index.html

<!DOCTYPE html>
<html>
<head>
    <title>Data Integrity 1.0</title>
    <meta http-equiv='Content-Type' content='text/html;charset=utf-8'/>
    <!--
      === NOTA BENE ===
      For the three scripts below, if your spec resides on dev.w3 you can check them
      out in the same tree and use relative links so that they'll work offline,
     -->
    <script src='//www.w3.org/Tools/respec/respec-w3c' class='remove'></script>
    <script class='remove' src="./common.js"></script>

    <script type="text/javascript" class="remove">
      var respecConfig = {
          // specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
          specStatus:           "ED",

          // the specification's short name, as in http://www.w3.org/TR/short-name/
          shortName:            "data-integrity",

          // if you wish the publication date to be other than today, set this
          // publishDate:  "2009-08-06",

          // if there is a previously published draft, uncomment this and set its YYYY-MM-DD date
          // and its maturity status
          // previousPublishDate:  "1977-03-15",
          // previousMaturity:  "WD",

          // if there a publicly available Editor's Draft, this is the link
          edDraftURI:           "https://w3c.github.io/data-integrity/",

          // if this is a LCWD, uncomment and set the end of its review period
          // lcEnd: "2009-08-05",

          // if you want to have extra CSS, append them to this list
          // it is recommended that the respec.css stylesheet be kept
          //extraCSS:             ["spec.css", "prettify.css"],

          // editors, add as many as you like
          // only "name" is required
          editors:  [
              { name: "Manu Sporny", url: "https://digitalbazaar.com/",
                company: "Digital Bazaar", companyURL: "http://digitalbazaar.com/" },
              { name: "Mike Prorock", url: "https://www.linkedin.com/in/mprorock",
                company: "Mesur.io", companyURL: "https://mesur.io/" },
              { name: "Dave Longley", url: "https://digitalbazaar.com/",
                company: "Digital Bazaar", companyURL: "http://digitalbazaar.com/",
                note: "2014-2022"
              }
          ],

          // authors, add as many as you like.
          // This is optional, uncomment if you have authors as well as editors.
          // only "name" is required. Same format as editors.

          authors:  [
              { name: "Dave Longley", url: "http://digitalbazaar.com/",
                company: "Digital Bazaar", companyURL: "http://digitalbazaar.com/" },
              { name: "Manu Sporny", url: "http://digitalbazaar.com/",
                company: "Digital Bazaar", companyURL: "http://digitalbazaar.com/" }
          ],

          // extend the bibliography entries
          //localBiblio: webpayments.localBiblio,

          // name of the WG
          group:           "vc",

          // name (with the @w3c.org) of the public mailing to which comments are due
          wgPublicList: "public-credentials",

          github: "w3c/data-integrity",

          // URI of the patent status for this WG, for Rec-track documents
          // !!!! IMPORTANT !!!!
          // This is important for Rec-track documents, do not copy a patent URI from a random
          // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
          // Team Contact.
          wgPatentURI:  "",
          maxTocLevel: 4,
          /*preProcess: [ webpayments.preProcess ],
          alternateFormats: [ {uri: "diff-20111214.html", label: "diff to previous version"} ],
          */
          localBiblio:  {
            "RDF-DATASET-C14N": {
              title:    "RDF Dataset Normalization",
              href:     "https://json-ld.github.io/normalization/spec/",
              authors:  ["David Longley", "Manu Sporny"],
              status:   "CGDRAFT",
              publisher:  "JSON-LD Community Group"
            },
            "SECURITY-VOCABULARY": {
              title:    "The Security Vocabulary",
              href:     "https://w3c-ccg.github.io/security-vocab/",
              authors:  ["Manu Sporny","David Longley"],
              status:   "CGDRAFT",
              publisher:  "Credentials Community Group"
            },
            "ZCAP": {
              title:    "Authorization Capabilities for Linked Data",
              href:     "https://w3c-ccg.github.io/zcap-ld/",
              status:   "CGDRAFT",
              publisher:  "Credentials Community Group"
            },
            "MULTIBASE": {
              title: "The Multibase Encoding Scheme",
              date: "February 2021",
              href: "https://datatracker.ietf.org/doc/html/draft-multiformats-multibase-03",
              authors: [
                "Juan Benet",
                "Manu Sporny"
              ],
              status: "Internet-Draft",
              publisher: "IETF"
            },
            "MULTICODEC": {
              title: "The Multi Codec Encoding Scheme",
              date: "February 2022",
              href: "https://github.com/multiformats/multicodec/blob/master/table.csv",
              authors: [
                "The Multiformats Community"
              ],
              status: "Internet-Draft",
              publisher: "IETF"
            }
          },
          postProcess: [restrictRefs]
      };
    </script>
    <style>
ol.algorithm { counter-reset:numsection; list-style-type: none; }
ol.algorithm li { margin: 0.5em 0; }
ol.algorithm li:before { font-weight: bold; counter-increment: numsection; content: counters(numsection, ".") ") "; }
    </style>
</head>
<body>
    <section id='abstract'>
      <p>
This specification describes mechanisms for ensuring the authenticity and
integrity of structured digital documents using cryptography, such as digital
signatures and other digital mathematical proofs.
      </p>
    </section>

    <section id='sotd'>
      <p>
This is an experimental specification and is undergoing regular revisions. It
is not fit for production deployment.
      </p>
    </section>

    <section>
      <h2>Introduction</h2>
      <p>
Cryptographic proofs enable functionality that is useful to implementors of
distributed systems. For example, proofs can be used to:
      </p>

<ul>
<li>
Make statements that can be shared without loss of trust, because their
authorship can be verified by a third party, for example as part of Verifiable
Credentials [[VC-DATA-MODEL]] or social media posts.
</li>
<li>
Authenticate as an entity identified by a particular identifier, for example, as
the subject identified by a Decentralized Identifier (DID) [[DID-CORE]].
</li>
<li>
Delegate authorization for actions in a remote execution environment, via
mechanisms such as Authorization Capabilities [[ZCAP]].
</li>
<li>
Agree to contracts where the agreement can be verified by another party.
</li>
<li>
Additionally, many proofs that are based on cryptographic digital signatures
provide the benefit of integrity protection, making documents and data
tamper-evident.
</li>
</ul>

