From d0830e01b29cf613d883985f52aacc084eed7317 Mon Sep 17 00:00:00 2001 From: Eric Scouten Date: Tue, 8 Oct 2024 15:33:20 -0700 Subject: [PATCH] Add option to use RFC 3161 timestamp in ICA COSE signature (#192) Also specify credential revocation mechanism. --- docs/modules/ROOT/pages/index.adoc | 13 ++++++++----- docs/modules/ROOT/partials/version-history.adoc | 1 + 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc index b2a6a22..e8870d4 100644 --- a/docs/modules/ROOT/pages/index.adoc +++ b/docs/modules/ROOT/pages/index.adoc @@ -943,9 +943,6 @@ The `issuer` property MUST be present and MUST follow the format as specified in The `validFrom` field MUST exist and it MUST express the date and time when the credential becomes valid, as specified in link:++https://www.w3.org/TR/vc-data-model-2.0/#validity-period++[Section 4.8, “Validity period,”] of the Verifiable credentials data model. -[#issue-64] -NOTE: TO DO (link:https://github.com/creator-assertions/identity-assertion/issues/64[issue #64]): Consider stronger timestamping mechanism than W3C VC requires. - [#vc-credentialsubject-verifiedIdentities] ===== Verified identities 
@@ -1235,11 +1232,17 @@ NOTE: `identity-claims-aggregation.json` makes use of the `format` JSON Schema k ==== Verifiable credential proof mechanism -The `signature` field of an *<<_identity_assertion,identity assertion>>* using the identity claim aggregation mechanism MUST be secured as described by link:++https://www.w3.org/TR/vc-jose-cose/#securing-vcs-with-cose++[§3.3.1, “Securing JSON-LD verifiable credentials with COSE,”] of the W3C standard _Securing verifiable credentials using JOSE and COSE._ The `signature` payload MUST begin with the tagged `COSE_Sign1` structure. +The `signature` field of an *<<_identity_assertion,identity assertion>>* using the identity claim aggregation mechanism MUST be secured using a COSE signature as described by link:++https://www.w3.org/TR/vc-jose-cose/#securing-vcs-with-cose++[Section 3.3.1, “Securing JSON-LD verifiable credentials with COSE,”] of the W3C standard _Securing verifiable credentials using JOSE and COSE._ The `signature` payload MUST begin with the tagged `COSE_Sign1` structure. As described in that standard, the unsecured verifiable credential is the unencoded `COSE_Sign1` payload. + +The COSE signature MAY use a link:https://datatracker.ietf.org/doc/html/rfc3161[RFC 3161]-compliant time stamp to provide an additional, independent signal as to when the _<<_identity_claims_aggregator,identity claims aggregator>>_ generated the *<<_identity_assertion,identity assertion>>.* If so, this time stamp shall be generated as described by link:++https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_time_stamps++[Section 10.3.2.5, “Time-stamps,”] of the C2PA technical specification. + +IMPORTANT: If a timestamp is present, it MUST use a version 2 or later time-stamp as defined in link:++https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_choosing_the_payload++[Section 10.3.2.5.2, “Choosing the payload.”] A version 1 time stamp MUST NOT be used. 
+ +If the _<<_identity_claims_aggregator,identity claims aggregator’s>>_ credential supports querying its online credential status, the _<<_identity_claims_aggregator,identity claims aggregator>>_ SHOULD include credential revocation information as described in link:++https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_credential_revocation_information++[Section 10.3.2.6, “Credential revocation information,”] of the C2PA technical specification. ===== Signature algorithms -The COSE signature MUST be secured using one of the signature algorithms defined in link:++https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_digital_signatures++[§13.2, “Digital signatures,”] in version 2.1 or any subsequent version of the C2PA technical specification. +The COSE signature MUST be secured using one of the signature algorithms defined in link:++https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_digital_signatures++[Section 13.2, “Digital signatures,”] in version 2.1 or any subsequent version of the C2PA technical specification. ===== DID methods diff --git a/docs/modules/ROOT/partials/version-history.adoc b/docs/modules/ROOT/partials/version-history.adoc index f8f5503..4db1511 100644 --- a/docs/modules/ROOT/partials/version-history.adoc +++ b/docs/modules/ROOT/partials/version-history.adoc @@ -113,3 +113,4 @@ _This section is non-normative._ * Consolidate wording about `cawg.` and other externally-defined labels * Remove `proof` entry from `verifiedIdentities[n]` structure +* Add option to use RFC 3161 timestamp in ICA COSE signature
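Review bot: In the `@@ -943,9 +943,6` hunk of `index.adoc`, removing the issue #64 note also removes the `[#issue-64]` anchor and leaves the `validFrom` paragraph with no pointer to the stronger timestamping option that this patch adds under "Verifiable credential proof mechanism". Suggest adding a sentence after the `validFrom` requirement that cross-references the new RFC 3161 time stamp paragraph, and confirming that no other page still links to `#issue-64`.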
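Review bot: In the `@@ -1235,11 +1232,17` hunk of `index.adoc`, the "Signature algorithms" line still links to `/specifications/2.0/specs/C2PA_Specification.html#_digital_signatures` although its text says "version 2.1" and every C2PA link added in this hunk targets `/specifications/2.1/`; since the line is being edited anyway, point it at 2.1 as well. In the added time stamp paragraph, "this time stamp shall be generated" uses a lowercase "shall" where the surrounding text uses uppercase MUST, SHOULD and MAY, so it should read "MUST be generated" if the sentence is meant to be normative. The added text also alternates between "time stamp", "timestamp" and "time-stamp"; pick one spelling outside the quoted section titles.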
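Review bot: In the `version-history.adoc` hunk, the new bullet records only the RFC 3161 timestamp option, while the commit message says the change also specifies the credential revocation mechanism and the `index.adoc` hunk adds a SHOULD for credential revocation information. Suggest a second bullet for it, for example "Specify credential revocation information in ICA COSE signature".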