index.html

<!DOCTYPE html>
<html>
  <head>
    <title>Verifiable Credentials Implementation Guidelines 1.0</title>
    <meta http-equiv='Content-Type' content='text/html;charset=utf-8'/>
    <!--
      === NOTA BENE ===
      For the three scripts below, if your spec resides on dev.w3 you can check them
      out in the same tree and use relative links so that they'll work offline,
     -->
    <script src='https://www.w3.org/Tools/respec/respec-w3c-common' class='remove'></script>
    <script src="./common.js" class="remove"></script>
    <script type="text/javascript" class="remove">
      var respecConfig = {
        // specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
        specStatus: "ED",

        // the specification's short name, as in http://www.w3.org/TR/short-name/
        shortName: "vc-imp-guide",

        // subtitle for the spec
        subtitle: "Implementation guidance for Verifiable Credentials",

        // if you wish the publication date to be other than today, set this
        // publishDate:  "2019-09-24",

        // if there is a previously published draft, uncomment this and set its YYYY-MM-DD date
        // and its maturity status
        // previousPublishDate:  "1977-03-15",
        // previousMaturity:  "WD",

        // extend the bibliography entries
        localBiblio: vcwg.localBiblio,
        doJsonLd: true,

        github: "https://github.com/w3c/vc-imp-guide",
        includePermalinks: false,

        // if there a publicly available Editor's Draft, this is the link
        edDraftURI: "https://w3c.github.io/vc-imp-guide/",

        // if this is a LCWD, uncomment and set the end of its review period
        // lcEnd: "2009-08-05",

        // editors, add as many as you like
        // only "name" is required
        editors:  [{ name: "Andrei Sambra", url: "https://deiu.me/"}],

        // authors, add as many as you like.
        // This is optional, uncomment if you have authors as well as editors.
        // only "name" is required. Same format as editors.
        authors: [
        {
          name: "David Chadwick", url: "https://www.linkedin.com/in/david-chadwick-36816395/",
          company: "University of Kent", companyURL: "https://www.kent.ac.uk/"
        },
        {
          name: "Dave Longley", url: "https://github.com/dlongley",
          company: "Digital Bazaar", companyURL: "https://digitalbazaar.com/"
        },
        {
          name: "Manu Sporny", url: "http://manu.sporny.org/",
          company: "Digital Bazaar", companyURL: "https://digitalbazaar.com/"
        },
        {
          name: "Oliver Terbu", url: "mailto:oliver.terbu@consensys.net",
          company: "Consensys", companyURL: "https://consensys.net/"
        },
        {
          name: "Dmitri Zagidulin", url: "mailto:dzagidulin@gmail.com",
          company: "Digital Bazaar", companyURL: "https://digitalbazaar.com"
        },
        {
          name: "Brent Zundel", url: "https://www.linkedin.com/in/bzundel/",
          company: "Evernym", companyURL: "https://evernym.com/"
        }
        ],

        // name of the WG
        wg:           "Verifiable Claims Working Group",

        // URI of the public WG page
        wgURI:        "https://www.w3.org/2017/vc/",

        // name (with the @w3c.org) of the public mailing to which comments are due
        wgPublicList: "public-vc-comments",

        // URI of the patent status for this WG, for Rec-track documents
        // !!!! IMPORTANT !!!!
        // This is important for Rec-track documents, do not copy a patent URI from a random
        // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
        // Team Contact.
        wgPatentURI:  "https://www.w3.org/2004/01/pp-impl/98922/status",
        maxTocLevel: 4,
        inlineCSS: true
      };
    </script>
    <style>
pre .highlight {
  font-weight: bold;
  color: green;
}
pre .subject {
  font-weight: bold;
  color: RoyalBlue;
}
pre .property {
  font-weight: bold;
  color: DarkGoldenrod;
}
pre .comment {
  font-weight: bold;
  color: SteelBlue;
  -webkit-user-select: none;
  -moz-user-select: none;
  -ms-user-select: none;
  user-select: none;
}
.supported {
  background-color: #93c47d;
}
.missing {
  background-color: #e06666;
}
</style>
  </head>
  <body>
    <section id='abstract'>
      <p>
This document provides implementation guidance for Verifiable Credentials.
      </p>
    </section>

    <section id='sotd'>
      <p>
Future versions of this document will be updated and maintained by the
<a href="https://www.w3.org/community/credentials/">
Credentials Community Group</a>. Please consult that group for the most
up to date version of this document.
      </p>
      <p>
The work on this document was carried out under tight time constraints due to
limitations of the W3C process and publishing deadlines. Under such conditions,
errors are unavoidable and some of the ideas presented here are incomplete.
The Working Group hopes that in the future, W3C process can be revised to better
support the dynamic nature of standards work in a more consistent way across
different groups.
      </p>
      <p>
Comments regarding this document are welcome. Please file issues
directly on <a href="https://github.com/w3c/vc-data-model/issues/">GitHub</a>,
or send them to
<a href="mailto:public-vc-comments@w3.org">public-vc-comments@w3.org</a>
(<a href="mailto:public-vc-comments-request@w3.org?subject=subscribe">subscribe</a>,
<a href="https://lists.w3.org/Archives/Public/public-vc-comments/">archives</a>).
      </p>
    </section>

    <section>
      <h2>Introduction</h2>
      <em>This section is non-normative.</em>

      <p>
This guide provides some examples and resources for implementing
protocols which make use of <a>verifiable credentials</a>, beyond those available in the core specification.
      </p>
      <p>
It may be useful to first familiarize yourself with the official
<a href="https://www.w3.org/TR/verifiable-claims-use-cases/">Use Cases document</a>,
which offers a concise collection of examples of <a>Verifiable Credentials</a>
as they may appear in everyday life, and how they may be used.
      </p>
      <p>
The <a href="https://www.w3.org/TR/vc-data-model/">data model specification</a>
contains the technical details about <a>verifiable credentials</a>. However, the
data model specification does not specify any <em>protocols</em> for using
<a>verifiable credentials</a>, nor any <em>proof formats</em> or additional
<em>identifiers</em> upon which such protocols may depend.
      </p>
    </section>

    <section>
      <h2>Identifiers</h2>
      <em>This section is non-normative.</em>
      <p>
When expressing statements about a specific entity, such as a person, product,
or organization, it is often useful to have an identifier for it so that others
can express statements about the same thing. The <a>verifiable credentials</a>
<a href="https://www.w3.org/TR/vc-data-model//">data model specification</a>
contains numerous examples where the identifier is a
<a href="https://w3c-ccg.github.io/did-primer/">decentralized identifier</a>,
also known as a DID. An example of a DID is <code>did:example:123456abcdef</code>.
      </p>
      <p>
There is currently a proposed charter for a W3C <a href="https://w3c-ccg.github.io/did-wg-charter/">
Decentralized Identifier Working Group</a>, which will put DIDs on track to
become a W3C standard.
      </p>
      <p class="note">
As of the publication of the <a>verifiable credentials</a>
<a href="https://www.w3.org/TR/vc-data-model/">data model specification</a>,
DIDs are not necessary for <a>verifiable credentials</a> to be useful.
Specifically, <a>verifiable credentials</a> do not depend on <a>DIDs</a> and
<a>DIDs</a> do not depend on <a>verifiable credentials</a>. However, it is
expected that many <a>verifiable credentials</a> will use <a>DIDs</a> and that
software libraries implementing the
<a href="https://www.w3.org/TR/vc-data-model/">data model specification</a>
will benefit from knowing how to resolve <a>DIDs</a>. <a>DID</a>-based URLs may
be used to express identifiers associated with <a>subjects</a>, <a>issuers</a>,
<a>holders</a>, credential status lists, cryptographic keys, and other
machine-readable information associated with a <a>verifiable credential</a>.
      </p>

    </section>

    <section class="informative">
      <h2>Terminology</h2>

      <div data-include="./terms.html"
        data-oninclude="restrictReferences">
      </div>
    </section>

    <section>
      <h2>Verification</h2>

      <em>This section is non-normative.</em>

      <p>
<a>Verification</a> is the process a <a>verifier</a> or <a>holder</a> performs
when presented with a <a>verifiable presentation</a> or
<a>verifiable credential</a>. <a>Verification</a> includes checking the
presented item against the <a href="https://www.w3.org/TR/vc-data-model/">core
data model</a>, and may also include validating the provided proof section and
checking the item's status.
      </p>

      <section>
        <h3>Core Data Model</h3>

        <p>
Conformant tooling that processes Verifiable Credentials will ensure that
the core data model is verified when processing credentials.
        </p>
      </section>

      <section>
        <h3>Specific Verifiable Credentials</h3>

        <p>
There are many data verification languages, the following approach is one
that should work for most use cases.
        </p>
      </section>
      <section>
        <h3>Content Integrity</h3>
        <p>
Protecting the integrity of content is an important component of verification.
<a>Verifiers</a> need to have confidence that the content they rely on to
verify <a>credentials</a> doesn't change without their knowledge. This content
may include data schemas, identifiers, public keys, etc.
        </p>
        <p>
There are a number of ways to provide content integrity protection. A few of
these are described in greater detail below.
        </p>

        <section>
          <h4>Hashlinks</h4>

          <p>
<a href="https://tools.ietf.org/html/draft-sporny-hashlink">Hashlink URLs</a>
can be used to provide content integrity for links to external resources.
          </p>
        </section>

        <section>
          <h4>Verifiable Data Registries</h4>
          <p>
A <a>verifiable data registry</a> can also provide content integrity protection.
One example of a <a>verifiable data registry</a> which provides content
integrity protection is a distributed ledger. This is a shared transaction
record which provides mechanisms for verifying the content it stores. These
mechanisms include consensus protocols, digital signatures, and verifiable data
structures such as Merkle trees. These mechanisms provide cryptographic
assurances that the content retrieved from the ledger has not been altered, and
is complete.
          </p>
        </section>
      </section>
    </section>

    <section>
      <h3>Referencing Other Credentials</h3>
      <p>
Usage of <a>verifiable credentials</a> will often require referencing other
credentials, embedding or attaching multiple credentials, or otherwise binding
them together.
      </p>

      <section>
        <h4>Referencing Credentials Without Integrity Protection</h4>
        <p>
The simplest way for a <a>credential</a> to reference another external
credential is to link to it, either directly by using its URI, or indirectly by
providing a well-known ID (for example, a credential modeling an internal
company Invoice may refer to its parent Purchase Order credential simply by the
PO Number, relevant only within the context of this specific enterprise).
        </p>

        <p>
This method of linking to an external credential without using an integrity
protection mechanism may be acceptable in some use cases, such as when both
credentials are issued by the same entity, the verifier has a high level of
trust and confidence in the issuer's security and auditing mechanisms, and the
risk to the verifier is sufficiently low. However, implementers should keep
in mind that although the credential that contains the reference may be
integrity protected itself (by a cryptographic signature or a similar proof
mechanism), the verifier has no way of knowing that the external credential
being linked to has not been tampered with, unless the link itself has a content
integrity protection mechanism built into it.
        </p>
      </section>