      <p>
The term Linked Data is used to describe a recommended best practice for
exposing, sharing, and connecting information on the Web using standards,
such as URLs, to identify things and their properties. When information
is presented as Linked Data, other related information can be easily discovered
and new information can be easily linked to it. Linked Data is extensible in a
decentralized way, greatly reducing barriers to large scale integration.
      </p>

      <p>
With the increase in usage of Linked Data for a variety of applications, there
is a need to be able to verify the authenticity and integrity of Linked Data
documents. This specification adds authentication and integrity protection to
data documents through the use of mathematical proofs without sacrificing
Linked Data features such as extensibility and
composability.
      </p>

      <p class="note" title="Use of Linked Data is an optional feature">
While  this specification provides mechanisms to digitally sign Linked Data, the
use  of Linked Data is not necessary to gain some of the advantages provided by
this specification.
      </p>

      <section>
        <h3>Design Goals and Rationale</h3>

        <p>
The Data Integrity specification achieves the following design goals:
        </p>

        <dl>
          <dt>Simple for Developers</dt>
          <dd>
The proof format is designed to be easy to use for developers that don't
have significant cryptography training. For example, <a>cryptographic suite</a>
identifiers are used instead of specific cryptographic parameters to ensure
that it is difficult to accidentally produce a weak digital proof.
          </dd>
          <dt>Layered Architecture</dt>
          <dd>
A number of historical digital signature mechanisms have had monolithic
designs which limited use cases by combining data normalization, syntax,
digital signature, and serialization into a single specification. This
specification layers each component such that a broader range of use cases,
such as generalized selective disclosure and serialization-agnostic signatures,
are enabled.
          </dd>
          <dt>Cryptographic Agility</dt>
          <dd>
Since digital proof mechanisms might be compromised without warning due to
technological advancements, it is important that <a>proof type</a>s can be
easily and quickly replaced. This specification provides algorithm agility
while still keeping the digital proof format easy for developers to understand.
          </dd>
          <dt>Extensibility</dt>
          <dd>
Creating and deploying new proof types is a fairly trivial undertaking
to ensure that the proof format increases the rate of innovation in the
digital proof space.
          </dd>
          <dt>Syntax Agnostic Proofs</dt>
          <dd>
Cryptographic proofs can be serialized in many different but equivalent ways and
have often been tightly bound to the original document syntax. This
specification enables one to create cryptographic proofs that are not
bound to the original document syntax, which enable more advanced use cases
such as being able to use a single digital signature across a variety of
RDF-based graph serialization syntaxes such as JSON-LD, N-Quads, and TURTLE,
without the need to regenerate the proof.
          </dd>
        </dl>
      </section>

      <section id="conformance">
      </section>

      <section>
        <h3>Terminology</h3>

        <div data-include="./terms.html"></div>
      </section>
    </section>

    <section>
      <h2>Data Model</h2>

      <p>
This section specifies the data model that is used for expressing
<a>data integrity proofs</a> and <a>verification methods</a>.
      </p>

      <section>
        <h3>Proofs</h3>
        <p>
A <a>data integrity proof</a> is comprised of information about the proof,
parameters required to verify it, and the proof value itself. All of this
information is provided using Linked Data vocabularies such as
[[SECURITY-VOCABULARY]].
        </p>

        <p>
A <a>data integrity proof</a> typically includes at least the following
attributes:
        </p>

        <dl style="margin-left: 1em;">
          <dt><dfn>type</dfn><dt>
          <dd>
<em>Required</em>. The specific <a>proof type</a> used. For example, an
<code>Ed25519Signature2020</code> type indicates that the proof includes a
digital signature produced by an <code>ed25519</code> cryptographic key.
          </dd>

          <dt><dfn class="lint-ignore">proofPurpose</dfn><dt>
          <dd>
<em>Required</em>. The specific intent for the proof, the reason why an entity
created it. Acts as a safeguard to prevent the proof from being misused for a
purpose other than the one it was intended for. For example, a proof can be used
for purposes of <code>authentication</code>, for asserting control of a
Verifiable Credential (<code>assertionMethod</code>), and several others.
          </dd>

          <dt><dfn>verificationMethod</dfn><dt>
          <dd>
<em>Required</em>. A set of parameters required to independently verify the
proof, such as an identifier for a public/private key pair that would be used in
the proof.
          </dd>

          <dt><dfn>created</dfn><dt>
          <dd>
<em>Required</em>. The string value of an [[ISO8601]] combined date and time
string generated by the <a href="#proof-algorithm">Proof Algorithm</a>.
          </dd>

          <dt>domain<dt>
          <dd>
Optional. A string value specifying the restricted <a>domain</a> of the proof.
          </dd>

          <dt><dfn>proofValue</dfn><dt>
          <dd>
<em>Required</em>. One of any number of valid representations of <em>proof
value</em> generated by the <a href="#proof-algorithm">Proof Algorithm</a>.
          </dd>
        </dl>

        <p class="note">
The terms <a>type</a>, <a>created</a>, and <a>domain</a> above map to URLs.
The vocabulary where these terms are defined is the [[SECURITY-VOCABULARY]].
        </p>

        <p>
A proof can be added to a JSON document like the following:
        </p>

        <pre class="example highlight" title="A simple JSON data document">
  {
    "title": "Hello world!"
  };
        </pre>

        <p>
by adding the parameters outlined in this section:
        </p>

        <pre class="example highlight"
        style="overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;"
        title="A simple signed JSON data document">
  {
    "title": "Hello world!",
    "proof": {
      "type": "JcsSignature2020",
      "created": "2020-11-05T19:23:24Z",
      "verificationMethod": "https://di.example/issuer#z6MkjLrk3gKS2nnkeWcmcxi
        ZPGskmesDpuwRBorgHxUXfxnG",
      "proofPurpose": "assertionMethod",
      "proofValue": "zQeVbY4oey5q2M3XKaxup3tmzN4DRFTLVqpLMweBrSxMY2xHX5XTYV8nQA
        pmEcqaqA3Q1gVHMrXFkXJeV6doDwLWx"
    }
  }
        </pre>

        <p>
The proof example above uses the <code>JcsSignature2020</code>
<a>proof type</a> to produce a verifiable digital proof by canonicalizing the
input data using the JSON Canonicalization Scheme [[RFC8785]] and then
digitally signing it using an Ed25519 elliptic curve signature.
        </p>

        <p>
Similarly, a proof can be added to a JSON-LD data document like the following:
        </p>

        <pre class="example highlight" title="A simple JSON-LD data document">
  {
    "@context": {"title": "https://schema.org#title"},
    "title": "Hello world!"
  };
        </pre>

