Signed Data (JSON – LD vs JWTS or something else)
Day/Session: Wednesday 1K
Convener: Pelle Braendgaard
Notes-taker(s): Pelle Braendgaard
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
There are pros and cons of json-ld-signatures vs JWTs. While this was a general conversation, it was viewed in the context of W3C Verifiable Credentials.
JSON-LD
Pros:
- Semantics
- Graph
- Human Readable
Cons:
- Difficult to ensure integrity/canonicalization of the graph for signing purposes
- Canonicalization requirement
- Difficult to understand what is signed
- Cognitive overload when understanding data
- Lack of diversity in tooling
- You have to really know what you are doing to verify a signed JSON-LD document
Asks of JSON-LD community to make it useful for Verifiable Credentials:
- Better Tooling (automatically resolve DIDs and verify signatures)
- Better documentation for specific use cases
- Middleware for various server implementations to automatically verify signatures, etc., of JSON-LD requests
- Remove embedded schema
JWTs
Pros:
- You always know what is signed (easy to verify)
- No canonicalization needed
- Good tooling
Cons:
- Key definition/lookup part is not very well defined
- No built in semantics/schemas
- Not Human Readable
Asks of JWT community:
- Libraries should support DID resolution (e.g. implementation: https://github.com/uport-project/did-jwt)
- Help work on defining Verifiable Credentials using JWT
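
The "canonicalization requirement" listed against JSON-LD and the "you always know what is signed" point listed for JWTs can be seen side by side in the sketch below, which is an added example and not code from the session or from did-jwt. Assumptions: a sorted-key serializer stands in for real JSON-LD graph canonicalization, HMAC-SHA256 (HS256) with a constructed key stands in for the asymmetric signatures a credential would use, and all function names and sample data are hypothetical.

```javascript
// Added example: key and documents are constructed for illustration.
const crypto = require('crypto');
const KEY = Buffer.from('constructed-demo-key');
const b64u = (s) => Buffer.from(s).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const mac = (data) => b64u(crypto.createHmac('sha256', KEY).update(data).digest());
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Simplified stand-in for canonicalization: serialize with sorted keys.
// JSON-LD signatures canonicalize the RDF graph, which is more involved.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Embedded-proof style: the signature covers canon(document), not the wire bytes.
const signEmbedded = (doc, canon = canonicalize) => ({ ...doc, proof: mac(canon(doc)) });
function verifyEmbedded(signed, canon = canonicalize) {
  const { proof, ...doc } = signed;
  return safeEqual(mac(canon(doc)), proof);
}

// JWT style: the signature covers the exact base64url text that is transmitted.
function signJwt(claims) {
  const input = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) +
    '.' + b64u(JSON.stringify(claims));
  return input + '.' + mac(input);
}
function verifyJwt(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
    if (header.alg !== 'HS256') return null; // pin the expected algorithm
    if (!safeEqual(mac(parts[0] + '.' + parts[1]), parts[2])) return null;
    return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}
// The same document after an intermediary re-serialized it with another key order.
const reorder = ({ id, claim, proof }) => ({ proof, claim: { age: claim.age, name: claim.name }, id });
```

With `JSON.stringify` passed as `canon` on both sides, `verifyEmbedded(reorder(signEmbedded(doc, JSON.stringify)), JSON.stringify)` fails even though nothing was altered; with the default `canonicalize` it succeeds. `verifyJwt` needs no such step because it checks the received header and payload text as-is.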