      <section>
        <h4>Referencing Credentials With Integrity Protection</h4>
        <p>
The recommended way of referencing an external credential from within a
<a>verifiable credential</a> is to use a linking mechanism that
cryptographically binds the contents of the target document to the URI itself.
One way to accomplish this would be to use <a>hashlinks</a> or an equivalent
URI scheme. Another mechanism would be to encode the full contents of the
target credential in the URI itself, although this is much less commonly used,
and the discussion of the practical limits of URI length are outside the scope
of this document.
        </p>
      </section>

      <section>
        <h4>Attaching Evidence</h4>
        <p>
<a>Issuers</a> wishing to attach additional supporting information to a
<a>verifiable credential</a> are encouraged to use the
<a href="https://www.w3.org/TR/vc-data-model/#evidence">evidence</a> property.
Note that this can be done either by embedding the relevant evidence information
in the credential itself, or by referencing it (with or without an integrity
protection mechanism, as previously discussed).
        </p>
      </section>
    </section>
  </section>

  <section class="informative">
    <h2>Subject-Holder Relationships</h2>

    <p>
This section describes possible relationships between a <a>subject</a> and a
<a>holder</a> and how the Verifiable Credentials Data Model expresses these
relationships. The following diagram illustrates these relationships, with the
subsequent sections describing how each of these relationships are handled in
the data model.
    </p>

    <figure>
      <img style="margin: auto; display: block; width: 75%;"
        src="diagrams/subject-ne-holder.svg" alt="Long decision tree
        from top to bottom.  For the first question, 'Subject
        Present?', No means Bearer Credential and Yes points to the
        rest of the tree.  From this point on until the very end,
        each Yes points to an answer and each No points to another
        question.  The first question here is 'Subject = Holder?',
        with Yes meaning Most Common Use Case.  If No, 'Credential
        Uniquely Identifies Subject?' with Yes meaning Irrelevant who
        Holder is.  If No, 'Subject Passes VC to Holder?' with Yes
        meaning, e.g., Power of Attorney, Employee.  If No, 'Issuer
        Independently Authorizes Holder?' with Yes meaning, e.g., Law
        Enforcement.  If No, 'Holder Acts for Subject?' with Yes
        meaning, e.g., Parent, Pet Owner, Travel Agent.  If No,
        'Holder Acts for Verifier?' with Yes meaning, e.g., Recruiter
        passing on VC of job applicant to employer and No meaning
        'Random Holder with no relationship to Subject, Issuer or Verifier">
      <figcaption style="text-align: center;">
Subject-Holder Relationships in Verifiable Credentials.
      </figcaption>
    </figure>

    <section class="informative">
      <h3>Subject is the Holder</h3>

      <p>
The most common relationship is when a <a>subject</a> is the <a>holder</a>. In
this case, a <a>verifier</a> can easily deduce that a <a>subject</a> is the
<a>holder</a> if the <a>verifiable presentation</a> is digitally signed by the
<a>holder</a> and all contained <a>verifiable credentials</a> are about a
<a>subject</a> that can be identified to be the same as the <a>holder</a>.
      </p>

      <p>
If only the <code>credentialSubject</code> is allowed to insert a
<a>verifiable credential</a> into a <a>verifiable presentation</a>, the
<a>issuer</a> can insert the <code>nonTransferable</code> <a>property</a> into
the <a>verifiable credential</a>, as described below.
      </p>

      <section class="informative">
        <h4>nonTransferable Property</h4>

        <p>
The <code>nonTransferable</code> <a>property</a> indicates that a
<a>verifiable credential</a> must only be encapsulated into a
<a>verifiable presentation</a> whose proof was issued by the
<code>credentialSubject</code>. A <a>verifiable presentation</a> that contains
a <a>verifiable credential</a> containing the <code>nonTransferable</code>
<a>property</a>, whose proof creator is not the <code>credentialSubject</code>,
is invalid.
        </p>

        <pre class="example nohighlight" title="Usage of the nonTransferable property">
{
"@context": [
  "https://www.w3.org/2018/credentials/v1",
  "https://www.w3.org/2018/credentials/examples/v1"
],
"id": "http://example.edu/credentials/3732",
"type": ["VerifiableCredential", "ProofOfAgeCredential"],
"issuer": "https://example.edu/issuers/14",
"issuanceDate": "2010-01-01T19:23:24Z",
"credentialSubject": {
  "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
  "ageOver": 21
  },
"nonTransferable": true,
"proof": { ..
"verificationMethod": "did:example:ebfeb1f712ebc6f1c276e12ec21",
... }
}
        </pre>
      </section>
    </section>

    <section class="informative">
      <h3>Credential Uniquely Identifies a Subject</h3>

      <p>
In this case, the <code>credentialSubject</code> <a>property</a> might contain
multiple <a>properties</a>, each providing an aspect of a description of the
<a>subject</a>, which combine together to unambiguously identify the
<a>subject</a>. Some use cases might not require the <a>holder</a> to be
identified at all, such as checking to see if a doctor (the <a>subject</a>) is
board-certified. Other use cases might require the <a>verifier</a> to use
out-of-band knowledge to determine the relationship between the <a>subject</a>
and the <a>holder</a>.
      </p>

      <pre class="example nohighlight" title="A credential uniquely identifying a subject">
{
"@context": ["https://www.w3.org/2018/credentials/v1", "https://schema.org/"]
"id": "http://example.edu/credentials/332",
"type": ["VerifiableCredential", "IdentityCredential"],
"issuer": "https://example.edu/issuers/4",
"issuanceDate": "2017-02-24T19:73:24Z",
"credentialSubject": {
  "name": "J. Doe",
  "address": {
    "streetAddress": "10 Rue de Chose",
    "postalCode": "98052",
    "addressLocality": "Paris",
    "addressCountry": "FR"
  },
  "birthDate": "1989-03-15"
  ...
},
"proof": { <span class="comment">...</span> }
}
      </pre>

      <p>
The example above uniquely identifies the <a>subject</a> using the name,
address, and birthdate of the individual.
      </p>
    </section>

    <section class="informative">
      <h3>Subject Passes the Verifiable Credential to a Holder</h3>

      <p>
Usually <a>verifiable credentials</a> are presented to <a>verifiers</a> by the
<a>subject</a>. However, in some cases, the <a>subject</a> might need to pass the
whole or part of a <a>verifiable credential</a> to another <a>holder</a>. For
example, if a patient (the <a>subject</a>) is too ill to take a prescription
(the <a>verifiable credential</a>) to the pharmacist (the <a>verifier</a>), a
friend might take the prescription in to pick up the medication.
      </p>

      <p>
The data model allows for this by letting the <a>subject</a> issue a new
<a>verifiable credential</a> and give it to the new <a>holder</a>, who can
then present both <a>verifiable credentials</a> to the <a>verifier</a>.
However, the content of this second <a>verifiable credential</a> is likely to
be application-specific, so this specification cannot standardize the contents
of this second <a>verifiable credential</a>. Nevertheless, a non-normative
example is provided in Appendix
<a href="#subject-passes-a-verifiable-credential-to-someone-else"></a>.
      </p>
    </section>

    <section class="informative">
      <h3>Holder Acts on Behalf of the Subject</h3>

      <p>
The Verifiable Credentials Data Model supports the <a>holder</a> acting on
behalf of the <a>subject</a> in at least the following ways. The:
      </p>

      <ul>
        <li>
<a>Issuer</a> can include the relationship between the <a>holder</a> and
the <a>subject</a> in the <code>credentialSubject</code> <a>property</a>.
        </li>
        <li>
<a>Issuer</a> can express the relationship between the <a>holder</a> and
the <a>subject</a> by issuing a new <a>verifiable credential</a>, which the
<a>holder</a> utilizes.
        </li>
        <li>
<a>Subject</a> can express their relationship with the <a>holder</a> by
issuing a new <a>verifiable credential</a>, which the <a>holder</a> utilizes.
        </li>
      </ul>

      <p>
The mechanisms listed above describe the relationship between the
<a>holder</a> and the <a>subject</a> and helps the <a>verifier</a> decide
whether the relationship is sufficiently expressed for a given use case.
      </p>

      <p class="note">
The additional mechanisms the <a>issuer</a> or the <a>verifier</a> uses to
verify the relationship between the <a>subject</a> and the <a>holder</a> are
outside the scope of this specification.
      </p>

      <pre class="example nohighlight" title="The relationship property in a child's credential">{
"@context": [
  "https://www.w3.org/2018/credentials/v1",
  "https://www.w3.org/2018/credentials/examples/v1"
],
"id": "http://example.edu/credentials/3732",
"type": ["VerifiableCredential", "AgeCredential", "RelationshipCredential"],
"issuer": "https://example.edu/issuers/14",
"issuanceDate": "2010-01-01T19:23:24Z",
"credentialSubject": {
  "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
  "ageUnder": 16,
  "parent": {
    "id": "did:example:ebfeb1c276e12ec211f712ebc6f",
    "type": "Mother"
  }
},
"proof": { <span class="comment">...</span> }  <span class="comment">// the proof is generated by the DMV</span>
}
      </pre>

      <p>
In the example above, the <a>issuer</a> expresses the relationship between the
child and the parent such that a <a>verifier</a> would most likely accept the
<a>credential</a> if it is provided by the child or the parent.
      </p>

      <pre class="example nohighlight" title="A relationship credential issued to a parent">{
"@context": [
  "https://www.w3.org/2018/credentials/v1",
  "https://www.w3.org/2018/credentials/examples/v1"
],
"id": "http://example.edu/credentials/3732",
"type": ["VerifiableCredential", "RelationshipCredential"],
"issuer": "https://example.edu/issuers/14",
"issuanceDate": "2010-01-01T19:23:24Z",
"credentialSubject": {
  "id": "did:example:ebfeb1c276e12ec211f712ebc6f",
  "child": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "type": "Child"
  }
},
"proof": { <span class="comment">...</span> } <span class="comment">// the proof is generated by the DMV</span>
}
      </pre>

      <p>
In the example above, the <a>issuer</a> expresses the relationship between the
child and the parent in a separate <a>credential</a> such that a
<a>verifier</a> would most likely accept any of the child's <a>credentials</a>
if they are provided by the child or if the <a>credential</a> above is
provided with any of the child's <a>credentials</a>.
      </p>

      <pre class="example nohighlight" title="A relationship credential issued by a child">{
"@context": [
  "https://www.w3.org/2018/credentials/v1",
  "https://www.w3.org/2018/credentials/examples/v1"
],
"id": "http://example.org/credentials/23894",
"type": ["VerifiableCredential", "RelationshipCredential"],
"issuer": "http://example.org/credentials/23894",
"issuanceDate": "2010-01-01T19:23:24Z",
"credentialSubject": {
  "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
  "parent": {
    "id": "did:example:ebfeb1c276e12ec211f712ebc6f",
    "type": "Mother"
  }
},
"proof": { <span class="comment">...</span> } <span class="comment">// the proof is generated by the child</span>
}
      </pre>

      <p>
In the example above, the child expresses the relationship between the child and
the parent in a separate <a>credential</a> such that a <a>verifier</a> would
most likely accept any of the child's <a>credentials</a> if the
<a>credential</a> above is provided.
      </p>

      <p>
Similarly, the strategies described in the examples above can be used for many
other types of use cases, including power of attorney, pet ownership, and
patient prescription pickup.
      </p>
    </section>

    <section class="informative">
      <h3>Subject Passes a Verifiable Credential to Someone Else</h3>