        <p>
by adding the parameters outlined in this section:
        </p>

        <pre class="example highlight"
        style="overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;"
        title="A simple signed JSON-LD data document">
  {
    "@context": [
      {"title": "https://schema.org#title"},
      "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "title": "Hello world!",
    "proof": {
      "type": "Ed25519Signature2020",
      "created": "2020-11-05T19:23:24Z",
      "verificationMethod": "https://ldi.example/issuer#z6MkjLrk3gKS2nnkeWcmcxi
        ZPGskmesDpuwRBorgHxUXfxnG",
      "proofPurpose": "assertionMethod",
      "proofValue": "z4oey5q2M3XKaxup3tmzN4DRFTLVqpLMweBrSxMY2xHX5XTYVQeVbY8nQA
        VHMrXFkXJpmEcqdoDwLWxaqA3Q1geV6"
    }
  }
        </pre>

        <p>
The proof example above uses the <code>Ed25519Signature2020</code> <a>proof
type</a> to produce a verifiable digital proof by canonicalizing the input data
using the RDF Dataset Canonicalization algorithm [[RDF-DATASET-C14N]] and then
digitally signing it using an Ed25519 elliptic curve signature.
        </p>

<div class="issue">Create a separate section detailing an optional mechanism
for authenticating public key control via bi-directional links. How
to establish trust in controllers is out of scope but examples can
be given.</div>

<div class="issue">Specify algorithm agility mechanisms (additional attributes
from the security vocab can be used to indicate other signing and hash
algorithms). Rewrite algorithms to be parameterized on this basis and
move `Ed25519Signature2020` definition to a single supported
mechanism; specify its identifier as a URL. In order to make it easy to
specify a variety of combinations of algorithms, introduce a core
type `DataIntegrityProof` that allows for easy filtering/discover of
proof nodes, but that type on its own doesn't specify any default
proof or hash algorithms, those need to be given via other properties in the
nodes.</div>

      <p class="issue"
        title="Avoid signature format proliferation by using text-based suite value">
The pattern that Data Integrity Signatures use presently leads to a
proliferation in signature types and JSON-LD Contexts. This proliferation can be
avoided without any loss of the security characteristics of tightly binding a
cryptography suite version to one or more acceptable public keys. The
following signature suites are currently being contemplated: eddsa-2022,
nist-ecdsa-2022, koblitz-ecdsa-2022, rsa-2022, pgp-2022, bbs-2022, eascdsa-2022,
ibsa-2022, and jws-2022.
      </p>

      <pre class="example" title="A DataIntegritySignature example using a NIST ECDSA 2022 Cryptosuite">
{
  "@context": ["https://w3id.org/security/data-integrity/v1"],
  "type": "DataIntegritySignature",
  "cryptosuite": "ecdsa-2022",
  "created": "2022-11-29T20:35:38Z",
  "verificationMethod": "did:example:123456789abcdefghi#keys-1",
  "proofPurpose": "assertionMethod",
  "proofValue": "z2rb7doJxczUFBTdV5F5pehtbUXPDUgKVugZZ99jniVXCUpojJ9PqLYV
                 evMeB1gCyJ4HqpnTyQwaoRPWaD3afEZboXCBTdV5F5pehtbUXPDUgKVugUpoj"
}
      </pre>

<div class="issue">Add an explicit check on key type to prevent an
attacker from selecting an algorithm that could abuse how the key is
used/interpreted.</div>

<div class="issue">Add a note indicating that selective disclosure proof
mechanisms can be compatible with Data Integrity; for example,
an algorithm could produce a merkle tree from a canonicalized set of
N-Quads and then sign the root hash. Disclosure would involve including
the merkle paths for each N-Quad that is to be revealed. This mechanism
would merely consume the normalized output differently (this, and the
proof mechanism would be modifications to this core spec). It might also
be necessary to generate proof parameters such as a private key/seed
that can be used along with an algorithm to deterministically generate
nonces that are concatenated with each N-Quad to prevent rainbow
table or similar attacks.</div>



      </section>

      <section>
        <h3>Proof Purposes</h3>

        <p>
A proof that describes its purpose helps prevent it from being misused for some
other purpose.
        </p>

        <div class="issue">Add a mention of JWK's <code>key_ops</code>
parameter and WebCrypto's <code>KeyUsage</code> restrictions; explain that
Proof Purpose serves a similar goal but allows for finer-grained restrictions.
        </div>

        <p>
The following is a list of commonly used <a>proof purpose</a> values.
        </p>

        <dl>
          <dt>authentication</dt>
          <dd>
Indicates that a given proof is only to be used for the purposes of an
authentication protocol.
          </dd>
          <dt>assertionMethod</dt>
          <dd>
Indicates that a proof can only be used for making assertions, for example
signing a Verifiable Credential.
          </dd>
          <dt>keyAgreement</dt>
          <dd>
Indicates that a proof is used for for key agreement protocols, such as
Elliptic Curve Diffie Hellman key agreement used by popular encryption
libraries.
          </dd>
          <dt>capabilityDelegation</dt>
          <dd>
Indicates that the proof can only be used for delegating capabilities. See the
Authorization Capabilities [[ZCAP]] specification for more detail.
          </dd>
          <dt>capabilityInvocation</dt>
          <dd>
Indicates that the proof can only be used for invoking capabilities. See the
Authorization Capabilities [[ZCAP]] specification for more detail.
          </dd>
        </dl>

        <p>
Note: The Authorization Capabilities [[ZCAP]] specification defines additional
proof purposes for that use case, such as <code>capabilityInvocation</code> and
<code>capabilityDelegation</code>.
        </p>
      </section>

      <section>
        <h3>Controller Documents</h3>

        <p>
A <a>controller document</a> is a set of data that specifies one or more
relationships between a <a>controller</a> and a set of data, such as a set of
public cryptographic keys. The <a>controller document</a> SHOULD
contain <a>verification relationships</a> that explicitly permit the use of
certain <a>verification methods</a> for specific purposes.
        </p>

        <div class="issue">Add examples of common Controller documents, such as
controller documents published on a ledger-based registry, or on a mutable medium in
combination with an integrity protection mechanism such as Hashlinks.
        </div>

