The information contained in this page will be applicable to future versions. Currently, the credential securing mechanisms are defined by the specifications of VCDM 1.1 given by W3C and can be found here.
JAdES Signature Profile using DIDs and VCs
Introduction
In this document we define JAdES profiles that encompass various signature profiles to attain different levels of assurance. The profiles inherit numerous features from JAdES while adapting X.509 concepts to Decentralised Identifiers (DIDs) and Verifiable Credentials (VCs), preserving conformance with JAdES.
Generic format
The profile will incorporate JWS Serialisation and the header parameters typ, alg, cty, kid, crit and b64 defined in IETF RFC 7515 and IETF RFC 7797. The crit and typ header parameters delineate the signature profile: crit indicates the utilised extensions and typ defines the requirements.
JWS protected header parameters will encompass information pertinent to the signature and the signer, whilst the payload is any JSON object. The signed header parameters must be located in the JWS protected header section.
Media Types
The profile is compatible with all JWS serialisation formats, though Compact serialisation is suggested for Zero. The JWS Payload should exclusively contain the original payload, with the JWS Payload media type determined by the cty header parameter. For example, if a VCDM2.0 data model is incorporated into the JWS Payload, the cty property should be vc+ld+json.
The serialised output will be identified with a media type, contingent on the utilised serialisation. JWS Compact serialisation will have a media type of application/jose, while Flattened and General JWS JSON serialisation will have a media type of application/jose+json.
typ is defined as jades-d-{profile name}. jades denotes that the profile is based on JAdES, d that it supports DIDs, and {profile name} denotes a profile that further defines rules and policies. This document defines the profile zero.
Generic Signed Header Parameters
This outline provides a breakdown of the Generic Signed Header Parameters:
alg: Shall be a signed header parameter that qualifies the signature, with syntax and semantics defined in IETF RFC 7515.
cty: Shall be a signed header parameter that qualifies the JWS Payload, with syntax and semantics defined in IETF RFC 7515.
kid: Shall be a signed header parameter that qualifies the signature, with syntax and semantics defined in IETF RFC 7515. The content of the parameter shall be a DID URI identifying a public key.
crit: Shall be a signed header parameter that qualifies the signature, with syntax and semantics defined in IETF RFC 7515. The parameter must contain all JAdES D defined signed header parameters and optionally b64, whilst excluding alg, cty, kid, and crit.
b64: Shall be a signed header parameter, with syntax and semantics defined in IETF RFC 7515. The parameter is optional.
JAdES D-Zero Signed Header Parameters
JAdES D-Zero defines a minimalistic signature profile that carries no extra proofs beyond the claimed signing time.
The following Signed Header Parameters are added on top of the Generic Signed Header Parameters:
typ: Shall be jades-d-z.
sigT: Shall be a signed header parameter that qualifies the signature, where the value shall specify the time at which the signer claims to have performed the signing process. The value shall be formatted as IETF RFC 3339, contain UTC time for date and time, and shall not contain a fraction of seconds. An example is 2023-11-04T10:16:12Z.
sigPl: Shall be a signed header parameter that qualifies the signer, where the value shall specify an address associated with the signer at a particular geographical location. The value shall be a JSON Object with syntax and semantics from the schema.org definition of the PostalAddress type, where at least one property must be defined.
"sigPl": {
  "type": "object",
  "properties": {
    "addressCountry": {"type": "string"},
    "addressLocality": {"type": "string"},
    "addressRegion": {"type": "string"},
    "postOfficeBoxNumber": {"type": "string"},
    "postalCode": {"type": "string"},
    "streetAddress": {"type": "string"}
  },
  "minProperties": 1,
  "additionalProperties": false
}
JAdES D-Zero example
eyJhbGciOiJFUzI1NiIsInR5cCI6ImphZGVzLWQteiIsImtpZCI6ImRpZDplYnNpOnp2SFdYMzU5QTNDdmZKbkNZYUFpQWRlI0YwcjVPeXRfbGFodnZ6Nk1XbFlzM21jWU5LWmlpUWRVZnF2OHRzaEhOOXciLCJjcml0IjpbInNpZ1QiLCJzaWdQbCJdLCJzaWdUIjoiMjAyMy0xMS0wNFQxMDoxNjoxMloiLCJzaWdQbCI6eyJhZGRyZXNzQ291bnRyeSI6IkZJIn0sImN0eSI6InZjK2xkK2pzb24ifQ.….EOH0Y0GQFk_PvMZWumOFMFcOSNxTHFlCU1_u0CQHJaPNrcfxhLT7OSqrfFYtgZxRWzpO6PMRRpiYZMqszV0hXg
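As an added example (not code from the page or from any project), the Python checker below decodes the protected header of the compact JWS above and checks it against the D-Zero rules stated in this document: typ, the crit contents, the RFC 3339 UTC form of sigT and the PostalAddress shape of sigPl. It does not verify the signature, which requires resolving the kid DID to its public key first; the requirement that kid carry a fragment naming the key is an assumption, as is the rejection of typ inside crit.

```python
import base64
import json
import re
from datetime import datetime

D_ZERO_PARAMS = {"sigT", "sigPl"}                      # signed parameters D-Zero adds
CRIT_FORBIDDEN = {"alg", "cty", "kid", "crit", "typ"}  # RFC 7515 names: never in crit
SIGPL_KEYS = {"addressCountry", "addressLocality", "addressRegion",
              "postOfficeBoxNumber", "postalCode", "streetAddress"}
SIGT_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")  # UTC, no fraction of seconds

# Constructed copies of the page's D-Zero example: its base64url protected header and the decoded form.
EXAMPLE_HEADER_B64 = "eyJhbGciOiJFUzI1NiIsInR5cCI6ImphZGVzLWQteiIsImtpZCI6ImRpZDplYnNpOnp2SFdYMzU5QTNDdmZKbkNZYUFpQWRlI0YwcjVPeXRfbGFodnZ6Nk1XbFlzM21jWU5LWmlpUWRVZnF2OHRzaEhOOXciLCJjcml0IjpbInNpZ1QiLCJzaWdQbCJdLCJzaWdUIjoiMjAyMy0xMS0wNFQxMDoxNjoxMloiLCJzaWdQbCI6eyJhZGRyZXNzQ291bnRyeSI6IkZJIn0sImN0eSI6InZjK2xkK2pzb24ifQ"
EXAMPLE_HEADER = {
    "alg": "ES256", "typ": "jades-d-z", "cty": "vc+ld+json",
    "kid": "did:ebsi:zvHWX359A3CvfJnCYaAiAde#F0r5Oyt_lahvvz6MWlYs3mcYNKZiiQdUfqv8tshHN9w",
    "crit": ["sigT", "sigPl"], "sigT": "2023-11-04T10:16:12Z",
    "sigPl": {"addressCountry": "FI"},
}

def decode_protected_header(compact_jws: str) -> dict:
    """Parse the JWS Protected Header (first segment) of a compact JWS; no signature check."""
    seg = compact_jws.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_d_zero_header(hdr: dict) -> list:
    """Return the profile violations; an empty list means the header conforms to JAdES D-Zero."""
    errs = [f"missing {n}" for n in ("alg", "cty", "kid", "typ", "crit", "sigT", "sigPl") if n not in hdr]
    if hdr.get("typ") != "jades-d-z":
        errs.append("typ must be jades-d-z")
    kid = hdr.get("kid", "")
    if not (isinstance(kid, str) and kid.startswith("did:") and "#" in kid):
        errs.append("kid must be a DID URL with a key fragment")  # fragment rule is an assumption
    cs = set(hdr["crit"]) if isinstance(hdr.get("crit"), list) else set()
    if cs & CRIT_FORBIDDEN:
        errs.append("crit must not list " + ", ".join(sorted(cs & CRIT_FORBIDDEN)))
    elif not (D_ZERO_PARAMS <= cs <= D_ZERO_PARAMS | {"b64"}):
        errs.append("crit must list sigT and sigPl, optionally b64, and nothing else")
    sigt = str(hdr.get("sigT", ""))
    try:  # regex enforces the exact shape, strptime rejects impossible dates such as month 13
        ok = SIGT_RE.match(sigt) and datetime.strptime(sigt, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        ok = False
    if not ok:
        errs.append("sigT must be an RFC 3339 UTC date-time without fractional seconds")
    pl = hdr.get("sigPl")
    if not (isinstance(pl, dict) and pl and set(pl) <= SIGPL_KEYS
            and all(isinstance(v, str) for v in pl.values())):
        errs.append("sigPl must be a PostalAddress with at least one known string property")
    return errs
```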