      <p>
When a <a>subject</a> passes a <a>verifiable credential</a> to another
<a>holder</a>, the <a>subject</a> might issue a new <a>verifiable credential</a>
to the <a>holder</a> in which the:
      </p>

      <ul>
        <li>
<a>Issuer</a> is the <a>subject</a>.
        </li>
        <li>
<a>Subject</a> is the <a>holder</a> to whom the <a>verifiable credential</a> is
being passed.
        </li>
        <li>
<a>Claim</a> contains the <a>properties</a> being passed on.
        </li>
      </ul>

      <p>
The <a>holder</a> can now create a <a>verifiable presentation</a> containing
these two <a>verifiable credentials</a> so that the <a>verifier</a> can
<a>verify</a> that the <a>subject</a> gave the original
<a>verifiable credential</a> to the <a>holder</a>.
      </p>

      <pre class="example nohighlight" title="A holder presenting a
verifiable credential that was passed to it by the subject">
{
"@context": [
  "https://www.w3.org/2018/credentials/v1",
  "https://www.w3.org/2018/credentials/examples/v1"
],
"id": "https://example.com/VP/0987654321",
"type": ["VerifiablePresentation"],
"verifiableCredential": [
  {
   "@context": [
     "https://www.w3.org/2018/credentials/v1",
     "https://www.w3.org/2018/credentials/examples/v1"
    ],
    "id": "http://pharma.example.com/credentials/3732",
    "type": ["VerifiableCredential", "PrescriptionCredential"],
    "issuer": "https://pharma.example.com/issuer/4",
    "issuanceDate": "2010-01-01T19:23:24Z",
    "credentialSubject": {
      "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
      "prescription": {....}
    },
    "credentialStatus": {
      "id": "https://pharma.example.com/credentials/status/3#94567",
      "type": "RevocationList2020Status",
      "revocationListIndex": "94567",
      "revocationListCredential": "https://pharma.example.com/credentials/status/3"
    },
    "proof": {....}
  },
  {
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://www.w3.org/2018/credentials/examples/v1"
    ],
    "id": "https://example.com/VC/123456789",
    "type": ["VerifiableCredential", "PrescriptionCredential"],
    "issuer": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "issuanceDate": "2010-01-03T19:53:24Z",
    "credentialSubject": {
      "id": "did:example:76e12ec21ebhyu1f712ebc6f1z2",
      "prescription": {....}
    },
    "proof": {
      "type": "RsaSignature2018",
      "created": "2018-06-17T10:03:48Z",
      "proofPurpose": "assertionMethod",
      "jws": "pYw8XNi1..Cky6Ed=",
      "verificationMethod": "did:example:ebfeb1f712ebc6f1c276e12ec21/keys/234"
    }
  }
],
"proof": [{
  "type": "RsaSignature2018",
  "created": "2018-06-18T21:19:10Z",
  "proofPurpose": "authentication",
  "verificationMethod": "did:example:76e12ec21ebhyu1f712ebc6f1z2/keys/2",
  "challenge": "c0ae1c8e-c7e7-469f-b252-86e6a0e7387e",
  "jws": "BavEll0/I1..W3JT24="
}]
}
      </pre>

      <p>
In the above example, a patient (the original <a>subject</a>) passed a
prescription (the original <a>verifiable credential</a>) to a friend, and
issued a new <a>verifiable credential</a> to the friend, in which the friend is
the <a>subject</a>, the <a>subject</a> of the original
<a>verifiable credential</a> is the <a>issuer</a>, and the <a>credential</a> is
a copy of the original prescription.
      </p>
    </section>

    <section class="informative">
      <h3>Issuer Authorizes Holder</h3>

      <p>
When an <a>issuer</a> wants to authorize a <a>holder</a> to possess a
<a>credential</a> that describes a <a>subject</a> who is not the <a>holder</a>,
and the <a>holder</a> has no known relationship with the <a>subject</a>, then
the <a>issuer</a> might insert the relationship of the <a>holder</a> to itself
into the <a>subject's</a> <a>credential</a>.
      </p>

      <p class="note">
Verifiable credentials are not an authorization framework and therefore
delegation is outside the scope of this specification. However, it is understood
that verifiable credentials are likely to be used to build authorization and
delegation systems. The following is one approach that might be appropriate for
some use cases.
      </p>

      <pre class="example nohighlight" title="A credential issued to a
holder who is not the (only) subject of the credential, who has no relationship with
the subject of the credential, but who has a relationship with the issuer">

{
"@context": [
  "https://www.w3.org/2018/credentials/v1",
  "https://www.w3.org/2018/credentials/examples/v1"
],
"id": "http://example.edu/credentials/3732",
"type": ["VerifiableCredential", "NameAndAddress"],
"issuer": "https://example.edu/issuers/14",
"holder": {
  "type": "LawEnforcement",
  "id": "did:example:ebfeb1276e12ec21f712ebc6f1c"
},
"issuanceDate": "2010-01-01T19:23:24Z",
"credentialSubject": {
  "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
  "name": "Mr John Doe",
  "address": "10 Some Street, Anytown, ThisLocal, Country X"
},
"proof": {
  "type": "RsaSignature2018",
  "created": "2018-06-17T10:03:48Z",
  "proofPurpose": "assertionMethod",
  "verificationMethod": "https://example.edu/issuers/14/keys/234",
  "jws": "pY9...Cky6Ed = "
}
}
      </pre>
    </section>

    <section class="informative">
      <h3>Holder Acts on Behalf of the Verifier, or has no Relationship with
the Subject, Issuer, or Verifier</h3>

      <p>
The Verifiable Credentials Data Model currently does not support either of
these scenarios. It is for further study how they might be supported.
      </p>
    </section>

  </section>

    <section>
      <h2>Disputes</h2>

      <p>
There are at least two different cases to consider where an <a>entity</a>
wants to dispute a <a>credential</a> issued by an <a>issuer</a>:
      </p>

      <ul>
        <li>
A <a>subject</a> disputes a claim made by the <a>issuer</a>. For example, the
<code>address</code> property is incorrect or out of date.
        </li>
        <li>
An <a>entity</a> disputes a potentially false claim made by the <a>issuer</a>
about a different <a>subject</a>. For example, an imposter has claimed the
social security number for an <a>entity</a>.
        </li>
      </ul>

      <p>
The mechanism for issuing a <code>DisputeCredential</code> is the same as
for a regular <a>credential</a>, except that the <code>credentialSubject</code>
identifier in the <code>DisputeCredential</code> property is the identifier of
the disputed <a>credential</a>.
      </p>

      <p>
For example, if a <a>credential</a> with an identifier of
<code>https://example.org/credentials/245</code> is disputed, an <a>entity</a>
can issue one of the <a>credentials</a> shown below. In the first example, the
<a>subject</a> might present this to the <a>verifier</a> along with the disputed
<a>credential</a>. In the second example, the <a>entity</a> might publish the
<code>DisputeCredential</code> in a public venue to make it known that the
<a>credential</a> is disputed.
      </p>

      <pre class="example nohighlight" title="A subject disputes a credential">
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "id": "http://example.com/credentials/123",
  "type": ["VerifiableCredential", "DisputeCredential"],
  <span class="highlight">"credentialSubject": {
    "id": "http://example.com/credentials/245",
    "currentStatus": "Disputed",
    "statusReason": {
      "@value": "Address is out of date",
      "@language": "en"
    },
  }</span>,
  "issuer": "https://example.com/people#me",
  "issuanceDate": "2017-12-05T14:27:42Z",
  "proof": { <span class="comment">...</span> }
}
      </pre>

      <pre class="example nohighlight" title="Another entity disputes a credential">
{
  "@context": "https://w3id.org/credentials/v1",
  "id": "http://example.com/credentials/321",
  "type": ["VerifiableCredential", "DisputeCredential"],
  <span class="highlight">"credentialSubject": {
    "id": "http://example.com/credentials/245",
    "currentStatus": "Disputed",
    "statusReason": {
      "@value": "Credential contains disputed statements",
      "@language": "en"
    },
    "disputedClaim": {
      "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
      "address": "Is Wrong"
    }
  }</span>,
  "issuer": "https://example.com/people#me",
  "issuanceDate": "2017-12-05T14:27:42Z",
  "proof": { <span class="comment">...</span> }
}
      </pre>

      <p>
In the above <a>verifiable credential</a>, the <a>issuer</a> is claiming that
the address in the disputed <a>verifiable credential</a> is wrong. For example,
the <a>subject</a> might wrongly be claiming to have the same address as that of
the <a>issuer</a>.
      </p>
      <p class="note">
If a <a>credential</a> does not have an identifier, a content-addressed
identifier can be used to identify the disputed <a>credential</a>. Similarly,
content-addressed identifiers can be used to uniquely identify individual
claims.
      </p>
    </section>

    <section>
      <h3>Presentations</h3>

      <p>
<a>Verifiable credentials</a> may be presented to a <a>verifier</a> by
using a <a>verifiable presentation</a>. A <a>verifiable presentation</a> can
be targeted to a specific <a>verifier</a> by using a Linked Data Proof
that includes a <code>domain</code> and <code>challenge</code>. This also
helps prevent a <a>verifier</a> from reusing a <a>verifiable presentation</a>
as their own.
      </p>
      <p>
The <code>domain</code> value can be any string or URI, and the
<code>challenge</code> should be a randomly generated string.
      </p>
      <p>
The following sample <a>verifiable presentation</a> is for authenticating to
a website, <code>https://example.com</code>.
      </p>

      <pre class="example nohighlight" title="A targeted verifiable presentation">
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1"
  ],
  "type": "VerifiablePresentation,
  "verifiableCredential": { <span class="comment">...</span> },
  "proof": {
    "type": "Ed25519Signature2018",
    "created": "2019-08-13T15:09:00Z",
    <span class="highlight">"challenge": "d1b23d3...3d23d32d2",
    "domain": "https://example.com",</span>
    "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..uyW7Hv
      VOZ8QCpLJ63wHode0OdgWjsHfJ0O8d8Kfs55dMVEg3C1Z0bYUGV49s8IlTbi3eXsNvM63n
      vah79E-lAg",
    "proofPurpose": "authentication"
  }
}
      </pre>

    </section>

    <section>
      <h4>Using the JWT aud claim</h3>

      <p>
The JWT <code>aud</code> <a>claim</a> name refers to (i.e., identifies) the
intended audience of the <a>verifiable presentation</a> (i.e., the <a>verifier(s)</a>).
Consequently this is an alternative to the Linked Data Proof method specified
above. It lets the <a>holder</a> indicate which <a>verifier(s)</a> it allows
to verify the <a>verifiable presentation</a>. Any JWT-compliant <a>verifier</a>
that is not identified in the <code>aud</code> is required to
reject the JWT (see <a href="https://tools.ietf.org/html/rfc7519">RFC 7519</a>).
      </p>
      <p>
<a href="https://tools.ietf.org/html/rfc7519">RFC 7519</a> defines
<code>aud</code> as "an array of case-sensitive strings, each containing a
<code>StringOrURI</code> value". For use in a <a>verifiable presentation</a>,
we strongly suggest that this be restricted to a single URI value, equal to the URI
of the intended verifier.
      </p>
      <p>
The <a href="https://w3c.github.io/vc-data-model/">data model specification</a>
provides no guidance of how to transform this JWT <a>claim</a> into a property
of the <a>verifiable presentation</a>, nor vice versa. We strongly suggest that the
<code>aud</code> JWT <a>claim</a> be mapped to the <code>verifier</code>
property of the <a>verifiable presentation</a>.
      </p>