        <section>
          <h2>Verification Methods</h2>
          <p>
A <a>controller document</a> can express <a>verification methods</a>, such as
cryptographic public keys, which can be used to <a>authenticate</a> or authorize
interactions with the <a>controller</a> or associated parties. For example, a
cryptographic public key can be used as a <a>verification method</a> with
respect to a digital signature; in such usage, it verifies that the signer
could use the associated cryptographic private key. <a>Verification methods</a>
might take many parameters. An example of this is a set of five cryptographic
keys from which any three are required to contribute to a cryptographic
threshold signature.
          </p>

          <dl>
            <dt><a>verificationMethod</a></dt>
            <dd>
              <p>
The <code>verificationMethod</code> property is OPTIONAL. If present, the value
MUST be a <a data-cite="INFRA#ordered-set">set</a> of <a>verification
methods</a>, where each <a>verification method</a> is expressed using a <a
data-cite="INFRA#ordered-map">map</a>. The <a>verification method</a> <a
data-cite="INFRA#ordered-map">map</a> MUST include the <code>id</code>,
<code>type</code>, <code>controller</code>, and specific verification material
properties that are determined by the value of <code>type</code> and are defined
in <a href="#verification-material"></a>. A <a>verification method</a> MAY
include additional properties. <a>Verification methods</a> SHOULD be registered
in the Data Integrity Specification Registries [TBD - DIS-REGISTRIES].
              </p>

              <dl>
                <dt>id</dt>
                <dd>
                  <p>
The value of the <code>id</code> property for a <a>verification
method</a> MUST be a <a data-cite="INFRA#string">string</a> that conforms to the
[[URL]] syntax.
                  </p>
                </dd>
                <dt>type</dt>
                <dd>
The value of the <code>type</code> property MUST be a <a
data-cite="INFRA#string">string</a> that references exactly one <a>verification
method</a> type. In order to maximize global interoperability, the
<a>verification method</a> type SHOULD be registered in the Data Integrity Specification
Registries [TBD -- DIS-REGISTRIES].
                </dd>
                <dt>controller</dt>
                <dd>
The value of the <code>controller</code> property MUST be a <a
data-cite="INFRA#string">string</a> that conforms to the [[URL]] syntax.
                </dd>
              </dl>
            </dd>
          </dl>

          <pre class="example" title="Example verification method structure">
    {
      "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/jws-2020/v1"
        "https://w3id.org/security/suites/ed25519-2020/v1"
      ]
      "id": "did:example:123456789abcdefghi",
      <span class="comment">...</span>
      "verificationMethod": [{
        "id": <span class="comment">...</span>,
        "type": <span class="comment">...</span>,
        "controller": <span class="comment">...</span>,
        "publicKeyJwk": <span class="comment">...</span>
      }, {
        "id": <span class="comment">...</span>,
        "type": <span class="comment">...</span>,
        "controller": <span class="comment">...</span>,
        "publicKeyMultibase": <span class="comment">...</span>
      }]
    }
          </pre>

          <p class="note"
            title="Verification method controller(s) and controller(s)">
The semantics of the <code>controller</code> property are the same when the
subject of the relationship is the <a>controller document</a> as when the subject of
the relationship is a <a>verification method</a>, such as a cryptographic public
key. Since a key can't control itself, and the key controller cannot be inferred
from the <a>controller document</a>, it is necessary to explicitly express the identity
of the controller of the key. The difference is that the value of
<code>controller</code> for a <a>verification method</a> is <em>not</em>
necessarily a <a>controller</a>. <a>controllers</a> are expressed
using the <code><a>controller</a></code> property at the highest level of the
<a>controller document</a>.
          </p>

          <section>
            <h3>Verification Material</h3>

            <p>
Verification material is any information that is used by a process that applies
a <a>verification method</a>. The <code>type</code> of a <a>verification
method</a> is expected to be used to determine its compatibility with such
processes. Examples of verification material properties are
<code><a>publicKeyJwk</a></code> or <code><a>publicKeyMultibase</a></code>. A
<a>cryptographic suite</a> specification is responsible for specifying the
<a>verification method</a> <code>type</code> and its associated verification
material. For example, see <a href="https://w3c-ccg.github.io/lds-jws2020/">JSON
Web Signature 2020</a> and <a
href="https://w3c-ccg.github.io/lds-ed25519-2020/">Ed25519 Signature 2020</a>.
For all registered <a>verification method</a> types and associated verification
material available for <a>controllers</a>, please see the Data Integrity
Specification Registries [TBD - DIS-REGISTRIES].
            </p>

            <p class=issue>
Ensuring that cryptographic suites are versioned and tightly scoped to a very
small set of possible key types and signature schemes (ideally one key type and
size and one signature output type) is a design goal for most Data Integrity
cryptographic suites. Historically, this has been done by defining both the
key type and the cryptographic suite that uses the key type in the same
specification. The downside of doing so, however, is that there might be a
proliferation of different key types in multikey that result in different
cryptosuites defining the same key material differently. For example, one
cryptosuite might use compressed Curve P-256 keys while another uses
uncompressed values. If that occurs, it will harm interoperability. It will be
important in the coming months to years to ensure that this does not happen
by fully defining the multikey format in a separate specification so
cryptosuite specifications, such as this one, can refer to the multikey
specification, thus reducing the chances of multikey type proliferation and
improving the chances of maximum interoperability for the multikey format.
            </p>

            <p>
To increase the likelihood of interoperable implementations, this specification
limits the number of formats for expressing verification material in a <a>controller
document</a>. The fewer formats that implementers have to
implement, the more likely it will be that they will support all of them. This
approach attempts to strike a delicate balance between ease of implementation
and supporting formats that have historically had broad deployment.
Two supported verification material properties are listed below:
            </p>

            <dl>
              <dt><dfn>publicKeyJwk</dfn></dt>
              <dd>
                <p>
The <code>publicKeyJwk</code> property is OPTIONAL. If present, the value MUST
be a <a data-cite="INFRA#ordered-map">map</a> representing a JSON Web Key that
conforms to [[RFC7517]]. The <a data-cite="INFRA#ordered-map">map</a> MUST NOT
contain "d", or any other members of the private information class as described
in <a href="https://tools.ietf.org/html/rfc7517#section-8.1.1">Registration
Template</a>. It is RECOMMENDED that verification methods that use JWKs
[[RFC7517]] to represent their public keys use the value of <code>kid</code> as
their fragment identifier. It is RECOMMENDED that JWK
<code>kid</code> values are set to the public key fingerprint [[RFC7638]]. See
the first key in <a href="#example-various-verification-method-types"></a> for
an example of a public key with a compound key identifier.
                </p>
              </dd>
              <dt><dfn>publicKeyMultibase</dfn></dt>
              <dd>
                <p>
The <code>publicKeyMultibase</code> property is OPTIONAL. This feature is
non-normative. If present, the value MUST be a <a
data-cite="INFRA#string">string</a> representation of a [[?MULTIBASE]] encoded
public key.
                </p>
                <p class="advisement">
Note that the [[?MULTIBASE]] specification is not yet a standard and is
subject to change. There might be some use cases for this data format
where <code><b>public</b>KeyMultibase</code> is defined, to allow for
expression of public keys, but <code><b>private</b>KeyMultibase</code>
is not defined, to protect against accidental leakage of secret keys.
                </p>
              </dd>
          </dl>

