Address the alg language per the comment here #37

Closed
OR13 opened this issue Nov 2, 2022 · 7 comments

Comments

@OR13
Contributor

OR13 commented Nov 2, 2022

We may need to beef up the language about inclusion of alg as a required header parameter, but we could do that in a separate PR.

#11 (review)

@Sakurann
Contributor

+1

> If only the proof property is needed for the chosen signature method (that is, if there is no choice of algorithm within that method), the alg header MUST be set to none.

I think alg = none should not be allowed. What is the point of using verifiable credentials if there is no integrity protection?

@OR13
Contributor Author

OR13 commented Jan 16, 2023

> I think alg = none should not be allowed. what is the point of using verifiable credentials if there is no integrity protection...

I agree with you, but the VCWG decided to define VPs exactly this way.

If this document forbids alg: none in a VC-JWT, there are use cases that data integrity can handle that jwt cannot.

I think it's probably worth accepting the deviation there and explicitly forbid alg: none in the header of either a VC or a VP.

@Sakurann
Contributor

What are those use cases? (Or where can I read up on them?)

alg=none in VP-JWT does not make sense to me. What kind of information in a presentation is useful without a cryptographic holder binding that VP-JWT gives? Just send VC-JWT instead of an unsigned VP-JWT, no?

alg=none in VC-JWT also does not make much sense, but I am more willing to accept there might be issuers who want to reuse the syntax of VC-data-model (but then why not sign...)

@OR13
Contributor Author

OR13 commented Jan 17, 2023

> alg=none in VP-JWT does not make sense to me.

https://www.w3.org/TR/vc-data-model/#presentations-0

^ basically how does vc-jwt support this use case... it's OK if it doesn't... but better to be explicit about this.

> alg=none in VC-JWT also does not make much sense

Agreed, also, it's probably illegal... depending on your definition of "external proof".

https://www.w3.org/TR/vc-data-model/#proofs-signatures

@OR13
Contributor Author

OR13 commented Jun 30, 2023

@Sakurann recent PRs elaborated on this in great detail, based on conformance to the normative requirements of the core data model... please review.

cc @mprorock @selfissued

Due to the core data model stating proof is optional, I will object to creating an incompatibility in functionality.

But I am happy to discuss in depth.

@OR13
Contributor Author

OR13 commented Jun 30, 2023

I'm marking pending close, on the off chance folks doing the review feel the current text is sufficient.

@OR13
Contributor Author

OR13 commented Jul 19, 2023

Marked pending close over 1 week ago, closing.

@OR13 OR13 closed this as completed Jul 19, 2023
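
The two positions in this thread (forbid `alg: none` outright, or permit an unsecured VC/VP because proof is optional in the core data model) can both be expressed as a verifier-side header policy. The following is an added example, not code from this issue or from the specification; `check_header`, `make_token`, `HeaderRejected`, the `allow_unsecured` switch and the `ALLOWED_ALGS` values are assumptions made for illustration.

```python
import base64
import json

# Assumption for this sketch: the verifier's own signature allow-list.
ALLOWED_ALGS = frozenset({"ES256", "EdDSA"})


class HeaderRejected(ValueError):
    """Raised when the protected header fails the verifier's policy."""


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_header(compact_jwt: str, allow_unsecured: bool = False) -> str:
    """Apply header policy only; signature verification is a separate step."""
    parts = compact_jwt.split(".")
    if len(parts) != 3:
        raise HeaderRejected("expected three dot-separated segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise HeaderRejected("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise HeaderRejected("header is not a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str):
        raise HeaderRejected("alg header parameter is required")
    if alg == "none":
        if not allow_unsecured:
            raise HeaderRejected("alg=none carries no integrity protection")
        if parts[2] != "":
            raise HeaderRejected("unsecured JWT must have an empty signature")
        return "unsecured"
    # Exact-match allow-list: case variants such as "None" are rejected here.
    if alg not in ALLOWED_ALGS:
        raise HeaderRejected(f"alg {alg!r} is not on the allow-list")
    if parts[2] == "":
        raise HeaderRejected("signed JWT is missing its signature")
    return "secured"


def make_token(header: dict, payload: dict, signature: str = "") -> str:
    """Build a constructed sample token; the signature is a placeholder."""
    segs = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode() for p in (header, payload)]
    return ".".join(segs + [signature])
```

A caller that accepts the `"unsecured"` result should treat the content as unauthenticated data and never feed it into the same trust decisions as a verified credential.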