vc-data-model
Define a standard way to use Credential Schemas for Credential Subjects
Follow up from the TPAC talk on September 16th on using JSON Schemas to define the data-shape for credential subjects.
Overview
There was a draft in the CCG a few years ago that had some moderate adoption: https://w3c-ccg.github.io/vc-json-schemas/v1/index.html
New draft could use some tlc: https://w3c-ccg.github.io/vc-json-schemas/v2/index.html
Notes from TPAC
- Agree to not require using JSON Schemas as a normative requirement
- We should define what JsonSchemaValidator2018 means -- or a new one for the current year.
- We need a way to show which versions of JSON Schema are supported. There are a number of drafts in the IETF, the latest: https://json-schema.org/draft/2020-12/json-schema-core.html
- Mentions of using Open API, how could that be useful here?
- Some related work in JSON-LD/YAML-LD in wanting to use JSON Schemas to look into
- Related: a JSON Schema to define the VCDM
For the spec:
- Need to support Data Integrity and JWT representations as options
- Identifier, authorship, versioning needs to be solid
- Need to be careful about overlapping validation considerations (e.g. you could define a regex for an issuer's DID in a JSON schema) - what does it mean to have a 'valid' credential?
Asks
- Looking for whether it makes sense to continue developing the v2 of the spec in the CCG or move it here, if so what's the path?
- Who is interested in helping out with defining this all? Can use help 😄 (@dezell @OR13 I heard you express interest)
- Let's get this into a test suite (cc: @msporny)
How can I help here?
@darrellodonnell I plan on discussing this on the next wg call to forge the best path forward. Perhaps for now the best thing to do is get towards a really solid draft here: https://github.com/w3c-ccg/vc-json-schemas?
Open to your suggestions
The next wg call is the one tomorrow right? The W3C VC call? @decentralgabe
I've made some significant changes to the latest draft, and opened up a number of issues which I could use help with. Those interested please take a look at the draft and issues and consider making a contribution: https://w3c-ccg.github.io/vc-json-schemas/
Some thoughts / questions:
- How is this specification progressed? Is the CCG still the right place?
- How do we refer to this and other specifications/types to be used in the credentialSchema property?
- How do we specify which property/ies in the VCDM a credentialSchema refers to? (e.g. perhaps just the credentialSubject)
- Is it possible to have multiple credential schemas for a single credential? How should they be processed?
Is it possible to have multiple credential schemas for a single credential? How should they be processed?
Interesting. Thus, requiring an array of schemas for a credential, right?
Some other open thoughts - Should any schema be allowed to be a remote schema? How or should there be a guarantee of the integrity of the schema definitions relative to the properties that it's meant to describe?
Maybe this is not relevant for this idea you have here, @decentralgabe?
I'd be happy to help with this as well.
Interesting. Thus, requiring an array of schemas for a credential, right?
yes! this would require a change here
Should any schema be allowed to be a remote schema? How or should there be a guarantee of the integrity of the schema definitions relative to the properties that it's meant to describe?
What do you mean by remote? I imagine it points to a URI, which is likely always remote. For integrity... can you expand on what you mean a bit? The draft I have has a section on signing over the credentials. There is a section on interop with JSON-LD which may speak to the interop you're referring to.
I think the credentialSchema property should be an array because there is no one standard JSON schema validation language. So each element in the array will point to one JSON schema definition and will name the JSON schema language that is used to validate it.
@David-Chadwick have you taken a look at https://w3c-ccg.github.io/vc-json-schemas?
This lets you define some more processing rules around what a schema is and how you use it, including which JSON schema validation language you should use. I like this approach because you'll need to resolve the URI for the credentialSchema anyway, and it might as well give you other helpful information on how to handle it.
What do you mean by remote? I imagine it points to a URI, which is likely always remote. For integrity... can you expand on what you mean a bit? The draft I have has a section on signing over the credentials. There is a section on interop with JSON-LD which may speak to the interop you're referring to.
Yes, I was thinking remote = URI in my head. Maybe it was a better question in my head than said out loud. Certainly, a property credentialSchema that is an array of URIs makes logistical sense. One reason for the 'remote' question lends itself to my second question about schema integrity....
It seems like a desirable security feature (to me) to have a schema(s) referral via URI be an immutable reference between the VC whose properties are defined and validatable against the schema that it refers to.
I've been part of some conversations before where it's been proposed that even the schemas are signed and the URI reference to the schema from the VC schema property is the resolvable address of a schema VC.
I wager that I'm straying from your original intentions here so I don't mean to cause any confusion - it's just something that's on my wishlist for schema as a way to express a given credential's composable definition.
@sbutterfield
It seems like a desirable security feature (to me) to have a schema(s) referral via URI be an immutable reference between the VC whose properties are defined and validatable against the schema that it refers to.
Agreed
I've been part of some conversations before where it's been proposed that even the schemas are signed and the URI reference to the schema from the VC schema property is the resolvable address of a schema VC.
Yes also agreed. I intend for this spec to be used to sign schemas which are remote.
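Added example, not part of the thread or of any draft: one way a verifier could treat each credentialSchema entry as an immutable reference, by pinning the schema's hash inside the signed credential and checking it before validating the credentialSubject. The `digestSHA256` field name, the schema URI, the `resolve` callback and the minimal `check_subject` validator are assumptions made for illustration; proof verification is out of scope here.

```python
import hashlib
import json

SCHEMA_URI = "https://schemas.example/email.json"  # constructed placeholder URI

# Constructed sample: the schema as published when the credential was issued.
ORIGINAL = json.dumps({
    "type": "object",
    "required": ["id", "emailAddress"],
    "properties": {"id": {"type": "string"}, "emailAddress": {"type": "string"}},
}).encode()
# Constructed sample: the same URI later serving a loosened schema.
LOOSENED = ORIGINAL.replace(b'["id", "emailAddress"]', b'["id"]')

def make_credential(subject):
    """Credential whose credentialSchema array pins the schema by hash."""
    return {
        "credentialSubject": subject,
        "credentialSchema": [{
            "id": SCHEMA_URI,
            "type": "JsonSchemaValidator2018",
            # Hypothetical field name; it must sit inside the signed payload.
            "digestSHA256": hashlib.sha256(ORIGINAL).hexdigest(),
        }],
    }

def check_subject(schema, subject):
    """Tiny subset of JSON Schema (required + string type) for the demo."""
    errors = [f"missing {k}" for k in schema.get("required", []) if k not in subject]
    for name, rule in schema.get("properties", {}).items():
        if name in subject and rule.get("type") == "string" and not isinstance(subject[name], str):
            errors.append(f"{name} is not a string")
    return errors

def verify_schemas(credential, resolve):
    """Check every credentialSchema entry: digest first, then the subject."""
    entries = credential.get("credentialSchema", [])
    if isinstance(entries, dict):  # tolerate the single-object form
        entries = [entries]
    results = {}
    for entry in entries:
        body = resolve(entry["id"])  # bytes fetched from the schema URI
        if hashlib.sha256(body).hexdigest() != entry.get("digestSHA256"):
            results[entry["id"]] = ["schema digest mismatch"]
            continue
        results[entry["id"]] = check_subject(json.loads(body), credential["credentialSubject"])
    return results

if __name__ == "__main__":
    cred = make_credential({"id": "did:example:subject"})
    print(verify_schemas(cred, lambda uri: ORIGINAL))
    print(verify_schemas(cred, lambda uri: LOOSENED))
```

Without the pinned digest, the loosened schema served from the same URI would accept the subject that the original schema rejects.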
The issue was discussed in a meeting on 2022-11-09
- no resolutions were taken
2.2. Define a standard way to use Credential Schemas for Credential Subjects (issue vc-data-model#933)
See github issue vc-data-model#933.
Gabe Cohen: https://w3c-ccg.github.io/vc-json-schemas/.
Gabe Cohen: 933 makes use of credential schema property, we should have at least one official implementation of how to reference the JsonSchemaValidator2018 property. Need some help mostly been myself working on it. Also need to know if we should bring it into wg.
… how does the credentialSchema property apply to the rest of the credential, initially wanted it to apply to credentialSubject, but see value in applying to rest of credential. Curious on thoughts and people willing to work on it.
Manu Sporny: +1 to use concrete mechanism for credentialSchema use, Gabe I noted there's some language that is concerning. This is not only talking about how to apply credentialSchema, there are notes about making @context optional as you can imagine there is pushback there, but there is a narrower scope that can be supported.
… if the issuer specifies something in the field, does this influence the credential in any way? It helps with specifying trusted issuer/verifier lists, with a schema that these credentials should conform to, so the issuer is not on the hook for specifying it. +1 for specifying it, +1 to being additive, +1 to being one of many schemas, just do not eat at the core datamodel.
Kristina Yasuda: I don't think this is mature enough, should be worked on at CCG while we acknowledge its value.
Manu Sporny: +1 to "how they can be used together".
Gabe Cohen: I agree it's not quite ready, the intention is not to be at odds with JSON-LD, would love input into how to be used together.
This solution covers the entire JSON object:
- https://github.com/transmute-industries/vc-credential-schema-open-api-specification
including credential, metadata, and proof.
Closing, being worked on here: https://github.com/w3c/vc-json-schema