            <p>
A <a>verification method</a> MUST NOT contain multiple verification material
properties for the same material. For example, expressing key material in a
<a>verification method</a> using both <code>publicKeyJwk</code> and
<code>publicKeyMultibase</code> at the same time is prohibited.
            </p>

            <p>
An example of a <a>controller document</a> containing <a>verification methods</a> using
both properties above is shown below.
            </p>

            <pre id="example-various-verification-method-types"
              class="example nohighlight"
              title="Verification methods using publicKeyJwk and publicKeyMultibase">
    {
      "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/jws-2020/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
      ]
      "id": "did:example:123456789abcdefghi",
      <span class="comment">...</span>
      "verificationMethod": [{
        "id": "did:example:123#_Qq0UL2Fq651Q0Fjd6TvnYE-faHiOpRlPVQcY_-tA4A",
        "type": "JsonWebKey2020", <span class="comment">// external (property value)</span>
        "controller": "did:example:123",
        "publicKeyJwk": {
          "crv": "Ed25519", <span class="comment">// external (property name)</span>
          "x": "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ", <span class="comment">// external (property name)</span>
          "kty": "OKP", <span class="comment">// external (property name)</span>
          "kid": "_Qq0UL2Fq651Q0Fjd6TvnYE-faHiOpRlPVQcY_-tA4A" <span class="comment">// external (property name)</span>
        }
      }, {
        "id": "did:example:123456789abcdefghi#keys-1",
        "type": "Ed25519VerificationKey2020", <span class="comment">// external (property value)</span>
        "controller": "did:example:pqrstuvwxyz0987654321",
        "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
      }],
      <span class="comment">...</span>
    }
            </pre>
          </section>

          <section>
            <h3>Multikey</h3>
            <p>
The Multikey data model is a specific type of <a>verification method</a> that
utilizes the [[MULTICODEC]] specification to encode key types into a single
binary stream that is then encoded using the [[MULTIBASE]] specification.
To encode a Multikey, the <a>verification method</a> `type` MUST be set to
`Multikey` and the `publicKeyMultibase` value MUST be a [[MULTIBASE]] encoded
[[MULTICODEC]] value. An example of a Multikey is provided below:
            </p>

            <pre class="example nohighlight"
              title="Multikey encoding of a Ed25519 public key">
{
  "@context": ["https://w3id.org/security/suites/multikey/v1"],
  "id": "did:example:123456789abcdefghi#keys-1",
  "type": "Multikey",
  "controller": "did:example:123456789abcdefghi",
  "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
}
            </pre>

            <p>
In the example above, the `publicKeyMultibase` value starts with the letter `z`,
which is the [[MULTIBASE]] header that conveys that the binary data is
base58-encoded using the Bitcoin base-encoding alphabet. The decoded binary data
[[MULTICODEC]] header is `0xed`, which specifies that the remaining data
is a 32-byte raw Ed25519 public key.
            </p>

            <p>
The Multikey data model is also capable of encoding secret keys, sometimes
referred to as <em>private keys</em>.
            </p>

            <pre class="example nohighlight"
              title="Multikey encoding of a Ed25519 secret key">
{
  "@context": ["https://w3id.org/security/suites/secrets/v1"],
  "id": "did:example:123456789abcdefghi#keys-1",
  "type": "Multikey",
  "controller": "did:example:123456789abcdefghi",
  "secretKeyMultibase": "z3u2fprgdREFtGakrHr6zLyTeTEZtivDnYCPZmcSt16EYCER"
}
            </pre>

            <p>
In the example above, the `secretKeyMultibase` value starts with the letter `z`,
which is the [[MULTIBASE]] header that conveys that the binary data is
base58-encoded using the Bitcoin base-encoding alphabet. The decoded binary data
[[MULTICODEC]] header is `0x1300`, which specifies that the remaining data
is a 32-byte raw Ed25519 private key.
            </p>

          </section>

          <section>
            <h3>Referring to Verification Methods</h3>
            <p>
<a>Verification methods</a> can be embedded in or referenced from properties
associated with various <a>verification relationships</a> as described in <a
href="#verification-relationships"></a>. Referencing <a>verification methods</a>
allows them to be used by more than one <a>verification relationship</a>.
            </p>

            <p>
If the value of a <a>verification method</a> property is a <a
data-cite="INFRA#ordered-map">map</a>, the <a>verification method</a> has been
embedded and its properties can be accessed directly. However, if the value is a
URL <a data-cite="INFRA#string">string</a>, the <a>verification method</a> has
been included by reference and its properties will need to be retrieved from
elsewhere in the <a>controller document</a> or from another <a>controller document</a>. This
is done by dereferencing the URL and searching the resulting <a>resource</a> for a
<a>verification method</a> <a data-cite="INFRA#ordered-map">map</a> with an
<code>id</code> property whose value matches the URL.
            </p>

            <pre class="example nohighlight"
            title="Embedding and referencing verification methods">
    {
<span class="comment">...</span>

      "authentication": [
        <span class="comment">// this key is referenced and might be used by</span>
        <span class="comment">// more than one verification relationship</span>
        "did:example:123456789abcdefghi#keys-1",
        <span class="comment">// this key is embedded and may *only* be used for authentication</span>
        {
          "id": "did:example:123456789abcdefghi#keys-2",
          "type": "Ed25519VerificationKey2020", <span class="comment">// external (property value)</span>
          "controller": "did:example:123456789abcdefghi",
          "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
        }
      ],

<span class="comment">...</span>
    }
            </pre>
          </section>
        </section>

