This document describes the Security Vocabulary, i.e., the vocabulary used to ensure the authenticity and integrity of Verifiable Credentials and similar types of constrained digital documents using cryptography, especially through the use of digital signatures and related mathematical proofs .
Alternate versions of the vocabulary definition exist in Turtle and JSON-LD.
Comments regarding this document are welcome. Please file issues directly on GitHub, or send them to public-vc-comments@w3.org (subscribe, archives).
In general, the terms — i.e., the properties and classes — used in the VCDM are formally specified in Recommendation Track documents published by the W3C Verifiable Credentials Working Group or, for some deprecated or reserved terms, in Reports published by the W3C Credentials Community Group. In each case of such external definition, the term's description in this document contains a link to the relevant specification. Additionally, the `rdfs:definedBy` property in the RDFS representation(s) refers to the formal specification.
In some cases, a local explanation is necessary to complement, or to replace, the definition found in an external specification. For instance, this is so when the term is needed to provide a consistent structure to the RDFS vocabulary, such as when the term defines a common supertype for class instances that are used as objects of specific properties, or when RDF Graphs are involved. For such cases, the extra definition is included in the current document (and the `rdfs:comment` property is used to include them in the RDFS representations).
This specification makes use of the following namespaces:
sechttps://w3id.org/security#credhttps://www.w3.org/2018/credentials#dchttp://purl.org/dc/terms/owlhttp://www.w3.org/2002/07/owl#rdfhttp://www.w3.org/1999/02/22-rdf-syntax-ns#rdfshttp://www.w3.org/2000/01/rdf-schema#xsdhttp://www.w3.org/2001/XMLSchema#vshttp://www.w3.org/2003/06/sw-vocab-status/ns#schemahttp://schema.org/jsonldhttp://www.w3.org/ns/json-ld#@context filesThe following @context files make use of the terms defined in this specification:
The following are property definitions in the sec namespace.
verificationMethodVerification method
See the formal definition of the term.
VerificationMethod@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2controllerController
See the formal definition of the term.
The property's value should be a URL, i.e., not a literal.
VerificationMethod@contexts:https://w3id.org/security/multikey/v1, https://w3id.org/security/jwk/v1, https://www.w3.org/ns/did/v1proofProof sets
See the formal definition of the term.
ProofGraph@contexts:https://www.w3.org/ns/credentials/v2, https://w3id.org/security/data-integrity/v2domainDomain of a proof
See the formal definition of the term.
xsd:stringProof@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2challengeChallenge of a proof
See the formal definition of the term.
xsd:stringProof@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2previousProofPrevious proof
See the formal definition of the term.
ProofProof@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2proofPurposeProof purpose
See the formal definition of the term.
VerificationRelationshipProof@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2proofValueProof value
See the formal definition of the term.
multibaseProof@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2createdProof creation time
See the formal definition of the term.
xsd:dateTimeProof@context:https://w3id.org/security/data-integrity/v2expirationExpiration time for a proof or verification method
See the formal definitions here and here.
xsd:dateTimeProofVerificationMethod@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2nonceNonce supplied by proof creator
See the formal definition of the term.
xsd:stringProof@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2authenticationAuthentication method
See the formal definition of the term.
VerificationRelationshipVerificationMethod@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2, https://www.w3.org/ns/did/v1assertionMethodAssertion method
See the formal definition of the term.
VerificationRelationshipVerificationMethod@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2, https://www.w3.org/ns/did/v1capabilityDelegationMethodCapability delegation method
See the formal definition of the term.
VerificationRelationshipVerificationMethod@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2, https://www.w3.org/ns/did/v1capabilityInvocationMethodCapability invocation method
See the formal definition of the term.
VerificationRelationshipVerificationMethod@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2, https://www.w3.org/ns/did/v1keyAgreementMethodKey agreement protocols
See the formal definition of the term.
