From 3f9b0b249949bbca8698e780398cf29a9b21159d Mon Sep 17 00:00:00 2001
From: Ivan Herman
verify the proof.
- Proofs
by a verifier during the verification process.
Proofs
specified as an [[XMLSCHEMA11-2]] combined date and time string.
Proofs
`b31d37d4-dd59-47d3-9dd8-c973da43b63a` (UUID).
Proofs
`1235abcd6789`, `79d34551-ae81-44ae-823b-6dadbab9ebd4`, and `ruby`.
Proofs
Add Proof Algorithm.
Verification Methods
The `verificationMethod` property is OPTIONAL. If present, the value @@ -873,7 +873,7 @@
+ In general, the terms — i.e., the properties and classes — used in the VCDM are formally specified in + Recommendation Track documents published by the W3C Verifiable Credentials + Working Group or, for some deprecated or reserved terms, in Reports published by the W3C Credentials Community Group. In each case of such external + definition, the term's description in this document contains a link to the relevant specification. Additionally, the + `rdfs:definedBy` property in the RDFS representation(s) refers to the formal specification. +
++ In some cases, a local explanation is necessary to complement, or to replace, the definition found in an external + specification. For instance, this is so when the term is needed to provide a consistent structure to the RDFS + vocabulary, such as when the term defines a common supertype for class instances that are used as objects of + specific properties, or when RDF Graphs are + involved. For such cases, the extra definition is included in the current document (and the `rdfs:comment` property + is used to include them in the RDFS representations). +
+This specification makes use of the following namespaces:
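Review bot: `rdfs:definedBy` in the last sentence of the first added paragraph is not a property of the RDF Schema vocabulary; the RDFS term is `rdfs:isDefinedBy`, so an RDFS consumer following the link from a term to its formal specification will not recognise the predicate the text promises. Suggest changing `the rdfs:definedBy property` to `the rdfs:isDefinedBy property` here and confirming that the generated RDFS representations emit that same predicate, since the prose and the generated output need to agree on it.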
@@ -132,7 +152,7 @@All terms in this section are reserved. + Implementers may use these properties, but should expect them and/or their meanings to change during the process to + normatively specify them. +
+ +All terms in this section are deprecated, and are only kept in this vocabulary for backward compatibility.
New applications should not use them.
diff --git a/vocab/security/vocabulary.yml b/vocab/security/vocabulary.yml
index 0cd5c461..fb264bea 100644
--- a/vocab/security/vocabulary.yml
+++ b/vocab/security/vocabulary.yml
@@ -20,353 +20,216 @@ ontology:
class:
- id: Proof
label: Digital proof
- comment: |
- This class represents a digital proof on serialized data.
+ comment: This class represents a digital proof on serialized data.
- id: ProofGraph
label: An RDF Graph for a digital proof
- comment: Instances of this class are RDF Graphs, where each of these graphs must include exactly one Proof.
+ comment: Instances of this class are RDF Graphs [[RDF12-CONCEPTS]], where each of these graphs must include exactly one Proof.
- id: VerificationMethod
label: Verification method
- comment: A Verification Method class can express different verification methods, such as cryptographic public keys, which can be used to authenticate or authorize interaction with the `controller` or associated parties. Verification methods might take many parameters.
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#verification-methods
- id: DataIntegrityProof
label: A Data Integrity Proof
upper_value: sec:Proof
- comment: This class represents a data integrity proof used to encode a variety of cryptographic suite proof encodings.
- see_also:
- - label: vc-data-integrity
- url: https://www.w3.org/TR/vc-data-integrity/#dataintegrityproof
-
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#dataintegrityproof
+
- id: Multikey
label: Multikey Verification Method
upper_value: sec:VerificationMethod
- comment: Verification method to be used with, for example, data integrity proof cryptographic suites, such as the eddsa-2022 cryptographic suite. See the EdDSA Cryptosuite v2022 specification for further details.
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#multikey
see_also:
- label: EdDSA Cryptosuite v2022
url: https://www.w3.org/TR/vc-di-eddsa/#multikey
- - id: Ed25519Signature2020
- label: Ed25519 Signature Suite, 2020 version
- upper_value: sec:Proof
- deprecated: true
- comment: T.B.D.
-
-# These are the class definitions in the CCG documents that are not defined in the VCWG document; they are all deprecated
-
- id: Key
- deprecated: true
label: Cryptographic key
- comment: This class represents a cryptographic key that may be used for encryption, decryption, or digitally signing data.
+ comment: This class represents a cryptographic key that may be used for encryption, decryption, or digitally signing data. This class serves as a supertype for specific key types.
- - id: Signature
- deprecated: true
- label: Digital signature
+ - id: Ed25519VerificationKey2020
+ label: ED2559 Verification Key, 2020 version
+ upper_value: sec:Key
+ defined_by: https://www.w3.org/TR/vc-di-eddsa/#ed25519verificationkey2020
+ comment: A linked data proof suite verification method type used with Ed25519Signature2020.
+
+ - id: Ed25519Signature2020
+ label: Ed25519 Signature Suite, 2020 version
upper_value: sec:Proof
- comment: |
- This class represents a digital signature on serialized data. It is an abstract class and should not be used other than for Semantic Web reasoning purposes, such as by a reasoning agent. This class MUST NOT be used directly, but only through its subclasses.
+ defined_by: https://www.w3.org/TR/vc-di-eddsa/#ed25519signature2020
- - id: SignatureGraph
- deprecated: true
- label: An RDF Graph for a digital signature
- upper_value: sec:ProofGraph
- comment: Instances of this class are RDF Graphs, where each of these graphs must include exactly one Signature.
+# These are the class definitions in the CCG documents that are not defined in a VCWG document; they are all deprecated
+# In some cases a ccg document was found and used for the definition, but in some cases even that is missing...
+
+
- id: EcdsaSecp256k1Signature2019
deprecated: true
- label: TBD.
- upper_value: sec:Signature
- comment: This class represents a data integrity signature suite.
- see_also:
- - label: ecdsa-sep256k1
- url: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsa-secp256k1
+ label: ecdsa-sep256k1, 2019 version
+ defined_by: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsa-secp256k1
- id: EcdsaSecp256k1Signature2020
deprecated: true
- label: TBD.
- upper_value: sec:Signature
- comment: This class represents a data integrity signature suite.
- see_also:
- - label: ecdsa-sep256k1
- url: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsa-secp256k1
-
- - id: EcdsaSecp256k1RecoverySignature2020
- deprecated: true
- label: TBD.
- upper_value: sec:Signature
- comment: This class represents a data integrity signature.
- see_also:
- - label: ecdsasecp256k1recoverysignature2020
- url: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsasecp256k1recoverysignature2020
+ label: ecdsa-sep256k1, 2020 version
+ defined_by: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsa-secp256k1
- id: EcdsaSecp256k1VerificationKey2019
deprecated: true
- label: TBD.
+ label: ecdsa-secp256k1 verification key, 2019 version
+ defined_by: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsasecp256k1recoverysignature2020
upper_value: sec:Key
- comment: This class represents a data integrity verification method.
- see_also:
- - label: ecdsa-secp256k1
- url: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsa-secp256k1
-
- - id: EcdsaSecp256k1RecoveryMethod2020
- deprecated: true
- label: TBD.
- upper_value: sec:Key
- comment: This class represents a data integrity verification method.
- see_also:
- - label: ecdsasecp256k1recoverymethod2020
- url: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsasecp256k1recoverymethod2020
- - id: RsaSignature2018
- deprecated: true
- label: Signature Suite for RSA (was deprecated in the CCG document)
- upper_value: sec:Signature
- comment: This class represents a data integrity signature suite.
- see_also:
- - label: RSA registry entry
- url: https://w3c-ccg.github.io/ld-cryptosuite-registry/#rsa
-
- - id: RsaVerificationKey2018
- deprecated: true
- label: Verification Key for RSA (was deprecated in the CCG document)
- upper_value: sec:Key
- comment: This class represents a data integrity verification method.
- see_also:
- - label: RSA registry entry
- url: https://w3c-ccg.github.io/ld-cryptosuite-registry/#rsa
-
- - id: SchnorrSecp256k1Signature2019
- deprecated: true
- label: TBD.
- upper_value: sec:Signature
- comment: This class represents a data integrity signature suite.
-
- - id: SchnorrSecp256k1VerificationKey2019
- deprecated: true
- label: TBD.
- upper_value: sec:Key
- comment: This class represents a data integrity verification method.
-
- - id: ServiceEndpointProxyService
- deprecated: true
- label: TBD.
- comment: T.B.D.
-
- - id: Digest
- deprecated: true
- label: Message digest
- comment: This class represents a message digest that may be used for data integrity verification. The digest algorithm used will determine the cryptographic properties of the digest.
-
- - id: EncryptedMessage
- deprecated: true
- label: Encrypted message
- comment: A class of messages that are obfuscated in some cryptographic manner. These messages are incredibly difficult to decrypt without the proper decryption key.
-
- - id: GraphSignature2012
- deprecated: true
- label: RDF graph signature
- upper_value: sec:Signature
- comment: |
- A graph signature is used for digital signatures on RDF graphs. The default canonicalization mechanism is specified in the RDF Graph normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature.
-
- - id: LinkedDataSignature2015
+ - id: EcdsaSecp256k1RecoverySignature2020
deprecated: true
- label: Linked data signature, 2015 version (was deprecated in the CCG document)
- upper_value: sec:Signature
- comment: |
- A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature.
-
- - id: LinkedDataSignature2016
+ label: ecdsa-secp256k1 recovery signature, 2020 version
+ defined_by: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsasecp256k1recoverysignature2020
+
+ - id: EcdsaSecp256k1RecoveryMethod2020
deprecated: true
- label: Linked data signature, 2016 version (was deprecated in the CCG document)
- upper_value: sec:Signature
- comment: |
- A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and RSA to perform the digital signature.
+ label: ecdsa-secp256k1 recovery method, 2020 version
+ #upper_value: sec:Key
+ defined_by: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsasecp256k1recoverymethod2020
- id: MerkleProof2019
deprecated: true
label: Merkle Proof
- upper_value: sec:Signature
- comment: |
- Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which effectively deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and ECDSA to perform the digital signature.
- see_also:
- - label: Merkle Proof 2019
- url: https://w3c-ccg.github.io/lds-merkle-proof-2019/
+ defined_by: https://w3c-ccg.github.io/lds-merkle-proof-2019/
- id: X25519KeyAgreementKey2019
deprecated: true
- label: X25519 Key Agreement Key 2019
- upper_value: sec:Key
- comment: This class represents a verification key.
+ label: X25519 Key Agreement Key, 2019 version
+ #upper_value: sec:Key
+ defined_by: https://w3c-ccg.github.io/security-vocab/#X25519KeyAgreementKey2019
- id: Ed25519VerificationKey2018
deprecated: true
label: ED2559 Verification Key, 2018 version
- upper_value: sec:Key
- comment: This class represents a data integrity verification method.
- see_also:
- - label: eddsa-ed25519 registry entry
- url: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ed25519
-
- - id: Ed25519VerificationKey2020
- deprecated: true
- label: ED2559 Verification Key, 2020 version
- upper_value: sec:Key
- comment: A linked data proof suite verification method type used with `Ed25519Signature2020`.
+ defined_by: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ed25519
+ #upper_value: sec:Key
- id: JsonWebKey2020
deprecated: true
label: JSON Web Key, 2020 version
- upper_value: sec:Key
+ #upper_value: sec:Key
+ defined_by: https://w3c-ccg.github.io/security-vocab/#JsonWebKey2020
comment: A linked data proof suite verification method type used with `JsonWebSignature2020`
- id: JsonWebSignature2020
deprecated: true
label: JSON Web Signature, 2020 version
- upper_value: sec:Signature
- comment: |
- A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. The default signature mechanism uses a SHA-256 digest and JWS to perform the digital signature.
+ defined_by: https://w3c-ccg.github.io/security-vocab/#JsonWebSignature2020
- id: BbsBlsSignature2020
deprecated: true
label: BBS Signature, 2020 version
- upper_value: sec:Signature
- comment: |
- A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. Importantly, a `BbsBlsSignature` digests each of the statements produced by the normalization process individually to enable selective disclosure. The signature mechanism uses Blake2B as the digest for each statement and produces a single output digital signature.
+ defined_by: https://w3c-ccg.github.io/security-vocab/#BbsBlsSignature2020
- id: BbsBlsSignatureProof2020
deprecated: true
label: BBS Signature Proof, 2020 version
- upper_value: sec:Signature
- comment: |
- A Linked Data signature is used for digital signatures on RDF Datasets. The default canonicalization mechanism is specified in the RDF Dataset Normalization specification, which deterministically names all unnamed nodes. Importantly, a `BbsBlsSignatureProof2020` is in fact a proof of knowledge of an unrevealed BbsBlsSignature2020 enabling the ability to selectively reveal information from the set that was originally signed. Each of the statements produced by the normalizing process for a JSON-LD document featuring a `BbsBlsSignatureProof2020` represent statements that were originally signed in producing the `BbsBlsSignature2020` and represent the denomination under which information can be selectively disclosed. The signature mechanism uses Blake2B as the digest for each statement and produces a single output digital signature.
+ defined_by: https://w3c-ccg.github.io/security-vocab/#BbsBlsSignatureProof2020
- id: Bls12381G1Key2020
deprecated: true
label: BLS 12381 G1 Signature Key, 2020 version
- upper_value: sec:Key
- comment: This class represents a data integrity signature key.
- see_also:
- - label: eddsa-ed25519 registry entry
- url: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ed25519
+ #upper_value: sec:Key
+ defined_by: https://w3c-ccg.github.io/security-vocab/#Bls12381G1Key2020
- id: Bls12381G2Key2020
deprecated: true
label: BLS 12381 G2 Signature Key, 2020 version
- upper_value: sec:Key
- comment: This class represents a data integrity signature key.
- see_also:
- - label: eddsa-ed25519 registry entry
- url: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ed25519
+ #upper_value: sec:Key
+ defined_by: https://w3c-ccg.github.io/security-vocab/#Bls12381G2Key2020
property:
- id: verificationMethod
label: Verification method
range: sec:VerificationMethod
- comment: A `verificationMethod` property is used to specify a URL that contains information used for proof verification.
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-verificationmethod
see_also:
- label: Decentralized Identifiers (DIDs) v1.0
url: https://www.w3.org/TR/did-core/#verification-methods
+ - id: controller
+ label: Controller
+ domain: sec:VerificationMethod
+ range: IRI
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#defn-controller
+
+ - id: proof
+ label: Proof sets
+ range: sec:ProofGraph
+ comment: The value of property must identify ProofGraph instances (informally, it indirectly identifies Proof instances, each contained in a separate graph). The property is used to associate a proof with a graph of information. The proof property is typically not included in the canonicalized graphs that are then digested and digitally signed. The order of the proofs is not relevant. There is no URL yet in a VCWG document to define this term.
+
- id: domain
label: Domain of a proof
domain: sec:Proof
range: xsd:string
- comment: The `domain` property is used to associate a domain with a proof, for use with a `proofPurpose` such as `authentication` and indicating its intended usage.
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#defn-domain
- id: challenge
- label: Challenge with a proof
+ label: Challenge of a proof
domain: sec:Proof
range: xsd:string
- comment: The challenge property is used to associate a challenge with a proof, for use with a `proofPurpose` such as `authentication`. This string value SHOULD be included in a proof if a `domain` is specified.
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#defn-challenge
- id: previousProof
label: Previous proof
domain: sec:Proof
range: sec:Proof
- comment: The `previousProof` property is used to identify a proof that MUST be verified before the proof that contains this property.
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-previousproof
- id: proofPurpose
label: Proof purpose
domain: sec:Proof
range: xsd:string
- comment: The` proofPurpose` property is used to associate a purpose, such as `assertionMethod` or `authentication` with a proof. The proof purpose acts as a safeguard to prevent the proof from being misused by being applied to a purpose other than the one that was intended.
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-proofpurpose
- id: proofValue
label: Proof value
domain: sec:Proof
range: xsd:string
- comment: A string value that contains the data necessary to verify the digital proof using the `verificationMethod` specified
-
- - id: proof
- label: Proof sets
- range: sec:ProofGraph
- comment: The value of the `proof` property MUST identify `ProofGraph` instances (informally, it indirectly identifies `Proof` instances, each contained in a separate graph). The property is used to associate a proof with a graph of information. The proof property is typically not included in the canonicalized graphs that are then digested and digitally signed. The order of the proofs is not relevant.
-
- - id: controller
- label: Controller
- domain: sec:VerificationMethod
- range: IRI
- comment: |
- A controller is an entity that claims control over a particular resource. Note that control is best validated as a two-way relationship, where the controller claims control over a particular resource, and the resource clearly identifies its controller.
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-proofvalue
- id: authentication
label: Authentication method
- range: VerificationMethod
- comment: An `authentication` property is used to specify a URL that contains information about a `verificationMethod` used for authentication.
+ range: sec:VerificationMethod
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-authentication
- id: assertionMethod
label: Assertion method
- range: VerificationMethod
- comment: An `assertionMethod` property is used to specify a URL that contains information about a `verificationMethod` used for assertions.
+ range: sec:VerificationMethod
+ defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-assertionmethod
- id: capabilityDelegation
label: Capability Delegation Method
- range: VerificationMethod
- comment: |
-
A `capabilityDelegation` property is used to express that one or more `verificationMethods` are authorized to verify cryptographic proofs that were created for the purpose of delegating capabilities.
-A `verificationMethod` may be referenced by its identifier (a URL) or expressed in full.
-The aforementioned proofs are created to prove that some entity is delegating the authority to take some action to another entity. A verifier of the proof should expect the proof to express a `proofPurpose` of `capabilityDelegation` and reference a `verificationMethod` to verify it. The dereferenced `verificationMethod` MUST have a controller property that has a property of `capabilityDelegation` that references the `verificationMethod`. This indicates that the controller has authorized it for the expressed `proofPurpose`.
+ range: sec:VerificationMethod + defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-capabilitydelegation - id: capabilityInvocation label: Capability Invocation Method - range: VerificationMethod - comment: | -A `capabilityInvocation` property is used to express that one or more `verificationMethods` are authorized to verify cryptographic proofs that were created for the purpose of invoking capabilities.
-A `verificationMethod` MAY be referenced by its identifier (a URL) or expressed in full.
-The aforementioned proofs are created to prove that some entity is attempting to exercise some authority they possess to take an action. A verifier of the proof should expect the proof to express a `proofPurpose` of `capabilityInvocation` and reference a `verificationMethod` to verify it. The dereferenced `verificationMethod` MUST have a controller property that, when dereferenced, has a property of `capabilityInvocation` that references the `verificationMethod.` This indicates that the controller has authorized it for the expressed `proofPurpose`.
- + range: sec:VerificationMethod + defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-capabilityinvocation + - id: keyAgreement label: Key agreement protocols - range: VerificationMethod - comment: Indicates that a proof is used for for key agreement protocols, such as Elliptic Curve Diffie Hellman key agreement used by popular encryption libraries. + range: sec:VerificationMethod + defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-keyagreement - id: cryptosuite label: Cryptographic suite domain: sec:DataIntegrityProof range: xsd:string - comment: A text-based identifier for a specific cryptographic suite. - see_also: - - label: vc-data-integrity - url: https://www.w3.org/TR/vc-data-integrity/#dataintegrityproof + defined_by: https://www.w3.org/TR/vc-data-integrity/#dfn-cryptosuite - id: publicKeyMultibase label: Public key multibase domain: sec:VerificationMethod range: xsd:string - comment: | -The public key multibase property is used to specify the multibase-encoded version of a public key. The contents of the property are defined by specifications such as ED25519-2020 and listed in the Linked Data Cryptosuite Registry. Most public key type definitions are expected to:
-
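Review bot: the new `defined_by` for `EcdsaSecp256k1VerificationKey2019` points at `#ecdsasecp256k1recoverysignature2020`, which is the recovery-signature entry; the `see_also` it replaces pointed at `#ecdsa-secp256k1`, and `EcdsaSecp256k1RecoverySignature2020` already carries the recovery anchor, so this reads as a copy-paste slip that sends implementers to the wrong verification-method definition. Suggest `defined_by: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ecdsa-secp256k1`. Smaller points in the same hunk: the vc-data-integrity fragment identifiers are inconsistent (`#defn-controller`, `#defn-domain`, `#defn-challenge` beside `#dfn-verificationmethod`, `#dfn-previousproof`, `#dfn-proofpurpose`), and a wrong fragment degrades silently to the top of the spec rather than failing, so each one is worth checking against the published document. The new labels repeat typos already present in the file (`ecdsa-sep256k1` for secp256k1, `ED2559` for Ed25519). `#upper_value: sec:Key` is commented out on X25519KeyAgreementKey2019, Ed25519VerificationKey2018, JsonWebKey2020, Bls12381G1Key2020, Bls12381G2Key2020 and EcdsaSecp256k1RecoveryMethod2020, while the new `Key` comment states that the class "serves as a supertype for specific key types"; either restore the subclass axiom or drop that sentence so the RDFS output does not contradict its own documentation. The relocated `proof` comment lost the backticks and the normative `MUST` of the version it replaces ("The value of property must identify ProofGraph instances") and now ends with a working note ("There is no URL yet in a VCWG document to define this term") that would be published verbatim in the vocabulary, as would the trailing "..." comment above the deprecated class block.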