        <section>
          <h2>Verification Relationships</h2>

          <p>
A <a>verification relationship</a> expresses the relationship between the
<a>controller</a> and a <a>verification method</a>.
          </p>
          <p>
Different <a>verification relationships</a> enable the associated
<a>verification methods</a> to be used for different purposes. It is up to a
<em>verifier</em> to ascertain the validity of a verification attempt by
checking that the <a>verification method</a> used is contained in the
appropriate <a>verification relationship</a> property of the
<a>controller document</a>.
          </p>
          <p>
The <a>verification relationship</a> between the <a>controller</a> and the
<a>verification method</a> is explicit in the <a>controller document</a>.
<a>Verification methods</a> that are not associated with a particular
<a>verification relationship</a> cannot be used for that <a>verification
relationship</a>. For example, a <a>verification method</a> in the value of
the <code><a>authentication</a></code> property cannot be used to engage in
key agreement protocols with the <a>controller</a>&mdash;the value of the
<code><a>keyAgreement</a></code> property needs to be used for that.
          </p>
          <p>
The <a>controller document</a> does not express revoked keys using a <a>verification
relationship</a>. If a referenced verification method is not in the latest
<a>controller document</a> used to dereference it, then that verification method is
considered invalid or revoked.
          </p>
          <p>
The following sections define several useful <a>verification relationships</a>.
A <a>controller document</a> MAY include any of these, or other properties, to
express a specific <a>verification relationship</a>. In order to maximize global
interoperability, any such properties used SHOULD be registered in the
Data Integrity Specification Registries [TBD: DIS-REGISTRIES].
          </p>

          <section>
            <h2>Authentication</h2>

            <p>
The <code>authentication</code> <a>verification relationship</a> is used to
specify how the <a>controller</a> is expected to be <a>authenticated</a>, for
purposes such as logging into a website or engaging in any sort of
challenge-response protocol.
            </p>

            <dl>
              <dt><dfn>authentication</dfn></dt>
              <dd>
The <code>authentication</code> property is OPTIONAL. If present, the associated
value MUST be a <a data-cite="INFRA#ordered-set">set</a> of one or more
<a>verification methods</a>. Each <a>verification method</a> MAY be embedded or
referenced.
              </dd>
            </dl>

            <pre class="example nohighlight" title="Authentication property
                          containing three verification methods">
    {
      "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
      ],
      "id": "did:example:123456789abcdefghi",
      <span class="comment">...</span>
      "authentication": [
        <span class="comment">// this method can be used to authenticate as did:...fghi</span>
        "did:example:123456789abcdefghi#keys-1",
        <span class="comment">// this method is *only* approved for authentication, it may not</span>
        <span class="comment">// be used for any other proof purpose, so its full description is</span>
        <span class="comment">// embedded here rather than using only a reference</span>
        {
          "id": "did:example:123456789abcdefghi#keys-2",
          "type": "Ed25519VerificationKey2020",
          "controller": "did:example:123456789abcdefghi",
          "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
        }
      ],
      <span class="comment">...</span>
    }
            </pre>

            <p>
If authentication is established, it is up to the application to decide what to
do with that information.
            </p>
            <p>
This is useful to any <em>authentication verifier</em> that needs to check to
see if an entity that is attempting to <a>authenticate</a> is, in fact,
presenting a valid proof of authentication. When a <em>verifier</em> receives
some data (in some protocol-specific format) that contains a proof that was made
for the purpose of "authentication", and that says that an entity is identified
by the `id`, then that <em>verifier</em> checks to ensure that the proof can be
verified using a <a>verification method</a> (e.g., public key) listed under
<code><a>authentication</a></code> in the <a>controller document</a>.
            </p>
            <p>
Note that the <a>verification method</a> indicated by the
<code><a>authentication</a></code> property of a <a>controller document</a> can
only be used to <a>authenticate</a> the <a>controller</a>. To
<a>authenticate</a> a different <a>controller</a>, the entity associated with
the value of <code>controller</code> needs to <a>authenticate</a> with its
<em>own</em> <a>controller document</a> and associated
<code><a>authentication</a></code> <a>verification relationship</a>.
            </p>
          </section>

          <section>
            <h2>Assertion</h2>

            <p>
The <code>assertionMethod</code> <a>verification relationship</a> is used to
specify how the <a>controller</a> is expected to express claims, such as for
the purposes of issuing a Verifiable Credential [[?VC-DATA-MODEL]].
            </p>

            <dl>
              <dt><dfn>assertionMethod</dfn></dt>
              <dd>
The <code>assertionMethod</code> property is OPTIONAL. If present, the
associated value MUST be a <a data-cite="INFRA#ordered-set">set</a> of
one or more <a>verification methods</a>. Each <a>verification method</a> MAY be
embedded or referenced.
              </dd>
            </dl>

            <p>
This property is useful, for example, during the processing of a <a>verifiable
credential</a> by a verifier. During verification, a verifier checks to see if a
<a>verifiable credential</a> contains a proof created by the <a>controller</a>
by checking that the <a>verification method</a> used to assert the proof is
associated with the <code><a>assertionMethod</a></code> property in the
corresponding <a>controller document</a>.
            </p>

            <pre class="example nohighlight" title="Assertion method property
                        containing two verification methods">
    {
      "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
      ],
      "id": "did:example:123456789abcdefghi",
      <span class="comment">...</span>
      "assertionMethod": [
        <span class="comment">// this method can be used to assert statements as did:...fghi</span>
        "did:example:123456789abcdefghi#keys-1",
        <span class="comment">// this method is *only* approved for assertion of statements, it is not</span>
        <span class="comment">// used for any other verification relationship, so its full description is</span>
        <span class="comment">// embedded here rather than using a reference</span>
        {
          "id": "did:example:123456789abcdefghi#keys-2",
          "type": "Ed25519VerificationKey2020", <span class="comment">// external (property value)</span>
          "controller": "did:example:123456789abcdefghi",
          "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
        }
      ],
      <span class="comment">...</span>
    }
            </pre>
          </section>

          <section>
            <h2>Key Agreement</h2>

            <p>
The <code>keyAgreement</code> <a>verification relationship</a> is used to
specify how an entity can generate encryption material in order to transmit
confidential information intended for the <a>controller</a>, such as for
the purposes of establishing a secure communication channel with the recipient.
            </p>