VerificationRelationshipVerificationMethod@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2, https://www.w3.org/ns/did/v1cryptosuiteCryptographic suite
See the formal definition of the term.
cryptosuiteStringDataIntegrityProof@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2publicKeyMultibasePublic key multibase
See the formal definition of the term.
multibaseMultikey@context:https://w3id.org/security/multikey/v1secretKeyMultibaseSecret key multibase
See the formal definition of the term.
multibaseMultikey@context:https://w3id.org/security/multikey/v1publicKeyJwkPublic key JWK
See the formal definition of the term.
rdf:JSONJsonWebKey@context:https://w3id.org/security/jwk/v1secretKeyJwkSecret key JWK
See the formal definition of the term.
rdf:JSONJsonWebKey@context:https://w3id.org/security/jwk/v1revokedRevocation time
See the formal definition of the term.
xsd:dateTimeVerificationMethod@context:https://w3id.org/security/jwk/v1digestMultibaseDigest multibase
See the formal definition of the term.
multibase@context:https://www.w3.org/ns/credentials/v2The following are class definitions in the sec namespace.
ProofDigital proof
See the formal definition of the term.
previousProofdomain, challenge, previousProof, proofPurpose, proofValue, created, nonceexpiration@context:https://w3id.org/security/data-integrity/v2ProofGraphAn RDF Graph for a digital proof
proofVerificationMethodVerification method
See the formal definition of the term.
verificationMethod, authentication, assertionMethod, capabilityDelegationMethod, capabilityInvocationMethod, keyAgreementMethodcontroller, revokedexpiration@context:https://w3id.org/security/data-integrity/v2VerificationRelationshipVerification relationship
See the formal definition of the term.
rdf:PropertyproofPurposeDataIntegrityProofA Data Integrity Proof
See the formal definition of the term.
Proofcryptosuite@contexts:https://w3id.org/security/data-integrity/v2, https://www.w3.org/ns/credentials/v2MultikeyMultikey Verification Method
See the formal definition of the term.
VerificationMethodpublicKeyMultibase, secretKeyMultibase@context:https://w3id.org/security/multikey/v1JsonWebKeyJSON Web Key Verification Method
See the formal definition of the term.
VerificationMethodpublicKeyJwk, secretKeyJwk@context:https://w3id.org/security/jwk/v1Ed25519VerificationKey2020ED2559 Verification Key, 2020 version
See the formal definition of the term.
VerificationMethodEd25519Signature2020Ed25519 Signature Suite, 2020 version
See the formal definition of the term.
ProofProcessingErrorProcessing error
See the formal definition of the term.
The following are datatype definitions in the sec namespace.
cryptosuiteStringDatatype for cryptosuite Identifiers
See the formal definition of the term.
xsd:stringcryptosuite@context:https://w3id.org/security/data-integrity/v2multibaseDatatype for multibase values
See the formal definition of the term.
xsd:stringproofValue, publicKeyMultibase, secretKeyMultibase, digestMultibase@context:https://w3id.org/security/multikey/v1The following are definitions for individuals in the sec namespace.
PROOF_GENERATION_ERRORProof generation error (-16)
See the formal definition of the term.
ProcessingErrorPROOF_VERIFICATION_ERRORMalformed proof (-17)
See the formal definition of the term.
ProcessingErrorPROOF_TRANSFORMATION_ERRORMismatched proof purpose (-18)
See the formal definition of the term.
ProcessingErrorINVALID_DOMAIN_ERRORInvalid proof domain (-19)
See the formal definition of the term.
ProcessingErrorINVALID_CHALLENGE_ERRORInvalid challenge (-20)
See the formal definition of the term.
ProcessingErrorINVALID_VERIFICATION_METHOD_URLInvalid verification method URL (-21)
See the formal definition of the term.
ProcessingErrorINVALID_CONTROLLER_DOCUMENT_IDInvalid controller document id (-22)
See the formal definition of the term.
ProcessingErrorINVALID_CONTROLLER_DOCUMENTInvalid controller document (-23)
See the formal definition of the term.
ProcessingErrorINVALID_VERIFICATION_METHODInvalid verification method (-24)
See the formal definition of the term.
ProcessingErrorINVALID_PROOF_PURPOSE_FOR_VERIFICATION_METHODInvalid proof purpose for verification method (-25)
See the formal definition of the term.
ProcessingErrorAll terms in this section are reserved. Implementers may use these properties, but should expect them and/or their meanings to change during the process to normatively specify them.
The following are reserved property definitions in the sec namespace.
allowedActionAllowed action (reserved)
See the formal definition of the term.
capabilityChainCapability chain (reserved)
See the formal definition of the term.
capabilityActionCapability action (reserved)
See the formal definition of the term.
caveatCaveat (reserved)
See the formal definition of the term.
delegatorDelegator (reserved)
See the formal definition of the term.
invocationTargetInvocation target (reserved)
See the formal definition of the term.
invokerInvoker (reserved)
See the formal definition of the term.
All terms in this section are deprecated, and are only kept in this vocabulary for backward compatibility.
New applications should not use them.
The following are deprecated property definitions in the sec namespace.
blockchainAccountIdBlockchain account ID (deprecated)
See the formal definition of the term.
xsd:stringethereumAddressEthereum address (deprecated)
See the formal definition of the term.
xsd:stringpublicKeyBase58Base58-encoded Public Key (deprecated)
See the formal definition of the term.
xsd:stringpublicKeyPemPublic key PEM (deprecated)
See the formal definition of the term.
xsd:stringpublicKeyHexHex-encoded version of public Key (deprecated)
See the formal definition of the term.
xsd:stringjwsJson Web Signature (deprecated)
See the formal definition of the term.
The following are deprecated class definitions in the sec namespace.
KeyCryptographic key (deprecated)
EcdsaSecp256k1Signature2019ecdsa-sep256k1, 2019 version (deprecated)
See the formal definition of the term.
EcdsaSecp256k1Signature2020ecdsa-sep256k1, 2020 version (deprecated)
See the formal definition of the term.
EcdsaSecp256k1VerificationKey2019ecdsa-secp256k1 verification key, 2019 version (deprecated)
See the formal definition of the term.
KeyEcdsaSecp256k1RecoverySignature2020ecdsa-secp256k1 recovery signature, 2020 version (deprecated)
See the formal definition of the term.
EcdsaSecp256k1RecoveryMethod2020ecdsa-secp256k1 recovery method, 2020 version (deprecated)
See the formal definition of the term.
MerkleProof2019Merkle Proof (deprecated)
See the formal definition of the term.
X25519KeyAgreementKey2019X25519 Key Agreement Key, 2019 version (deprecated)
See the formal definition of the term.
Ed25519VerificationKey2018ED2559 Verification Key, 2018 version (deprecated)
See the formal definition of the term.
JsonWebKey2020JSON Web Key, 2020 version (deprecated)
See the formal definition of the term.
JsonWebSignature2020JSON Web Signature, 2020 version (deprecated)
See the formal definition of the term.
BbsBlsSignature2020BBS Signature, 2020 version (deprecated)
See the formal definition of the term.
BbsBlsSignatureProof2020BBS Signature Proof, 2020 version (deprecated)
See the formal definition of the term.
Bls12381G1Key2020BLS 12381 G1 Signature Key, 2020 version (deprecated)
See the formal definition of the term.
Bls12381G2Key2020BLS 12381 G2 Signature Key, 2020 version (deprecated)
See the formal definition of the term.
The diagram uses boxes, ellipses, and connecting lines with different "styles" (border color, end marker, line type) to differentiate their semantic meaning; these styles identify "Property", "Class", or "Datatype" via the shapes used for the graph nodes, and "Superclass", "Domain Of", "Range", "Type", or "Contains", via the styles of the connecting lines. In particular, all ellipses are styled as "Class". These style names are used in the explanation text that follows, below.
