Science Foundation through NSF 22-572. The content of this specification does not necessarily reflect the position or the policy of the U.S. Government and no official endorsement should be inferred.
The Working Group would like to thank the following individuals for reviewing and providing feedback on the specification (in alphabetical order):
Will Abramson, Mahmoud Alkhraishi, Christopher Allen, Joe Andrieu, Bohdan Andriyiv, Anthony, George Aristy, Hadley Beeman, Greg Bernstein, Bob420, Sarven Capadisli, Melvin Carvalho, David Chadwick, Matt Collier, Gabe Cohen, Sebastian Crane, Kyle Den Hartog, Veikko Eeva, Eric Elliott, Raphael Flechtner, Julien Fraichot, Benjamin Goering, Kim Hamilton Duffy, Joseph Heenan, Helge, Ivan Herman, Michael Herman, Anil John, Andrew Jones, Michael B. Jones, Rieks Joosten, Gregory K, Gregg Kellogg, Filip Kolarik, David I. Lehn, Charles E. Lehner, Christine Lemmer-Webber, Eric Lim, Dave Longley, Tobias Looker, Jer Miller, nightpool, Luis Osta, Nate Otto, George J. Padayatti, Addison Phillips, Mike Prorock, Brian Richter, Anders Rundgren, Eugeniu Rusu, Markus Sabadello, silverpill, Wesley Smith, Manu Sporny, Patrick St-Louis, Orie Steele, Henry Story, Oliver Terbu, Ted Thibodeau Jr, John Toohey, Bert Van Nuffelen, Mike Varley, Snorre Lothar von Gohren Edwin, Jeffrey Yasskin, Kristina Yasuda, Benjamin Young, Dmitri Zagidulin, and Brent Zundel.
Referenced in:
Referenced in: