vc-data-model
vc-data-model copied to clipboard
w3c
Suggest to make explicit reference to the JADES standard
Digital Signatures in Europe are regulated by the eIDAS directive, which sets mandatory technical specifications for legally admissible digital signatures in Europe. There are a range of different signature options, covering enveloped, enveloping and detached signatures, with different 'baselines' which essentially add signed timestamps to a file for long-term preservation.
An example of a JADES-LTA signed credential is attached to this issue - this one contains the highest level of assurance, with extendable long-term archiving timestamps - as produced by the DSS libraries (reference libraries for implementing the JADES standards, distributed by the European Commission to all member states).
Given the geographic scope of JADES (27 countries adopting this standard through legislation),and the sheer number of users that will be covered by the implementation, I would suggest that at minimum the standard would recognise the existence of the JADES standard, and that JADES standards can be used with verifiable credentials, and are RECOMMENDED for users based in the EU.
The appropriate reference would be to (TS 119 182-1 - V1.1.1 - Electronic Signatures and Infrastructures (ESI); JAdES digital signatures; Part 1: Building blocks and JAdES baseline signatures (etsi.org)).
I'm not opposed to seeing an example in the spec that has been secured using JAdES, but the WG will need to come to consensus on that.
Has it been listed in the VC Specifications Directory as a viable securing mechanism? That should be the first step regardless.
@anthonycamilleri wrote:
@brentzundel added as w3c/vc-specs-dir#36
This has been merged and included in the VC Specs Directory.
I'll note that the example linked to above is really big and verbose. Do you think you could add a JADES extension to respec-vc? That is what we use to generate the digitally signed examples. We could include JADES as another tab in some of the examples if you did so.
In any case, we should capitalize JAdES (the "JSON format for AdES Signatures") correctly, painful though it may be...
The issue was discussed in a meeting on 2024-06-05
- no resolutions were taken
View the transcript
6.1. Suggest to make explicit reference to the JADES standard (issue vc-data-model#1481)
See github issue vc-data-model#1481.
Brent Zundel: suggestion to make explicit reference to JADES standard.
… request is to have an example in our spec of how to do this.
Manu Sporny: I prefer not to include a big example, things signed with JADES are like 100KB blobs, adding an example would not demonstrate anything.
Dmitri Zagidulin: can we /link/ to a JADES example?
Manu Sporny: request to normatively say it is totally fine to use JADES, we shouldn't do that either.
… we do in the spec mention a variety of other securing formats, we mention JWT, CWT, mDL, Gordian Envelopes, etc, can add JADES to list.
Brent Zundel: +1 to adding to that list.
Brent Zundel: proposal is to link to JADES as we have linked to other securing mechanisms.
Phillip Long: +1 to that.
Brent Zundel: if you are opposed jump into the issue and tell us, otherwise that is what we will do.
… thanks to all for being here.
Ivan Herman: +1 for me as well.
PR #1501 has been raised to address this issue. This issue will be closed once PR #1501 has been merged.
The issue was discussed in a meeting on 2024-06-12
- no resolutions were taken
View the transcript
2.2. Add reference to JAdES standard in Ecosystem Compatability. (pr vc-data-model#1501)
See github pull request vc-data-model#1501.
See github issue vc-data-model#1481.
Brent Zundel: pull request 1501. the related issue is 1481. 1481 says -- we have a JADES impl of securing a VC, and think the spec should note that. this PR adds a link to JADES for ecosystem compatibility -- already has anoncreds, ACDC, many other 'vc-like' things that should be compatible with this spec.
… want to give folks a chance to look at it if they have not yet. it will be merged.