The diagram is roughly divided into three sections — lower left, lower right, and upper. To make this description easier to understand, these sections will be respectively referred to as the "Proof", "Verification Method", and "Verification Relationship" sections. The three sections are connected by lines of different types; additionally, one box, labeled as "multibase", and having shape "Datatype", is shared by the two lower sections ("Proof" and "Verification Method").
Each of these sections has an ellipse at the top, labeled as "Proof", "VerificationMethod", and "VerificationRelationship", respectively.
The left side of the section contains another ellipse, labeled as "ProofGraph", and connected to the ellipse labeled as "Proof" with a connecting line, styled as "Contains". A separate box, styled as "Property" and labeled as "proof", is connected to the ellipse labeled as "ProofGraph", with a connecting line styled as "Range".
There are two more ellipses in this section, labeled as "Ed25519Signature2020" and "DataIntegrityProof", respectively, each connected to the ellipse labeled as "Proof" through connecting lines styled as "Superclass". The ellipse labeled as "DataIntegrityProof" is also connected to a box, styled as "Property" and labeled as "cryptosuite", with a connecting line styled as "Domain Of". The "cryptosuite" Property box is connected to a shape, styled as "Datatype" and labeled as "cryptosuiteString", with a connecting line styled as "Range".
The right side of the section contains a column of labeled boxes, all styled as "Property". The labels, from top to bottom, are "previousProof", "domain", "challenge", "nonce", "created", and "proofValue". The ellipse, labeled as "Proof", is connected to all of these with connecting lines styled as "Domain Of". The box labeled as "previousProof" is also connected to the ellipse, labeled as "Proof", with a connecting line styled as "Range". The box labeled as "proofValue" is connected to a shape, styled as "Datatype" and labeled as "multibase", with a connecting line styled as "Range". Finally, another box, styled as "Property" and labeled as "digestMultibase", is connected to the same "multibase" shape, styled as "Datatype", with a connecting line styled as "Range".
The left side of this section contains a column of three labeled boxes, all styled as "Property". The labels, from top to bottom, are "expires", "controller", and "revoked". Each of these is connected to the ellipse, labeled "VerificationMethod", with connecting lines styled as "Domain Of". The "expires" "Property" box is also connected to the ellipse labeled "Proof" in the Proof section, with a connecting line styled as "Domain Of".
There is also a distinct box, styled as "Property" and labeled as "verificationMethod". This box is connected to the ellipse, labeled as "VerificationMethod", with a connecting line styled as "Range".
The middle of this section contains three more ellipses, labeled as "Multikey, "Ed25519VerificationKey2020", and "JsonWebKey", respectively. Each of these is connected to the ellipse, labeled as "VerificationMethod", with a connecting line styled as "Superclass".
Two boxes, styled as "Property" and labeled as "secretKeyMultibase" and "publicKeyMultibase", respectively, are connected to the ellipse labeled as "Multikey" with a connecting line styled as "Domain Of". Each of these boxes is also connected to the shape in the Proof section, styled as "Datatype" and labeled as "multibase", with connecting lines styled as "Range".
Finally, two boxes, styled as "Property" and labeled as "secretKeyJwk" and "publicKeyJwk", respectively, are connected to the ellipse labeled "JsonWebKey", with a connecting line styled as "Domain Of". Both boxes are also connected to a shape, styled as "Datatype" and labeled as "rdf:JSON", with connecting lines styled as "Range".
The left side of the section contains a single box, styled as "Property" and labeled as "proofPurpose". This box is connected to the ellipse, labeled as "VerificationRelationship", with a connecting line styled as "Range". It is also connected to the ellipse in the Proof section, labeled "Proof", with a connecting line styled as "Domain Of".
The right side of the section contains a column of labeled boxes, all styled as "Property". The labels, from top to bottom, are "verificationMethod", "authentication", "assertionMethod", "capabilityDelegation", "capabilityInvocation", and "keyAgreement". Each of these boxes is connected to the ellipse in the Verification Method section, labeled "VerificationMethod", with a connecting line styled as "Range". Finally, each of these boxes is also connected to the ellipse, labeled "VerificationRelationship", with a connecting line styled as "Type".