Signed Data (JSON-LD vs JWTs or Something Else)

From IIW

Day/Session: Wednesday 1K

Convener: Pelle Braendgaard

Notes-taker(s): Pelle Braendgaard


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


There are pros and cons to json-ld-signatures vs JWTs. Although this was a general conversation, it was viewed in the context of W3C Verifiable Credentials.


JSON-LD 

Pros:

- Semantics

- Graph

- Human Readable

Cons:

- Difficult to ensure integrity/canonicalization of the graph for signing purposes

- Canonicalization requirement

- Difficult to understand what is signed

- Cognitive overload when understanding data

- Lack of diversity in tooling

- You have to really know what you are doing to verify a signed JSON-LD document

Asks of JSON-LD community to make it useful for Verifiable Credentials:

- Better Tooling (automatically resolve DIDs and verify signatures)

- Better documentation for specific use cases

- Middleware for various server implementations to automatically verify signatures etc. of JSON-LD requests

- Remove embedded schema


JWTs

Pros:

- You always know what is signed (easy to verify)

- No canonicalization needed

- Good tooling

Cons:

- Key definition/lookup part is not very well defined

- No built-in semantics/schemas

- Not Human Readable

Asks of JWT community:

- Libraries should support DID resolution (e.g. implementation: https://github.com/uport-project/did-jwt)

- Help work on defining Verifiable Credentials using JWT
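
Added example (not from the session notes or from any project named in them): a Python sketch of the "Canonicalization requirement" con listed for JSON-LD and the "No canonicalization needed" pro listed for JWTs. A JWS-style signature covers the exact transmitted text, while a signature embedded in the document must be recomputed from parsed data. Assumptions: HS256 with a constructed shared secret keeps it standard-library only, and sorted-key JSON stands in for the RDF graph canonicalization that JSON-LD signatures use.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-secret"  # constructed; real credentials use asymmetric keys

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

# JWT/JWS style: the signature covers the exact base64url text that is transmitted.
def jws_sign(payload: bytes) -> str:
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{b64u(payload)}"
    return f"{signing_input}.{b64u(mac(signing_input.encode()))}"

def jws_verify(token: str) -> dict:
    header, payload, sig = token.split(".")
    if json.loads(b64u_dec(header)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(mac(f"{header}.{payload}".encode()), b64u_dec(sig)):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(payload))

# Embedded-proof style: the signature lives inside the document, so the verifier
# must rebuild the signed bytes from parsed data.
def canonical(body: dict) -> bytes:
    # Stand-in only: sorted keys, no whitespace. JSON-LD signatures canonicalize
    # the RDF graph instead, which is considerably more involved.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def signed_bytes(doc: dict, canon: bool) -> bytes:
    body = {k: v for k, v in doc.items() if k != "proof"}
    return canonical(body) if canon else json.dumps(body).encode()

def embedded_sign(doc: dict, canon: bool) -> dict:
    return {**doc, "proof": b64u(mac(signed_bytes(doc, canon)))}

def embedded_verify(doc: dict, canon: bool) -> bool:
    return hmac.compare_digest(mac(signed_bytes(doc, canon)), b64u_dec(doc["proof"]))

if __name__ == "__main__":
    claims = {"sub": "did:example:alice", "name": "Alice"}  # constructed sample
    print(jws_verify(jws_sign(json.dumps(claims).encode())))
    for canon in (False, True):
        moved = dict(reversed(list(embedded_sign(claims, canon).items())))  # reordered in transit
        print("canonicalized" if canon else "raw", embedded_verify(moved, canon))
```

Without the canonicalization step, the reordered document fails verification although no value in it changed; the JWS token is unaffected because its payload travels as opaque base64url text.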