The information contained in this page will be applicable to future versions. Currently, the credential securing mechanisms are defined by the specifications of VCDM 1.1 given by W3C and can be found here.
JAdES signature profile using DIDs and VCs
Introduction
This document defines JSON Advanced Electronic Signature (JAdES) profiles designed to achieve varying levels of assurance. The profiles inherit numerous features from JAdES, while adapting X.509 concepts to work with Decentralised Identifiers (DIDs) and Verifiable Credentials (VCs). These profiles ensure full compliance with JAdES standards.
Generic format
The profile incorporates JSON Web Signature (JWS) Serialisation and the header parameters typ, alg, cty, kid, crit and b64 defined in IETF RFC 7515 and IETF RFC 7797. The crit and typ header parameters delineate the signature profile, where crit indicates the utilised extensions and typ defines the requirements.
JWS Protected Header parameters encompass information relevant to the signature and the signer, while the payload can be any JSON object. The signed header parameters must be located in the JWS Protected Header section.
Media types
The profile is compatible with all JWS serialisation formats, though Compact Serialisation is suggested for the JAdES D-Zero signature profile. The JWS Payload should exclusively contain the original payload, with the media type determined by the cty header parameter. For example, if a VCDM 2.0 data model is incorporated into the JWS Payload, the cty property should be vc+ld+json.
The serialised output is identified with a media type, depending on the serialisation used. JWS Compact serialisation has a media type of application/jose, while Flattened and General JWS JSON serialisation have a media type of application/jose+json.
typ is defined as jades-d-{profile name}. jades denotes that the profile is based on JAdES, d indicates support for DIDs, and {profile name} specifies a profile that further defines rules and policies. This document defines the JAdES D-Zero signature profile, denoted by the profile name z.
Generic Signed Header Parameters
This outline provides a breakdown of the Generic Signed Header Parameters:
alg: A signed header parameter that specifies the signature algorithm, with syntax and semantics defined in IETF RFC 7515.
cty: A signed header parameter that specifies the media type of the JWS Payload, with syntax and semantics defined in IETF RFC 7515.
kid: A signed header parameter that specifies the key ID, with syntax and semantics defined in IETF RFC 7515. The content of the parameter must be a DID URI identifying a public key.
crit: A signed header parameter that specifies critical extensions, with syntax and semantics defined in IETF RFC 7515. The parameter must contain all JAdES D defined signed header parameters and optionally b64, while excluding alg, cty, kid and crit.
b64: An optional signed header parameter, with syntax and semantics defined in IETF RFC 7515.
JAdES D-Zero Signed Header Parameters
JAdES D-Zero defines a minimalistic signature profile, which does not contain additional proofs beyond the signature time.
The following Signed Header Parameters are added on top of the Generic Signed Header Parameters:
typ: Must be jades-d-z.
sigT: A signed header parameter that specifies the signature time. The value must specify the time at which the signer claims to have performed the signing process. The value must be formatted according to IETF RFC 3339, include UTC time, and must not contain fractional seconds. For example: 2023-11-04T10:16:12Z.
sigPl: A signed header parameter that specifies the signer's address. The value must be a JSON object with syntax and semantics from schema.org's definition of the PostalAddress type, where at least one property must be defined.
"sigPl": {
    "type": "object",
    "properties": {
        "addressCountry": {"type": "string"},
        "addressLocality": {"type": "string"},
        "addressRegion": {"type": "string"},
        "postOfficeBoxNumber": {"type": "string"},
        "postalCode": {"type": "string"},
        "streetAddress": {"type": "string"}
    },
    "minProperties": 1,
    "additionalProperties": false
}
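A verifier-side profile check for the JWS Protected Header, written for this page as an added example (it is not EBSI's or any library's code): it applies the typ, kid, crit, sigT and sigPl rules stated above and reports every violation it finds. The header dicts are constructed inline; GOOD_HEADER is the decoded protected header of the compact JWS example below, and the requirement that kid carries a "#" key fragment is an assumption taken from that example.

```python
import re

# Profile rules as stated in the text above (constructed checker, not EBSI's own code).
JADES_D_PARAMS = {"sigT", "sigPl"}             # all JAdES D defined signed header parameters
NEVER_IN_CRIT = {"alg", "cty", "kid", "crit"}  # RFC 7515 parameters that must not appear in crit
SIGPL_PROPS = {"addressCountry", "addressLocality", "addressRegion",
               "postOfficeBoxNumber", "postalCode", "streetAddress"}
# RFC 3339 date-time restricted to UTC ("Z") with no fractional seconds, e.g. 2023-11-04T10:16:12Z
SIGT_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")

def check_jades_d_zero_header(hdr: dict) -> list[str]:
    """Return the list of profile violations for a JWS Protected Header (empty = compliant)."""
    errs = []
    if hdr.get("typ") != "jades-d-z":
        errs.append("typ must be jades-d-z")
    if not isinstance(hdr.get("alg"), str):
        errs.append("alg is required")
    kid = hdr.get("kid")
    # Assumption: the DID URI names the key via a fragment, as the page's example kid does.
    if not (isinstance(kid, str) and kid.startswith("did:") and "#" in kid):
        errs.append("kid must be a DID URI identifying a public key")
    crit = hdr.get("crit")
    if not isinstance(crit, list):
        errs.append("crit is required")
    else:
        errs += [f"crit is missing {p}" for p in sorted(JADES_D_PARAMS - set(crit))]
        errs += [f"crit must not list {p}" for p in sorted(set(crit) & NEVER_IN_CRIT)]
        errs += [f"crit lists {p} but it is absent" for p in crit if p not in hdr]  # RFC 7515 rule
    sig_t = hdr.get("sigT")
    if not (isinstance(sig_t, str) and SIGT_RE.match(sig_t)):
        errs.append("sigT must be RFC 3339 UTC without fractional seconds")
    pl = hdr.get("sigPl")
    if not (isinstance(pl, dict) and pl):
        errs.append("sigPl must be a JSON object with at least one property")
    else:  # mirrors the schema: known properties only, each a string, minProperties 1
        errs += [f"sigPl has unknown property {k}" for k in sorted(set(pl) - SIGPL_PROPS)]
        errs += [f"sigPl.{k} must be a string" for k in sorted(pl)
                 if k in SIGPL_PROPS and not isinstance(pl[k], str)]
    return errs

# Constructed inputs: GOOD_HEADER is the decoded protected header of the example below.
GOOD_HEADER = {"alg": "ES256", "typ": "jades-d-z",
               "kid": "did:ebsi:zvHWX359A3CvfJnCYaAiAde#F0r5Oyt_lahvvz6MWlYs3mcYNKZiiQdUfqv8tshHN9w",
               "crit": ["sigT", "sigPl"], "sigT": "2023-11-04T10:16:12Z",
               "sigPl": {"addressCountry": "FI"}, "cty": "vc+ld+json"}
BAD_HEADER = {**GOOD_HEADER, "kid": "did:ebsi:zvHWX359A3CvfJnCYaAiAde",
              "crit": ["sigT", "sigPl", "alg"], "sigT": "2023-11-04T10:16:12.5Z",
              "sigPl": {"addressCountry": "FI", "telephone": "+358 000"}}
```

Running check_jades_d_zero_header(BAD_HEADER) reports four violations (kid without a key fragment, alg listed in crit, fractional seconds in sigT, and an unknown sigPl property), while GOOD_HEADER passes cleanly.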
JAdES D-Zero example
eyJhbGciOiJFUzI1NiIsInR5cCI6ImphZGVzLWQteiIsImtpZCI6ImRpZDplYnNpOnp2SFdYMzU5QTNDdmZKbkNZYUFpQWRlI0YwcjVPeXRfbGFodnZ6Nk1XbFlzM21jWU5LWmlpUWRVZnF2OHRzaEhOOXciLCJjcml0IjpbInNpZ1QiLCJzaWdQbCJdLCJzaWdUIjoiMjAyMy0xMS0wNFQxMDoxNjoxMloiLCJzaWdQbCI6eyJhZGRyZXNzQ291bnRyeSI6IkZJIn0sImN0eSI6InZjK2xkK2pzb24ifQ.eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvbnMvY3JlZGVudGlhbHMvdjIiXSwiaWQiOiJ1cm46dXVpZDowMDNhMWRkOC1hNWQyLTQyZWYtODE4Mi1lOTIxYzBhOWYzMmEiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIl0sImlzc3VlciI6ImRpZDplYnNpOnp2SFdYMzU5QTNDdmZKbkNZYUFpQWRlIiwidmFsaWRGcm9tIjoiMjAyMy0xMS0wNVQwMDowMDowMFoiLCJ2YWxpZFVudGlsIjoiMjAyNS0xMS0xMFQwMDowMDowMFoiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJpZCI6ImRpZDprZXk6ejJkbXpEODFjZ1B4OFZraTdKYnV1TW1GWXJXUGdZb3l0eWtVWjNleXFodDFqOUticmt2dWNGRTQyZWhnajhRRXdpUmN1VTlhdVg0b2puN3E3MUhtdFRNVExpMUUycERQenR5RjRRNlNYTHZSb0J3RDR6enhoQXo5dWkyaDlOYVNDU000TVhSS3ZXeEZyV2lZNWh1UDZFMlpiN3FQekFiUW4zbzJHaXRMY1k5VkhKWjE3SiJ9LCJjcmVkZW50aWFsU2NoZW1hIjpbeyJ0eXBlIjoiSnNvblNjaGVtYSIsImlkIjoiaHR0cHM6Ly9hcGktdGVzdC5lYnNpLmV1L3RydXN0ZWQtc2NoZW1hcy1yZWdpc3RyeS92My9zY2hlbWFzLzB4ZmY0ZjFmYTRmMGVmZDQzMDZhMjE4ZjY2OWM3NDgyZDhjZmNjN2ExM2JhNDRmMzRhZjY5ZjQxODg5NzA0MDAyYSJ9XSwicmVsYXRlZFJlc291cmNlIjpbeyJpZCI6Imh0dHBzOi8vd3d3LnczLm9yZy9ucy9jcmVkZW50aWFscy92MiIsIm1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL2xkK2pzb24iLCJkaWdlc3RTUkkiOiJzaGEzODQtbEhLREhoMG1zYzZwUng4UGhET01rTnRTSThiT2ZzcDRnaU5iVXJ3NzFuWFhMZjEzblRxTkpvUnAzTngrQXJWSyIsImRpZ2VzdE11bHRpYmFzZSI6Im1vTGF5MHV0N0JVTDVJZnZQVGFFMlFocXJ0SDVjVTNtcmY0ZlFiL01ockg1TmhHaCtvRHdkb3FFMEF5bkdSakZKIn1dfQ.EOH0Y0GQFk_PvMZWumOFMFcOSNxTHFlCU1_u0CQHJaPNrcfxhLT7OSqrfFYtgZxRWzpO6PMRRpiYZMqszV0hXg