            <dl>
              <dt><dfn>keyAgreement</dfn></dt>
              <dd>
The <code>keyAgreement</code> property is OPTIONAL. If present, the associated
value MUST be a <a data-cite="INFRA#ordered-set">set</a> of one or more
<a>verification methods</a>. Each <a>verification method</a> MAY be embedded or
referenced.
              </dd>
            </dl>

            <p>
An example of when this property is useful is when encrypting a message intended
for the <a>controller</a>. In this case, the counterparty uses the
cryptographic public key information in the <a>verification method</a> to wrap a
decryption key for the recipient.
            </p>

            <pre class="example nohighlight" title="Key agreement property
                          containing two verification methods">
    {
      "@context": "https://www.w3.org/ns/did/v1",
      "id": "did:example:123456789abcdefghi",
      <span class="comment">...</span>
      "keyAgreement": [
        <span class="comment">// this method can be used to perform key agreement as did:...fghi</span>
        "did:example:123456789abcdefghi#keys-1",
        <span class="comment">// this method is *only* approved for key agreement usage, it will not</span>
        <span class="comment">// be used for any other verification relationship, so its full description is</span>
        <span class="comment">// embedded here rather than using only a reference</span>
        {
          "id": "did:example:123#zC9ByQ8aJs8vrNXyDhPHHNNMSHPcaSgNpjjsBYpMMjsTdS",
          "type": "X25519KeyAgreementKey2019", <span class="comment">// external (property value)</span>
          "controller": "did:example:123",
          "publicKeyMultibase": "z6LSn6p3HRxx1ZZk1dT9VwcfTBCYgtNWdzdDMKPZjShLNWG7"
        }
      ],
      <span class="comment">...</span>
    }
            </pre>
          </section>

          <section>
            <h2>Capability Invocation</h2>

            <p>
The <code>capabilityInvocation</code> <a>verification relationship</a> is used
to specify a <a>verification method</a> that might be used by the
<a>controller</a> to invoke a cryptographic capability, such as the
authorization to update the <a>controller document</a>.
            </p>

            <dl>
              <dt><dfn>capabilityInvocation</dfn></dt>
              <dd>
The <code>capabilityInvocation</code> property is OPTIONAL. If present, the
associated value MUST be a <a data-cite="INFRA#ordered-set">set</a> of
one or more <a>verification methods</a>. Each <a>verification method</a> MAY be
embedded or referenced.
              </dd>
            </dl>

            <p>
An example of when this property is useful is when a <a>controller</a> needs to
access a protected HTTP API that requires authorization in order to use it. In
order to authorize when using the HTTP API, the <a>controller</a>
uses a capability that is associated with a particular URL that is
exposed via the HTTP API. The invocation of the capability could be
expressed in a number of ways, e.g., as a digitally signed
message that is placed into the HTTP Headers.
            </p>
            <p>
The server providing the HTTP API is the <em>verifier</em> of the capability and
it would need to verify that the <a>verification method</a> referred to by the
invoked capability exists in the <code><a>capabilityInvocation</a></code>
property of the <a>controller document</a>. The verifier would also check to make sure
that the action being performed is valid and the capability is appropriate for
the resource being accessed. If the verification is successful, the server has
cryptographically determined that the invoker is authorized to access the
protected resource.
            </p>

            <pre class="example nohighlight" title="Capability invocation property
                          containing two verification methods">
    {
      "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
      ],
      "id": "did:example:123456789abcdefghi",
      <span class="comment">...</span>
      "capabilityInvocation": [
        <span class="comment">// this method can be used to invoke capabilities as did:...fghi</span>
        "did:example:123456789abcdefghi#keys-1",
        <span class="comment">// this method is *only* approved for capability invocation usage, it will not</span>
        <span class="comment">// be used for any other verification relationship, so its full description is</span>
        <span class="comment">// embedded here rather than using only a reference</span>
        {
        "id": "did:example:123456789abcdefghi#keys-2",
        "type": "Ed25519VerificationKey2020", <span class="comment">// external (property value)</span>
        "controller": "did:example:123456789abcdefghi",
        "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
        }
      ],
      <span class="comment">...</span>
    }
            </pre>
          </section>

          <section>
            <h2>Capability Delegation</h2>

            <p>
The <code>capabilityDelegation</code> <a>verification relationship</a> is used
to specify a mechanism that might be used by the <a>controller</a> to delegate
a cryptographic capability to another party, such as delegating the authority
to access a specific HTTP API to a subordinate.
            </p>

            <dl>
              <dt><dfn class="lint-ignore">capabilityDelegation</dfn></dt>
              <dd>
The <code>capabilityDelegation</code> property is OPTIONAL. If present, the
associated value MUST be a <a data-cite="INFRA#ordered-set">set</a> of
one or more <a>verification methods</a>. Each <a>verification method</a> MAY be
embedded or referenced.
              </dd>
            </dl>

            <p>
An example of when this property is useful is when a <a>controller</a> chooses
to delegate their capability to access a protected HTTP API to a party other
than themselves. In order to delegate the capability, the <a>controller</a>
would use a <a>verification method</a> associated with the
<code>capabilityDelegation</code> <a>verification relationship</a> to
cryptographically sign the capability over to another <a>controller</a>. The
delegate would then use the capability in a manner that is similar to the
example described in <a href="#capability-invocation"></a>.
            </p>

            <pre class="example nohighlight" title="Capability Delegation property
                          containing two verification methods">
    {
      "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/ed25519-2020/v1"
      ],
      "id": "did:example:123456789abcdefghi",
      <span class="comment">...</span>
      "capabilityDelegation": [
        <span class="comment">// this method can be used to perform capability delegation as did:...fghi</span>
        "did:example:123456789abcdefghi#keys-1",
        <span class="comment">// this method is *only* approved for granting capabilities; it will not</span>
        <span class="comment">// be used for any other verification relationship, so its full description is</span>
        <span class="comment">// embedded here rather than using only a reference</span>
        {
        "id": "did:example:123456789abcdefghi#keys-2",
        "type": "Ed25519VerificationKey2020", <span class="comment">// external (property value)</span>
        "controller": "did:example:123456789abcdefghi",
        "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
        }
      ],
      <span class="comment">...</span>
    }
            </pre>
          </section>
        </section>
      </section>

    </section>

    <section>
      <h2>Multiple Proofs</h2>
      <p>
The Data Integrity specification supports the concept of multiple
proofs in a single document. There are two types of multi-proof
approaches that are identified: Proof Sets (un-ordered) and Proof Chains
(ordered).
      </p>