      <pre class="example nohighlight" title="An example of a
targeted verifiable presentation using the verifier property">
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2019/credentials/v1.1"
  ],
  "type": "VerifiablePresentation",
  "verifiableCredential": [" <span class="comment">...</span> "],
  "holder": "did:example:ebfeb1f712ebc6f1c276e12ec21",
  "verifier": "https://some.verifier.com"
}
      </pre>

      <pre class="example nohighlight" title="An example JWT for a
targeted verifiable presentation using the JWT aud claim">
{
  "iss": "did:example:ebfeb1f712ebc6f1c276e12ec21",
  "jti": "urn:uuid:3978344f-8596-4c3a-a978-8fcaba3903c5",
  "aud": "https://some.verifier.com",
  "nbf": 1541493724,
  "iat": 1541493724,
  "exp": 1573029723,
  "nonce": "343s$FSFDa-",
  "vp": {
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://www.w3.org/2018/credImpGuide/v1"
    ],
    "type": "VerifiablePresentation",
    "verifiableCredential": [" <span class="comment">...</span> "]
  }
}
      </pre>
    </section>

    <section>
      <h2>Extensions</h2>

      <em>This section is non-normative.</em>

      <p>
The Verifiable Credentials Data Model is designed around an <em>open world
assumption</em>, meaning that any entity can say anything about another entity.
This approach enables permissionless innovation; there is no centralized
registry or authority through which an extension author must register
themselves nor the specific data models and vocabularies they create.
      </p>

      <p>
Instead, credential data model authors are expected to use machine-readable
vocabularies through the use of [LINKED-DATA]. This implementation guide
provides examples for how to express data models using a data format that
is popular with software developers and web page authors called [JSON-LD]. This
data format provides features that enable authors to express their data models
in idiomatic JSON while also ensuring that their vocabulary terms are
unambigiously understood, even by software that does not implement
JSON-LD processing.
      </p>

      <p>
The Verifiable Credentials data model also uses a graph-based data model,
which allows authors to model both simple relationships that describe
one or more attributes for a single entity and complex multi-entity
relationships.
      </p>

      <p>
The rest of this section describes how to author extensions that build on
the Verifiable Credentials Data Model.
      </p>

      <section>
        <h3>Creating New Credential Types</h3>

        <p>
We expect the most common extensions to the Verifiable Credentials Data Model
to be new credential types. Whenever someone has something to say about one or
more entities and they want their authorship to be verifiable, they should use
a Verifiable Credential. Sometimes there may be an existing credential type,
that someone else has created, that can be reused to make the statements they
want to make. However, there are often cases where new credential types are
needed.
        </p>

        <p>
New credential types can be created by following a few steps. This guide will
also walk you through creating an example new credential type. At a high level,
the steps to follow are:
        </p>

        <ol>
          <li>
Design the data model.
          </li>
          <li>
Create a new JSON-LD context.
          </li>
          <li>
Select a publishing location.
          </li>
          <li>
Use the new JSON-LD context when issuing new credentials.
          </li>
        </ol>

        <p>
So, let's walk through creating a new credential type which we will
call <code>ExampleAddressCredential</code>. The purpose of this credential
will be to express a person's postal address.
        </p>

        <h4>Design the data model</h4>

        <p>
First, we must design a data model for our new credential type. We know that
we will need to be able to express the basics of a postal address, things
like a person's city, state, and zipcode. Of course, those items are quite
US centric, so we should consider internationalizing those terms. But before
we go further, since we're using [LINKED-DATA] vocabularies, there is a good
chance that commonly known concepts may already have a vocabulary that someone
else has created that we can leverage.
        </p>

        <p>
If we are going to use someone else's vocabulary, we will want to make sure it
is stable and unlikely to change in any significant way. There may even be
technologies that we can make use of that store immutable vocabularies that
we can reference, but those are not the focus of this example. Here we will
rely on the inertia that comes from a very popularly used vocabulary on the
Web, schema.org. It turns out that this vocabulary has just what we need; it
has already modeled a postal address and even has examples for how to express
it using JSON-LD.
        </p>

        <p>
Please note that schema.org is developed incrementally, meaning that the definition
of a term today may differ from a future definition, or even be removed. Although
schema.org developers encourage using the latest release, as in the simple
non-versioned schema.org URLs such as <code>http://schema.org/Place</code> in
structured data applications, there are times in which more precise versioning is
important. Schema.org also provides dated snapshots of each release, including both
human and machine readable definitions of the schema.org core vocabulary. These are
linked from the <a href="https://schema.org/docs/releases.html">releases page</a>.
For instance, instead of the unversioned URI <code>http://schema.org/Place</code>,
you might use the versioned URI
<code>https://schema.org/version/3.9/schema-all.html#term_Place</code>.

In addition, the <code>schemaVersion</code> property has been defined to provide a
way for documents to indicate the specific intended version of schema.org's
definitions.
        </p>

        <p>
Using the schema.org vocabulary and JSON-LD we can express a person's address
like so:
        </p>

        <pre class="example nohighlight" title="Example schema.org address">
          {
            <span class="highlight">
            "@context": [
              "http://schema.org"
            ]</span>,
            "type": "Person",
            "address": {
              "type": "PostalAddress",
              "streetAddress": "123 Main St."
              "addressLocality": "Blacksburg",
              "addressRegion": "VA",
              "postalCode": "24060",
              "addressCountry": "US"
            }
          }
        </pre>

        <p>
Note the above <code>@context</code> key in the JSON. This <code>@context</code>
refers to a machine-readable file (also expressed in JSON) that provides
term definitions [JSON-LD]. A term definition maps a key or type used in the
JSON, such as <code>address</code> or <code>PostalAddress</code>, to a globally
unique identifier: a URL.
        </p>

        <p>
This ensures that when software sees the <code>@context</code>
<em>http://schema.org</em>, that it will interpret the the keys and types in the
JSON in a globally consistent way, without requiring developers to use full URLs
in the JSON or in the code that may traverse it. As long as the software is
aware of the specific <code>@context</code> used (or if it uses JSON-LD
processing to transform it to some other known <code>@context</code>), then it
will understand the <em>context</em> in which the JSON was written and meant to
be understood. The use of <code>@context</code> also allows [JSON-LD] keywords
such as <code>@type</code> to be aliased to the simpler <code>type</code> as
is done in the above example.
        </p>

        <p>
Note that we could also express the JSON using full URLs, if we want to avoid
using <em>@context</em>. Here is what the example would look like if we did
that:
        </p>

        <pre class="example nohighlight" title="Example schema.org address with full URLs">
          {
            "@type": "http://schema.org/Person",
            "http://schema.org/address": {
              "@type": "http://schema.org/PostalAddress",
              "http://schema.org/streetAddress": "123 Main St."
              "http://schema.org/addressLocality": "Blacksburg",
              "http://schema.org/addressRegion": "VA",
              "http://schema.org/postalCode": "24060",
              "http://schema.org/addressCountry": "US"
            }
          }
        </pre>

        <p>
While this form is an acceptable way to express the information such that it is
unambiguous, many software developers would prefer to use more idiomatic JSON.
The use of <code>@context</code> enables idiomatic JSON without losing global
consistency and without the need for a centralized registry or authority for
creating extensions. Note that <code>@context</code> can also have more than
one value. In this case, a JSON array is used to express multiple values, where
each value references another context that defines terms. Using this mechanism
we can first bring in the terms defined in the Verifiable Credentials Data Model
specification and then bring in the terms defined by schema.org:
        </p>

        <pre class="example nohighlight" title="Example address credential with schema.org context">
          {
            <span class="highlight">
            "@context": [
              "https://www.w3.org/2018/credentials/v1",
              "http://schema.org"
            ]</span>,
            <span class="comment">...</span>
            "credentialSubject": {
              "type": "Person",
              "address": {
                "type": "PostalAddress",
                "streetAddress": "123 Main St."
                "addressLocality": "Blacksburg",
                "addressRegion": "VA",
                "postalCode": "24060",
                "addressCountry": "US"
              }
            },
            <span class="comment">...</span>
          }
        </pre>

        <p>
Note, however, that each <em>context</em> might have a different definition for
the same term, e.g., the JSON key <code>address</code> might map to a different
URL in each <em>context</em>. By default, [JSON-LD] allows terms in a
<code>@context</code> to be redefined using a <em>last term wins</em>
order. While these changes can be safely dealt with by using JSON-LD
processing, we want to lower the burden on consumers of Verifiable Credentials.
We want consumer software to be able to make assumptions about the meaning of
terms by only having to read and understand the string value associated with
the <code>@context</code> key. We don't want them to have to worry about terms
being redefined in unexpected ways. That way their software can inspect only
the <code>@context</code> values and then be hard coded to understand the
meaning of the terms.
        </p>

        <p>
In order to prevent term redefinition, the [JSON-LD] <code>@protected</code>
feature must be applied to term definitions in the <code>@context</code>. All
terms in the core Verifiable Credentials <code>@context</code> are
already protected in this way. The only time that an existing term is allowed
to be redefined is if the new definition is scoped underneath another new term
that is defined in a <em>context</em>. This matches developer expectations and
ensures that consumer software has strong guarantees about the semantics of the
data it is processing; it can be written such that it is never confused about
the definition of a term. Note that consumers must determine their own risk
profile for how to handle any credentials their software processes that include
terms that it does not understand.
        </p>

        <h4>Create a new JSON-LD context</h4>

        <p>
Given the above, there is at least one reason why we don't want to use
the schema.org <em>context</em>: it is designed to be very flexible and thus
does not use the <code>@protected</code> feature. There are a few additional
reasons we want to create our own [JSON-LD] context though. First, the
schema.org context does not define our new credential type:
<em>ExampleAddressCredential</em>. Second, it is not served via a secure
protocol (e.g., <em>https</em>); rather, it uses <em>http</em>. Note that this
is less of a concern than it may seem, as it is recommended that all Verifiable
Credential consumer software hard code the <code>@context</code> values it
understands and not reach out to the Web to fetch them. Lastly, it is a very
large context, containing many more term definitions than are necessary for our
purposes.
        </p>

        <p>
So, we will create our own [JSON-LD] context that expresses just those term
definitions that we need for our new credential type. Note that this does not
mean that we must mint new URLs; we can still reuse the schema.org vocabulary
terms. All we are doing is creating a more concise and targeted context. Here's
what we'll need in our context:
        </p>

        <pre class="example nohighlight" title="Example address credential context">
          {
            "@version": 1.1,
            "@protected": true,

            "ExampleAddressCredential":
              "https://example.org/ExampleAddressCredential",

            "Person": {
              "@id": "http://schema.org/Person",
              "@context": {
                "@version": 1.1,
                "@protected": true,

                "address": "http://schema.org/address"
              }
            },
            "PostalAddress": {
              "@id": "http://schema.org/PostalAddress",
              "@context": {
                "@version": 1.1,
                "@protected": true,

                "streetAddress": "http://schema.org/streetAddress",
                "addressLocality": "http://schema.org/addressLocality",
                "addressRegion": "http://schema.org/addressRegion",
                "postalCode": "http://schema.org/postalCode",
                "addressCountry": "http://schema.org/addressCountry"
              }
            }
          }
        </pre>

        <p>
The above context defines a term for our new credential type
<em>ExampleAddressCredential</em>, mapping it to the URL
<em>https://example.org/ExampleAddressCredential</em>. We could have also
chosen a URI like <em>urn:private-example:ExampleAddressCredential</em>, but
this approach would not allow us to serve up a Web page to describe it, if we
so desire. The context also defines the terms for types <em>Person</em> and
<em>PostalAddress</em>, mapping them to their schema.org vocabulary URLs.
Furthermore, when those types are used, it also defines protected terms for
each of them via a <em>scoped context</em>, mapping terms like <em>address</em>
and <em>streetAddress</em> to their schema.org vocabulary URLs. For more
information on how to write a JSON-LD context or <em>scoped contexts</em>, see
the [JSON-LD] specification.
        </p>

        <h4>Select a publishing location</h4>

        <p>
Now that we have a [JSON-LD] context, we must give it a URL. Technically
speaking, we could just use a URI, for example, a private URN such as
<em>urn:private-example:my-extension</em>. However, if we want people to be
able to read and discover it on the Web, we should give it a URL like
<em>https://example.org/example-address-credential-context/v1</em>.
        </p>

        <p>
When this URL is dereferenced, it should return
<em>application/ld+json</em> by default, to allow JSON-LD processors to process
the context. However, if a user agent requests <em>HTML</em>, it should return
human readable text that explains, to humans, what the term definitions are and
what they map to. Since we're reusing an existing vocabulary, schema.org, we
can also simply link to the definitions of the meaning of our types and terms
via their website. If we had created our own new vocabulary terms, we would
describe them on our own site, ideally including machine readable Information
as well.
        </p>

        <h4>Use the new JSON-LD context when issuing new credentials</h4>

        <p>
Now we're ready for our context to be used by anyone who
wishes to issue an <em>ExampleAddressCredential</em>!
        </p>

        <pre class="example nohighlight" title="Example address credential with schema.org context">
          {
            <span class="highlight">
            "@context": [
              "https://www.w3.org/2018/credentials/v1",
              "https://example.org/example-address-credential-context/v1"
            ]</span>,
            "id": "https://example.org/credentials/1234",
            "type": "ExampleAddressCredential",
            "issuer": "https://example.org/people#me",
            "issuanceDate": "2017-12-05T14:27:42Z",
            "credentialSubject": {
              "id": "did:example:1234",
              "type": "Person",
              "address": {
                "type": "PostalAddress",
                "streetAddress": "123 Main St."
                "addressLocality": "Blacksburg",
                "addressRegion": "VA",
                "postalCode": "24060",
                "addressCountry": "US"
              }
            },
            "proof": { <span class="comment">...</span> }
          }
        </pre>

        <p>
Note that writing this new credential type requires permission from no one,
you must only adhere to the above referenced standards.
        </p>

      </section>

      <section>
        <h3>Extending JWTs</h3>

        <p>
The [[[vc-data-model]]] specifies a minimal set of
JWT <a>claim</a> names that are to be used to represent the
properties of a <a>verifiable credential</a>
and its <code>credentialSubject</code>. Implementers may wish to extend a
<a>verifiable credential</a> with some
properties that are new (e.g., <code>drivingLicenseNumber</code>,
<code>mySpecialProperty</code> or that are already registered with IANA
as JWT <a>claim</a> names (e.g., <code>given_name</code>.
<code>phone_number_verified</code>.
      </p>
      <p>
As the [[[vc-data-model]]] states, such extension properties are best
placed directly in either the JWT <code>vc</code> <a>claim</a> or the
<code>credentialSubject</code> property of the <code>vc</code> <a>claim</a>
as appropriate, although they <em>MAY</em> be placed directly into their own
JWT <a>claims</a>.
        </p>
        <p>
If implementers wish to use JWT <a>claim</a> names for these extensions,
the following steps are recommended. Note that there are three types of JWT
<a>claim</a> name: public, named with a URI; private, named with a local name; and
registered with IANA.
        <ol>
          <li>
First, check with IANA (https://www.iana.org/assignments/jwt/jwt.xhtml) to see
if the JWT <a>claim</a> name already exists.
          </li>
          <li>
If it does not exist, the implementer may wish to either give it a public name
(i.e., a URI), give it a local name (i.e., any string), or register it with IANA.
          </li>
          <li>
Once the JWT <a>claim</a> name exists, define encoding/decoding
transformation rules to convert the <a>verifiable credential</a> property
or <code>credentialSubject</code> property into the JWT <a>claim</a>.
           <ul>
           <li>
<em>Encoding</em>: Remove the property from the <a>verifiable credential</a>, encode it
according to the defined rule, and place it in the JWT <a>claim</a>
           </li>
          <li>
<em>Decoding</em>: Remove the value from the JWT <a>claim</a>, decode it according to the
defined rule, and place it in the new <a>verifiable credential</a> JSON object,
as either a property of the <a>verifiable credential</a>
or the <code>credentialSubject</code>, as appropriate.
        </li>
       </ul>
       </li>

      </section>

      <section>
        <h3>Human Readability</h3>
        <p>
The JSON-LD Context declaration mechanism is used by implementations to
signal the context in which the data transmission is happening to consuming
applications:
        </p>

        <pre class="example nohighlight" title="Use of @context mechanism">
          {
            <span class="highlight">
            "@context": [
              "https://www.w3.org/2018/credentials/v1",
              "https://www.w3.org/2018/credentials/examples/v1"
            ]</span>,
            "id": "http://example.edu/credentials/1872",
            <span class="comment">...</span>
        </pre>

        <p>
Extension authors are urged to publish two types of information at the
context URLs. The first type of information is for machines, and is the
machine-readable JSON-LD Context. The second type of information is for
humans, and should be an HTML document. It is suggested that the default
mode of operation is to serve the machine-readable JSON-LD Context as that is
the primary intended use of the URL. If content-negotiation is supported,
requests for <code>text/html</code> should result in a human readable document.
The human readable document should at least contain usage information for the
extension, such as the expected order of URLs associated with the
<code>@context</code> property, specifications that elaborate on the extension,
and examples of typical usage of the extension.
        </p>
      </section>

    </section>

    <section>
      <h2>Proof Formats</h2>
      <em>This section is non-normative.</em>

      <p>
The <a>verifiable credentials</a>
<a href="https://w3c.github.io/vc-data-model/">data model </a> is designed to be
proof format agnostic. <a href="https://w3c.github.io/vc-data-model/">The
specification</a> does not normatively require any particular digital proof or
signature format. While the data model is the canonical representation of a
<a>verifiable credential</a> or <a>verifiable presentation</a>, the proving
mechanisms for these are often tied to the syntax used in the transmission of
the document between parties. As such, each proofing mechanism has to specify
whether the validation of the proof is calculated against the state of the
document as transmitted, against the transformed data model, or against another
form. At the time of publication, at least two proof formats are being actively
utilized by implementers, and the Working Group felt that documenting what these
proof formats are and how they are being used would be beneficial to other
implementers.
      </p>
      <p>
This guide provides tables in section <a href="#pf1b">Benefits of JWTs</a> and
section <a href="#pf1b">Benefits of JSON-LD and LD-Proofs</a> that compare three
syntax and proof format ecosystems; JSON+JWTs, JSON-LD+JWTs, and
JSON-LD+LD-Proofs.
      </p>
      <p>
Because the Verifiable Credentials Data Model is extensible, and agnostic to any
particular proof format, the specification and use of additional proof formats
is supported.
      </p>
        <section>
            <h3>Benefits of JWTs</h3>

            <p>
The Verifiable Credentials Data Model is designed to be compatible with a
variety of existing and emerging syntaxes and digital proof formats. Each
approach has benefits and drawbacks. The following table is intended to
summarize a number of these native trade-offs.
            </p>

            <p>
The table below compares three syntax and proof format ecosystems; JSON+JWTs,
JSON-LD+JWTs, and JSON-LD+LD-Proofs.
            </p>

            <table class="simple" id="#pfatable">
                <thead>
                <tr>
                    <th style="text-align: center;">Feature</th>
                    <th style="text-align: center;">JSON<br>+<br>JWTs</th>
                    <th style="text-align: center;">JSON&#8209;LD<br>+<br>JWTs</th>
                    <th style="text-align: center;">JSON&#8209;LD<br>+<br>LD&#8209;Proofs</th>
                </tr>
                </thead>

                <tbody>
                <tr>
                    <td>
<a href="#pf1a">PF1a.</a> Proof format supports Zero-Knowledge Proofs.
                    </td>
                    <td class="supported">✓</td>
                    <td class="supported">✓</td>
                    <td class="supported">✓</td>
                </tr>
                <tr>
                    <td>
<a href="#pf2a">PF2a.</a> Proof format supports arbitrary proofs such as Proof
of Work, Timestamp Proofs, and Proof of Stake.
                    </td>
                    <td class="supported">✓</td>
                    <td class="supported">✓</td>
                    <td class="supported">✓</td>
                </tr>
                <tr>
                    <td>
<a href="#pf3a">PF3a.</a> Based on existing official standards.
                    </td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                    <td class="missing">✖</td>
                </tr>
                <tr>
                    <td>
<a href="#pf4a">PF4a.</a> Designed to be small in size.
                    </td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                    <td class="missing">✖</td>
                </tr>
                <tr>
                    <td>
<a href="#pf5a">PF5a.</a> Offline support without further processing.
                    </td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                    <td class="missing">✖</td>
                </tr>
                <tr>
                    <td>
<a href="#pf6a">PF6a.</a> Wide adoption in other existing standards.
                    </td>
                    <td class="supported">✓</td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                </tr>
                <tr>
                    <td>
<a href="#pf7a">PF7a.</a> No type ambiguity.
                    </td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                    <td class="missing">✖</td>
                </tr>
                <tr>
                    <td>
<a href="#pf8a">PF8a.</a> Broad library support.
                    </td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                    <td class="missing">✖</td>
                </tr>
                <tr>
                    <td>
<a href="#pf9a">PF9a.</a> Easy to understand what is signed.
                    </td>
                    <td class="supported">✓</td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                </tr>
                <tr>
                    <td>
<a href="#pf10a">PF10a.</a> Ability to be used as authn/authz token with existing systems.
                    </td>
                    <td class="supported">✓</td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                </tr>
                <tr>
                    <td>
<a href="#pf11a">PF11a.</a> No additional canonicalization required.
                    </td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                    <td class="missing">✖</td>
                </tr>
                <tr>
                    <td>
<a href="#pf12a">PF12a.</a> No Internet PKI required.
                    </td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                    <td class="missing">✖</td>
                </tr>
                <tr>
                    <td>
<a href="#pf13a">PF13a.</a> No resolution of external documents needed.
                    </td>
                    <td class="supported">✓</td>
                    <td class="missing">✖</td>
                    <td class="missing">✖</td>
                </tr>

              </tbody>
            </table>

            <p class="note">
Some of the features listed in the table above are debateable, since a feature
can always be added to a particular syntax or digital proof format. The table
is intended to identify native features of each combination such that no
additional language design or extension is required to achieve the identified
feature. Features that all languages provide, such as the ability to express
numbers, have not been included for the purposes of brevity. Find more information
about different proof formats in the next section.
            </p>

            <dl>
              <dt id="pf1a">
PF1a: Proof format supports Zero-Knowledge Proofs.
              </dt>
                <dd>
JWTs can embed `proof` attributes for repudiable proofs such as Zero-Knowledge Proofs.
In that case, the JWS will not have an signature element.
                </dd>
                <dt id="pf2a">
PF2a: Proof format supports arbitrary proofs such as Proof of Work, Timestamp
Proofs, and Proof of Stake.
                </dt>
                <dd>
JWTs can embed `proof` attributes for any type of proofs such as Proof of Work, Timestamp,
Proofs, and Proof Stake.
                </dd>
                <dt id="pf3a">
PF3a: Based on existing official standards.
                </dt>
                <dd>
JSON and JWT are proposed and mature IETF standards. While JSON-LD 1.0 is in
REC state in W3C, JSON-LD 1.1 is still in WD state. LD-Proofs are not standardized at all.
                </dd>
                <dt id="pf4a">
PF4a: Designed to be small in size.
                </dt>
                <dd>
JSON was invented as a simple data format to be transmitted on the wire. A verifiable credential
can be expressed by its attributes only, without the necessity to introduce additional meta-information
such as @context. This makes the resulting JSON+JWT credential typically also smaller in size.
                </dd>
                <dt id="pf5a">
PF5a: Offline support without further processing.
                </dt>
                <dd>
A JWT can fully describe itself without the need to retrieve or verify any external documents.
JSON-LD requires the context to be queryable and requires further documents to be accessible
to check the prevalent document, e.g., LD-Proof. Additional caching needs to be implemented
to support offline use cases.
                </dd>
                <dt id="pf6a">
PF6a: Wide adoption in other existing standards.
                </dt>
                <dd>
JWT founds its application in many other existing standards, e.g., OAuth2, OpenID Connect.
This allows for backward compatibility with existing authentication and authorization
frameworks without or with only minor modifications to these legacy systems.
                </dd>
                <dt id="pf7a">
PF7a: No type ambiguity.
                </dt>
                <dd>
It is best practice that JSON data structures typically do not expect changing types of
their internal attributes. JSON-LD has implicit support for compact form serialization
which transforms arrays with a single element only to switch its data type. Developers
writing parsers have to implement special handling of these data types, which results in
more code, is more error-prone and sometimes does not allow parsers based on code
generation, which rely on static types.
                </dd>
                <dt id="pf8a">
PF8a: Broad library support.
                </dt>
                <dd>
JWT and JSON due to its maturity and standardization, have a lot of open-source library
support. While JSON-LD 1.0 is a standard and has support for different programming
languages, it is still behind JSON which is often part of the native platform
toolchain, e.g., JavaScript. For LD-Proofs, on the other hand, only a few scattered
libraries exist.
                </dd>
                <dt id="pf9a">
PF9a: Easy to understand what is signed.
                </dt>
                <dd>
JWT makes it visible what is signed in contrast to LD-Proofs, e.g., LD Signatures, that
are detached from the actual payload and contain links to external documents which makes
it not obvious for a developer to figure out what is part of the signature.
                </dd>
                <dt id="pf10a">
PF10a: Ability to be used as authn/authz token with existing systems.
                </dt>
                <dd>
Many existing applications rely on JWT for authentication and authorization purposes.
In theory, developers maintaining these applications could leverage JWT-based verifiable
presentations in their current systems with minor or no modifications. LD-Proofs represents
a new approach which would require more work to achieve the same result.
                </dd>
                <dt id="pf11a">
PF11a: No additional canonicalization required.
                </dt>
                <dd>
Beyond base64 URL encoding JSON and JWT don't require any canonicalization to be transmitted
on the wire. The JWS can be calculated on any data inside of the payload. This results in less
computation, less complexity, and light-weight libraries compared to JSON-LD and LD-Proofs where
canonicalization is required.
                </dd>
                <dt id="pf12a">
PF12a: No Internet PKI required.
                </dt>
                <dd>
JSON-LD and LD-Proofs rely on resolving external documents, e.g., <code>@context</code>. This means that
a verifiable credential system would rely on existing Internet PKI to a certain extend and
cannot be fully decentralized. A JWT-based system does not need to introduce this dependency.
                </dd>
                <dt id="pf13a">
PF13a: No resolution of external documents needed.
                </dt>
                <dd>
JSON-LD and LD-Proofs require the resolution of external documents, which leads to an
increased network load for the verifier of a verifiable presentation. This needs to be
mitigated through caching strategies.
                </dd>
            </dl>
        </section>
        <section>
          <h3>Benefits of JSON-LD and LD-Proofs</h3>

          <p>
The Verifiable Credentials Data Model is designed to be compatible with a
variety of existing and emerging syntaxes and digital proof formats. Each
approach has benefits and drawbacks. The following table is intended to
summarize a number of these native trade-offs.
          </p>

          <p>
The table below compares three syntax and proof format ecosystems; JSON+JWTs,
JSON-LD+JWTs, and JSON-LD+LD-Proofs. Readers should be aware that
Zero-Knowledge Proofs are currently proposed as a sub-type of LD-Proofs and
thus fall into the final column below.
          </p>

          <table class="simple" id="#pfbtable">
            <thead>
              <tr>
                <th style="text-align: center;">Feature</th>
                <th style="text-align: center;">JSON<br>+<br>JWTs</th>
                <th style="text-align: center;">JSON&#8209;LD<br>+<br>JWTs</th>
                <th style="text-align: center;">JSON&#8209;LD<br>+<br>LD&#8209;Proofs</th>
              </tr>
            </thead>

            <tbody>
              <tr>
                <td>
<a href="#pf1b">PF1b.</a> Support for open world data modelling.
                </td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf2b">PF2b.</a> Universal identifier mechanism for JSON objects via
the use of URIs.
                </td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf3b">PF3b.</a> A way to disambiguate properties shared among different
JSON documents by mapping them to IRIs via a context.
                </td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf4b">PF4b.</a> A mechanism to refer to data in an external document,
where the data may be merged with the local document without a merge conflict
in semantics or structure.
                </td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf5b">PF5b.</a> The ability to annotate strings with their language.
                </td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf6b">PF6b.</a> A way to associate arbitrary datatypes, such as dates
and times, with arbitrary property values.
                </td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf7b">PF7b.</a> A facility to express one or more directed graphs,
such as a social network, in a single document.
                </td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf8b">PF8b.</a> Supports signature sets.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf9b">PF9b.</a> Embeddable in HTML such that search crawlers will
index the machine-readable content.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf10b">PF10b.</a> Data on the wire is easy to debug and serialize to
database systems.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf11b">PF11b.</a> Nesting signed data does not cause data size to
double for every embedding.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf12b">PF12b.</a> Proof format supports Zero-Knowledge Proofs.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf13b">PF13b.</a> Proof format supports arbitrary proofs such as Proof
of Work, Timestamp Proofs, and Proof of Stake.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf14b">PF14b.</a> Proofs can be expressed unmodified in other data
syntaxes such as YAML, N-Quads, and CBOR.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf15b">PF15b.</a> Changing property-value ordering, or introducing
whitespace does not invalidate signature.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf16b">PF16b.</a> Designed to easily support experimental signature
systems.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf17b">PF17b.</a> Supports signature chaining.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf18b">PF18b.</a> Does not require pre-processing or post-processing.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
              <tr>
                <td>
<a href="#pf19b">PF19b.</a> Canonicalization requires only base-64 encoding.
                </td>
                <td class="missing">✖</td>
                <td class="missing">✖</td>
                <td class="supported">✓</td>
              </tr>
            </tbody>
          </table>

          <p class="note">
Some of the features listed in the table above are debateable, since a feature
can always be added to a particular syntax or digital proof format. The table
is intended to identify native features of each combination such that no
additional language design or extension is required to achieve the identified
feature. Features that all languages provide, such as the ability to express
numbers, have not been included for the purposes of brevity.
          </p>

          <dl>
            <dt id="pf1b">
PF1b: Support for open world data modelling
            </dt>
            <dd>
An <em>open world data model</em> is one where any entity can make any
statement about anything while simultaneously ensuring that the semantics of
the statement are unambiguous. This specification is enabled by an open world
data model called Linked Data. One defining characteristic of supporting an open
world data model is the ability to specify the semantic context in which data
is being expressed. JSON-LD provides this mechanism via the
<code>@context</code> property. JSON has no such feature.
            </dd>
            <dt id="pf2b">
PF2b: Universal identifier mechanism for JSON objects via the use of URIs.
            </dt>
            <dd>
All entities in a JSON-LD document are identified either via an automatic URI,
or via an explicit URI. This enables all entities in a document to be
unambiguously referenced. JSON does not have a native URI type nor does it
require objects to have one, making it difficult to impossible to unambiguously
identify an entity expressed in JSON.
            </dd>
            <dt id="pf3b">
PF3b: A way to disambiguate properties shared among different JSON documents by
mapping them to IRIs via a context.
            </dt>
            <dd>
All object properties in a JSON-LD document, such as the property "homepage",
are either keywords or they are mapped to an IRI. This feature enables open
world systems to identify the semantic meaning of the property in an unambiguous
way, which enables seamless merging of data between disparate systems.
JSON object properties are not mapped to IRIs, which result in ambiguities with
respect to the semantic meaning of the property. For example, one JSON document
might use "title" (meaning "book title") in a way that is semantically
incompatible with another JSON document using "title" (meaning "job title").
            </dd>
            <dt id="pf4b">
PF4b: A mechanism to refer to data in an external document, where the data may
be merged with the local document without a merge conflict in semantics or
structure.
            </dt>
            <dd>
JSON-LD provides a mechanism that enables a data value to use a URL to refer
to data outside of the local document. This external data may then be
automatically merged with the local document without a merge conflict in
semantics or structure. This feature enables a system to apply the
"follow your nose" principle to discover a richer set of data that is
associated with the local document. While a JSON document can contain pointers
to external data, interpreting the pointer is often application specific and
usually does not support merging the external data to construct a richer data
set.
            </dd>
            <dt id="pf5b">
PF5b: The ability to annotate strings with their language.
            </dt>
            <dd>
JSON-LD enables a developer to specify the language, such as English, French,
or Japanese, in which a text string is expressed via the use of language tags.
JSON does not provide such a feature.
            </dd>
            <dt id="pf6b">
PF6b: A way to associate arbitrary datatypes, such as dates
and times, with arbitrary property values.
            </dt>
            <dd>
JSON-LD enables a developer to specify the data type of a property value,
such as Date, unsigned integer, or Temperature by specifying it in the
JSON-LD Context. JSON does not provide such a feature.
            </dd>
            <dt id="pf7b">
PF7b: A facility to express one or more directed graphs, such as a social
network, in a single document.
            </dt>
            <dd>
JSON-LD's abstract data model supports the expression of information
as a directed graph of labeled nodes and edges, which enables an open world
data model to be supported. JSON's abstract data model only supports the
expression of information as a tree of unlabeled nodes and edges, which
restricts the types of relationships and structures that can be natively
expressed in the language.
            </dd>
            <dt id="pf8b">
PF8b: Supports signature sets.
            </dt>
            <dd>
A signature set is an unordered set of signatures over a data payload. Use
cases, such as cryptographic signatures applied to a legal contract,
typically require more than one signature to be associated with the contract
in order to legally bind two or more parties under the terms of the contract.
Linked Data Proofs, including Linked Data Signatures, natively support sets of
signatures. JWTs only enable a single signature over a single payload.
            </dd>
            <dt id="pf9b">
PF9b: Embeddable in HTML such that search crawlers will index the
machine-readable content.
            </dt>
            <dd>
All major search crawlers natively parse and index information expressed as
JSON-LD in HTML pages. LD-Proofs enable the current data format that search
engines use to be extended to support digital signatures. JWTs have no mechanism
to express data in HTML pages and are currently not indexed by search crawlers.
            </dd>
            <dt id="pf10b">
PF10b: Data on the wire is easy to debug and serialize to database systems.
            </dt>
            <dd>
When developers are debugging software systems, it is beneficial for them to be
able to see the data that they are operating on using common debugging tools.
Similarly, it is useful to be able to serialize data from the network to a
database and then from the database back out to the network using a minimal
number of pre and post processing steps. LD-Proofs enable developers to use
common JSON tooling without having to convert the format into a different
format or structure. JWTs base-64 encode payload information, resulting in
complicated pre and post processing steps to convert the data into JSON data
while not destroying the digital signature. Similarly, schema-less databases,
which are typically used to index JSON data, cannot index information
that is expressed in an opaque base-64 encoded wrapper.
            </dd>
            <dt id="pf11b">
PF11b: Nesting signed data does not cause data size to double for every
embedding.
            </dt>
            <dd>
When a JWT is encapsulated by another JWT, the entire payload must be base-64
encoded in the initial JWT, and then base-64 encoded again in the encapsulating
JWT. This is often necessary when a cryptographic signature is required on a
document that contains a cryptographic signature, such as when a Notary
signs a document that has been signed by someone else seeking the Notary's
services. LD-Proofs do not require base-64 encoding the signed portion of a
document and instead rely on a canonicalization process that is just as
secure, and that only requires the cryptographic signature to be encoded
instead of the entire payload.
            </dd>
            <dt id="pf12b">
PF12b: Proof format supports Zero-Knowledge Proofs.
            </dt>
            <dd>
The LD-Proof format is capable of modifying the algorithm that generates
the hash or hashes that are cryptographically signed. This cryptographic
agility enables digital signature systems, such as Zero-Knowledge Proofs,
to be layered on top of LD-Proofs instead of an entirely new digital signature
container format to be created. JWTs are designed such that an entirely new
digital signature container format will be required to support Zero-Knowledge
Proofs.
            </dd>
            <dt id="pf13b">
PF13b: Proof format supports arbitrary proofs such as Proof of Work, Timestamp
Proofs, and Proof of Stake.
            </dt>
            <dd>
The LD-Proof format was designed with a broader range of proof types in mind
and supports cryptographic proofs beyond simple cryptographic signatures.
These proof types are in common usage in systems such as decentralized ledgers
and provide additional guarantees to
<a>verifiable credentials</a>, such as the ability to prove that a particular
claim was made at a particular time or that a certain amount of energy was
expended to generate a particular credential. The JWT format does not support
arbitrary proof formats.
            </dd>
            <dt id="pf14b">
PF14b: Proofs can be expressed unmodified in other data syntaxes such as XML,
YAML, N-Quads, and CBOR.
            </dt>
            <dd>
The LD-Proof format utilizes a canonicalization algorithm to generate a
cryptographic hash that is used as an input to the cryptographic proof
algorithm. This enables the bytes generated as the cryptographic proof to be
compact and expressible in a variety of other syntaxes such as XML,
YAML, N-Quads, and CBOR. Since JWTs require the use of JSON to be generated,
they are inextricably tied to the JSON syntax.
            </dd>
            <dt id="pf15b">
PF15b: Changing property-value ordering, or introducing whitespace does not
invalidate signature.
            </dt>
            <dd>
Since LD-Proofs utilize a canonicalization algorithm, the introduction of
whitespace that does not change the meaning of the information being expressed
has no effect on the final cryptographic hash over the information. This means
that simple changes in whitespace formatting, such as those changes made when
writing data to a schema-less database and then retrieving the same information
from the same database do not cause the digital signature to fail. JWTs
encode the payload using the base-64 format which is not resistant to
whitespace formatting that has no effect on the information expressed. This
shortcoming of JWTs make it challenging to, for example, express signed data in
web pages that search crawlers index.
            </dd>
            <dt id="pf16b">
PF16b: Designed to easily support experimental signature systems.
            </dt>
            <dd>
The LD-Proof format is naturally extensible, not requiring the format to be
extended in a formal international standards working group in order to
prevent namespace collisions. The JWT format requires entries in a centralized
registry in order to avoid naming collisions and does not support
experimentation as easily as the LD-Proof format does. LD-Proof format
extension is done through the decentralized publication of cryptographic
suites that are guaranteed to not conflict with other LD-Proof
extensions. This approach enables developers to easily experiment with new
cryptographic signature mechanisms that support selective disclosure,
zero-knowledge proofs, and post-quantum algorithms.
            </dd>
            <dt id="pf17b">
PF17b: Supports signature chaining.
            </dt>
            <dd>
A signature chain is an ordered set of signatures over a data payload. Use
cases, such as cryptographic signatures applied to a notarized document,
typically require a signature by the signing party and then an additional one
by a notary to be made after the original signing party has made their
signature. Linked Data Proofs, including Linked Data Signatures, natively
support chains of signatures. JWTs only enable a single signature over a
single payload.
            </dd>
            <dt id="pf18b">
PF18b: Does not require pre-processing or post-processing.
            </dt>
            <dd>
In order to encode a <a>verifiable credential</a> or a
<a>verifiable presentation</a> in a JWT, an extra set of steps
are required to convert the data to and from the JWT format. No such extra
converstion step are required for <a>verifiable credentials</a> and
<a>verifiable presentations</a> protected by LD-Proofs.
            </dd>
            <dt id="pf19b">
PF19b: Canonicalization requires only base-64 encoding.
            </dt>
            <dd>
The JWT format utilizes a simple base-64 encoding format to generate the
cryptographic hash of the data. The encoding format for LD-Proofs requires
a more complex canonicalization algorithm to generate the cryptographic
hash. The benefits of the JWT approach are simplicity at the cost of
encoding flexibility. The benefits of the LD-Proof approach are flexibility at
the cost of implementation complexity.
          </dd>
        </dl>

      </section>

    </section>

    <section>
      <h2>Zero-Knowledge Proofs</h2>
      <em>This section is non-normative</em>
      <p>
The Verifiable Credentials Data Model is designed to be compatible with a
variety of existing and emerging digital proof formats. Each proof format has
benefits and drawbacks. Many proof formats cannot selectively reveal attribute
values from a verifiable credential; they can only reveal all (or none).
      </p>
      <p>
Zero-Knowledge Proofs (ZKPs) are a proof format that enables data-minimization
features in <a>verifiable presentations</a>, such as selective disclosure and
predicate proofs.
      </p>
      <h3>Full Disclosure</h3>
      <p>
Currently, disclosing data is an all or nothing process, whether online or off.
Many digital identity systems reveal all the attributes in a digital credential.
The simplest method for signing a <a>verifiable credential</a> signs the entire
credential and when presented, fully discloses all the attributes.
      </p>
      <p>
Along with a full disclosure of all the attributes in a
<a>verifiable credential</a>, standard <a>verifiable presentations</a> reveal
the actual signature. With both the data and signature in hand, a
<a>verifier</a> has a complete copy of the credential. Without care, this could
enable the <a>verifier</a> to impersonate the <a>holder</a>. Also, since the
signature is the same every time this credential is presented, the signature
itself is a unique identifier and becomes PII (personally identifiable
information).
      </p>
      <p>
It is also possible to fully disclose the attributes in a zero-knowledge
<a>verifiable credential</a>. Unlike non-ZKP methods, zero-knowledge methods do
not reveal the actual signature; instead, they only reveal a cryptographic proof
of a valid signature. Only the <a>holder</a> of the signature has the
information needed to present the <a>credential</a> to a <a>verifier</a>. This
means that zero-knowledge methods provide a <a>holder</a> additional protection
from impersonation. Because the signature is not revealed, it also cannot be
used as a unique identifier.
      </p>
      <h3>Selective Disclosure</h3>
      <p>
Selective disclosure means that a <a>holder</a> doesn't have to reveal all of
the attributes contained in a <a>verifiable credential</a>. This reduces the
liability of handling or holding data that it is not necessary to share or
collect.
      </p>
      <p>
Non-ZKP methods for selective disclosure often require the credential issuer to
create a unique <a>credential</a> for each individual attribute, or possible
combination of attributes. This could quickly become impractical as the number
of <a>credentials</a> or combinations thereof exponentially explodes. Atomic
<a>credentials</a> (which only contain a single attribute) may also not
guarantee that the data is properly paired when used in a <a>verifiable
presentation</a>. For example, a <a>holder</a> has two vehicle credentials, one
for a 2018 Mazda with 15,000 miles and the other for a 1965 Lincoln with 350,000
miles. With atomic credentials it may be possible to claim the user has a 1965
Lincoln with 15,000 miles.
      </p>
      <p>
Zero-knowledge methods allow a <a>holder</a> to choose which attributes to
reveal and which attributes to withhold on a case-by-case basis without
involving the <a>issuer</a>. The <a>credential</a> <a>issuer</a> only needs to
provide a single <a>verifiable credential</a> that contains all of the
attributes. Each attribute is individually incorporated into the signature.
This enables two options: to reveal the attribute or to prove that you know the
value of the attribute without revealing it. For example, a credential with
attributes for name, birthdate, and address can be used in a presentation to
reveal only your name.
      </p>
      <p>
Non-ZKP methods implementing selective disclosure often requires the cooperation
of the <a>issuer</a>. Selective disclosure using zero-knowledge methods gives
the <a>holder</a> personal control over what to reveal. A <a>verifiable
presentation</a> based on zero-knowledge proof mechanisms only contains those
attributes and associated values that are required to satisfy the presentation
requirements.
        </p>
        <h3> Predicate Proofs</h3>
      <p>
A predicate proof is a proof that answers a true-or-false question. For example,
"Are you over the age of 18?" Using non-ZKP methods, predicate proofs must be
provided by the <a>issuer</a> as one of the attributes of a <a>verifiable
credential</a>. This means that in order for a non-ZKP <a>credential</a> to be
used to prove age-over-18, it would need to contain the attribute age-over-18.
This <a>credential</a> could not be used to reveal your birthdate, unless it
also included a birthdate <a>claim</a>. It also couldn't be used to prove
age-over-25. To prove age-over-25, the <a>holder</a> would need to have received
a <a>credential</a> with an age-over-25 <a>claim</a>.
      </p>
      <p>
Using zero-knowledge methods, predicate proofs can be generated by the
<a>holder</a> at the time of <a>presentation</a> without <a>issuer</a>
involvement. For example, a <a>verifiable credential</a> with the <a>claim</a>
birthdate can be used in a <a>verifiable presentation</a> to prove age-over-18.
The same <a>credential</a> could then be used in another <a>presentation</a> to
prove age-over-25, all without revealing the <a>holder's</a> birthdate.
      </p>
      <h3>Revocation</h3>
      <p>
<a>Verifiable credentials</a> may need to be revocable. If an <a>issuer</a> can
revoke a <a>credential</a>, <a>verifiers</a> must be able to determine a
<a>credential's</a> revocation status.
      </p>
      <p>
Non-ZKP methods for checking revocation status may require the <a>verifier</a>
to directly contact the <a>issuer</a>. Less restrictive checks could be made
against a list of revoked credential identifiers posted in a public registry.
The <a>holder</a> is required to disclose the <a>credential</a> identifier to
the <a>verifier</a> so that it can be checked. The <a>verifier</a> is then
responsible for doing the work to check revocation.
      </p>
      <p>
Using zero-knowledge methods, the <a>credential</a> identifier can be checked
against a list of revoked credential identifiers without revealing the
identifier. This reduces the ability of network monitors to correlate a
<a>holder's</a> credential presentations, and removes the ability of an
<a>issuer</a> to be made aware of the presentation of <a>verifiable
credentials</a> they have issued.
      </p>
      <h3>Correlation</h3>
      <p>
Correlation is the ability to link data from multiple interactions to a single
user. Correlation can be performed by a <a>verifier</a>, by <a>issuers</a> and
<a>verifiers</a> working together, or by a third party observing interactions on
the network. Correlation is a way to collect data about a <a>holder</a> without
the <a>holder's</a> consent or knowledge. It is also a way to deanonymize
private transactions. For example, a <a>holder</a> might use a <a>verifiable
credential</a> to prove they are authorized to vote, then submit a secret
ballot. If it is possible to correlate the <a>holder's</a> <a>credential</a>
with the secret ballot, thereby linking a specific vote to a specific voter, it
would be detrimental to the democratic process and could enable retaliation.
      </p>
      <p>
One way to reduce correlation is through data minimization, by sharing only the
information required to complete a transaction. Another way to reduce
correlation is to make each interaction look unique. When interactions disclose
unique identifiers, an observer can link multiple interactions to a single user.
Non-ZKP methods with only a single identifier per user create correlation
opportunities by embedding that identifier in multiple credentials or
interactions. Zero-knowledge proofs remove this linkability between interactions.
      </p>
      <p>
Non-ZKP methods that reveal all attributes and use unique identifiers are
completely correlatable. Zero-knowledge methods enable data minimization and
allow <a>holders</a> to have trusted interactions with <a>verifiers</a> without
dependence on unique identifiers.
      </p>
      <p>
Although correlation can never be eliminated completely, the goal of
zero-knowledge methods is to reduce the probability of correlation and to put
control over the level of correlation into the hands of the <a>verifiable
credential</a> <a>holder</a>.
      </p>
      <h3>Drawbacks</h3>
      <p>
Zero-knowledge methods are more complex than non-ZKP methods. Cryptographic
engineers must understand complicated protocols and write code to create
libraries that support zero-knowledge methods. System implementers can then use
these libraries without being exposed to the underlying complexity, but must
trust that the implementation was done correctly. They can utilize the features
of selective disclosure and bring the benefits of the method to their customers
without a significant increase in effort over using non-ZKP methods.
      </p>
      <p>
Due to the underlying complexity, zero-knowledge methods require more CPU and
memory to use. This also adds to the time required to create and verify proofs.
This should be considered when using less capable devices such as IOT devices or
older phones.
      </p>
      <p>
Another drawback of zero-knowledge proofs is that they tend to be larger than
simple signatures.
      </p>
      <p>
There is a perception that zero-knowledge methods are new and untested.
Zero-knowledge methods were first introduced in 1989 as a way to guard secrets.
Although they may not be well understood by the general public, they have
received considerable review and scrutiny in the cryptographic community. They
are considered just as secure as many common cryptographic techniques in use
today.
      </p>
    </section>

    <section>
      <h2>Progressive Trust</h2>
      <em>This section is non-normative.</em>

      <p>
Entities that use <a>verifiable credentials</a> and
<a>verifiable presentations</a> should follow protocols that enable progressive
trust. Progressive trust refers to enabling individuals to share information
about themselves only on an as needed basis, slowing building up more trust as
more information is shared with another party.
      </p>
      <p>
Progressive trust is strongly related to the principle of data minimization, and
enabled by technologies such as selective disclosure and predicate proofs. We
encourage the use of progressive trust as a guiding principle for implementers
as they develop protocols for <a>issuers</a>, <a>holders</a>, and
<a>verifiers</a>.

      </p>

      <section>
        <h3>Data Minimization</h3>
        <p>
Data minimization is a principle that encourages <a>verifiers</a> to request the
minimum amount of data necessary from <a>holders</a>, and for <a>holders</a> to
only provide the minimum amount of data to <a>verifiers</a>. This "minimum
amount of data" depends on the situation and may change over the course of a
<a>holder</a>'s interaction with a <a>verifier</a>.
        </p>
        <p>
For example, a <a>holder</a> may apply for a loan, with a bank acting as the
<a>verifier</a>. There are several points at which the bank may want to determine
whether the <a>holder</a> is qualified to continue in the process of applying for
the loan; for instance, the bank may have a policy of only providing loans to
existing account holders. A protocol that follows the principle of data
minimization would allow the <a>holder</a> to reveal to the <a>verifier</a> only
that they are an existing account holder, before the bank requests any additional
information, such as account balances or employment status. In this way, the
applicant may progressively entrust the bank with more information, as the data
needed by the bank to make its determinations is requested a piece at a time, as
needed, rather than as a complete set, up front.
        </p>
      </section>

      <section>
        <h3>Selective Disclosure</h3>

        <p>
Selective disclosure is the ability of a <a>holder</a> to select some elements
of a <a>verifiable credential</a> to share with a <a>verifier</a>, without
revealing the rest. There are several different methods which support selective
disclosure, we provide three examples:
        </p>
        <ul>
          <li>
<b>Atomic Credentials</b> - These are <a>verifiable credentials</a> which
consist of a single claim. An <a>issuer</a> may provide a set of atomic
credentials that duplicates the claims of a standard credential. This atomicity
allows a <a>holder</a> to disclose only those claims which need to be revealed
to a <a>verifier</a>, rather than requiring all of the claims of a standard
credential to be revealed.
          </li>
          <li>
<b>Selective Disclosure Signatures</b> - Certain signature schemes natively
support selective disclosure of <a>verifiable credential</a> claims. One
example of these is
<a href="https://cs.brown.edu/~alysyans/papers/camlys02b.pdf">Camenisch-Lysyanskaya
signatures</a>. Such Signatures allow a <a>holder</a> to disclose only those
claims which need to be revealed to a <a>verifier</a>, rather than requiring
all of the credential's claims to be revealed.

          </li>
          <li>
<b>Hashed Values</b> - With this method, the <a>issuer</a> issues a single
<a>verifiable credential</a> containing all the <a>issuer</a>'s <a>claims</a>
about the subject.
However, each <a>claim</a> value is created by hashing the actual value with
a different nonce so that the <a>verifier</a> cannot determine the actual value.
There are several different ways of modeling this, and
no standard way is currently defined. The <a>holder</a> includes the actual
values of the <a>claims</a> that are to be revealed to the <a>verifier</a> in
the <a>verifiable presentation</a>.

        </ul>
        <p>

        </p>

      </section>
      <section>
        <h3>Predicates</h3>
        <p>
Another technique which may be used to support progressive trust is to use
predicates as the values of revealed claims. Predicates allow a <a>holder</a> to
provide True/False values to a <a>verifier</a> rather than revealing claim
values.
        </p>
        <p>
Predicate proofs may be enabled by <a>verifiable credential</a> <a>issuers</a>
as claims, e.g., the <code>credentialSubject</code> may include an
<code>ageOver18</code> property rather than a <code>birthdate</code>
property. This would allow <a>holders</a> to provide proof that they are
over 18 without revealing their birthdates.
        </p>
        <p>
Certain signature types enable predicate proofs by allowing claims from a
standard <a>verifiable credential</a> to be presented as predicates. For
example, a <a href="https://cs.brown.edu/~alysyans/papers/camlys02b.pdf">
Camenisch-Lysyanskaya signed</a> <a>verifiable credential</a> that contains a
<code>credentialSubject</code> with a <code>birthdate</code> property may
be included in a <a>verifiable presentation</a> as a derived credential that
contains an <code>ageOver18</code> property.
        </p>
      </section>
      <section>
        <h3>Further Techniques</h3>
        <p>
The examples provided in this section are intended to illustrate some possible
mechanisms for supporting progressive trust, not provide an exhaustive or
comprehensive list of all the ways progressive trust may be supported. Research
in this area continues with the use of cutting-edge proof techniques such as
<a href="https://z.cash/technology/zksnarks/">zk-SNARKS</a> and
<a href="https://crypto.stanford.edu/bulletproofs/">Bulletproofs</a>, as well as
different signature protocols.
        </p>
        <p>
A draft report by the <a href="https://www.w3.org/community/credentials/">
Credentials Community Group</a> on
<a href="https://w3c-ccg.github.io/data-minimization/">data minimization</a> may
also be useful reading for implementers looking to enable progressive trust.
        </p>
      </section>
    </section>

    <section>
      <h2>Related Specifications</h2>

      <section>
        <h3>Web Authentication</h3>

        <p>
The W3C <a href="https://www.w3.org/TR/webauthn/">Web Authentication</a>
specification extends the capabilities of in-browser web applications by
enabling them to strongly authenticate users with the aid of scoped public
key-based credentials. It defines the idea of
<a href="https://www.w3.org/TR/webauthn/#authenticator">authenticators</a>,
which are cryptographic entities that can generate and store public key
credentials at the behest of a Relying Party, subject to user consent, mediated
by the web browser to preserve user privacy.
        </p>

        <p>
Since the key based credentials created by
<a href="https://www.w3.org/TR/webauthn/">Web Authentication Level 1</a>
authenticators are narrowly scoped to a particular Relying Party origin, they
are unsuited (in their current form) to general purpose signature and
verification operations. However, many web developers working with
<a>Verifiable Credentials</a> have expressed interest in leveraging the Web
Authentication API, since it provides a secure browser-mediated interface to
crucial key management infrastructure.
        </p>

        <p>
The Web Authentication Working Group has agreed to address this use case in
the WebAuthn Level 2 specification, and is currently working to enable the kind
of <a href="https://github.com/w3c/webauthn/issues/911">cross-origin usage</a>
that would allow the WebAuthn API to be used for
<a>verifiable presentations</a>. For example, verifiable credential wallets
could allow authentication based on verifiable presentations, by using
WebAuthn authenticators to sign those presentations with challenges from
verifier websites.
      </section>
    </section>

    <section>
      <h2>Test suite</h2>

      <em>This section is non-normative.</em>

      <p>
        The W3C Verifiable Claims Working Group has produced a
        <a href="https://github.com/w3c/vc-test-suite/">test suite</a> in order
        for implementers to confirm their conformance with the current specifications.
      </p>
      <p>
        You can review the <a href="https://w3c.github.io/vc-test-suite/implementations/">current
        implementation report</a>, which contains conformance testing results for submitted
        implementations supporting the Verifiable Credentials Data Model specification.
      </p>
    </section>

  </body>
</html>