      <section>
        <h3>Proof Sets</h3>
        <p>
A proof set is useful when the same data needs to be secured by multiple
entities, but where the order of proofs does not matter,
such as in the case of a set of signatures on a contract. A proof set,
which has no order, is represented by associating a set of proofs
with the <code>proof</code> key in a document.
        </p>
        <pre class="example highlight" title="A proof set in a data document">
{
  "@context": [
    {"title": "https://schema.org#title"},
    "https://w3id.org/security/suites/ed25519-2020/v1"
],
  "title": "Hello world!",
  "proof": [{
    "type": "Ed25519Signature2020",
    "created": "2020-11-05T19:23:24Z",
    "verificationMethod": "https://ldi.example/issuer/1#z6MkjLrk3gKS2nnkeWcmcxi
      ZPGskmesDpuwRBorgHxUXfxnG",
    "proofPurpose": "assertionMethod",
    "proofValue": "z4oey5q2M3XKaxup3tmzN4DRFTLVqpLMweBrSxMY2xHX5XTYVQeVbY8nQA
      VHMrXFkXJpmEcqdoDwLWxaqA3Q1geV6"
  }, {
    "type": "Ed25519Signature2020",
    "created": "2020-11-05T13:08:49Z",
    "verificationMethod": "https://pfps.example/issuer/2#z6MkGskxnGjLrk3gKS2mes
      DpuwRBokeWcmrgHxUXfnncxiZP",
    "proofPurpose": "assertionMethod",
    "proofValue": "z5QLBrp19KiWXerb8ByPnAZ9wujVFN8PDsxxXeMoyvDqhZ6Qnzr5CG9876
      zNht8BpStWi8H2Mi7XCY3inbLrZrm95"
  }]
}
        </pre>

      </section>

      <section>
        <h3>Proof Chains</h3>
        <p>
A proof chain is useful when the same data needs to be signed by
multiple entities and the order of when the proofs occurred matters,
such as in the case of a notary counter-signing a proof that had been
created on a document. A proof chain, where order needs to be preserved, is
represented by associating an ordered list of proofs with the
<code>proofChain</code> key in a document.
        </p>
        <pre class="example highlight" title="A proof chain in a data document">
{
  "@context": [
    {"title": "https://schema.org#title"},
    "https://w3id.org/security/suites/ed25519-2020/v1"
],
  "title": "Hello world!",
  "proofChain": [{
    "type": "Ed25519Signature2020",
    "created": "2020-11-05T19:23:42Z",
    "verificationMethod": "https://ldi.example/issuer/1#z6MkjLrk3gKS2nnkeWcmcxi
      ZPGskmesDpuwRBorgHxUXfxnG",
    "proofPurpose": "assertionMethod",
    "proofValue": "zVbY8nQAVHMrXFkXJpmEcqdoDwLWxaqA3Q1geV64oey5q2M3XKaxup3tmzN4
      DRFTLVqpLMweBrSxMY2xHX5XTYVQe"
  }, {
    "type": "Ed25519Signature2020",
    "created": "2020-11-05T21:28:14Z",
    "verificationMethod": "https://pfps.example/issuer/2#z6MkGskxnGjLrk3gKS2mes
      DpuwRBokeWcmrgHxUXfnncxiZP",
    "proofPurpose": "assertionMethod",
    "proofValue": "z6Qnzr5CG9876zNht8BpStWi8H2Mi7XCY3inbLrZrm955QLBrp19KiWXerb8
      ByPnAZ9wujVFN8PDsxxXeMoyvDqhZ"
  }]
}
        </pre>

      </section>

    </section>

    <section class="normative">
      <h2>Proof Types</h2>

      <section>
        <h3>Signatures</h3>

        <p>
A <dfn>data integrity signature</dfn> is a type of cryptographic proof, and is
comprised of information about the signature, parameters required to verify
it, and the signature value itself. All of this information is provided using
Linked Data vocabularies such as the [[!SECURITY-VOCABULARY]].
        </p>

        <p>
          A <a>data integrity signature</a> typically includes at least the
          following attributes:
        </p>

        <dl style="margin-left: 1em;">
          <dt>type (required)<dt>
          <dd>
A URI that identifies the digital <a>cryptographic suite</a> that was used to create the
signature. For example: <code>Ed25519Signature2020</code>.</dd>
          <dt>created (required)<dt>
          <dd>
The string value of an [[!ISO8601]] combined date and time string generated
by the <a href="#proof-algorithm">Proof Algorithm</a>.
          </dd>

          <dt>domain (optional)<dt>
          <dd>
A string value specifying the restricted <a>domain</a> of the signature.
          </dd>
          <dt><dfn class="lint-ignore">nonce</dfn> (optional, but strongly recommended)<dt>
          <dd>
A string value that is included in the digital signature and MUST only be
used once for a particular <a>domain</a> and window of time. This
value is used to mitigate replay attacks.
          </dd>
          <dt><dfn class="lint-ignore">signature value</dfn> (required)<dt>
          <dd>
One of any number of valid representations of <em>signature value</em>
generated by the <a href="#proof-algorithm">Proof Algorithm</a>.
Example: <code>jws</code> for detached JSON Web Signatures.
</dd>
        </dl>

        <p class="note">
The terms <code>type</code>, <code>created</code>, <code>domain</code>,
<code>nonce</code>, and <code>jws</code> above map to URLs. The vocabulary where
these terms are defined is the [[SECURITY-VOCABULARY]].
        </p>

        <p>
A signature can be added to a data document like the following:
        </p>

        <pre class="example highlight" title="A simple data document">
{
  "@context": {"title": "https://schema.org#title"},
  "title": "Hello world!",
}
        </pre>

        <p>
by adding the parameters outlined in this section:
        </p>

        <pre class="example highlight" title="A simple signed data document">
{
  "@context": [
    {"title": "https://schema.org#title"},
    "https://w3id.org/security/suites/ed25519-2020/v1"
],
  "title": "Hello world!",
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2020-11-05T19:23:24Z",
    "verificationMethod": "https://ldi.example/issuer#z6MkjLrk3gKS2nnkeWcmcxi
      ZPGskmesDpuwRBorgHxUXfxnG",
    "proofPurpose": "assertionMethod",
    "proofValue": "z4oey5q2M3XKaxup3tmzN4DRFTLVqpLMweBrSxMY2xHX5XTYVQeVbY8nQA
      VHMrXFkXJpmEcqdoDwLWxaqA3Q1geV6"
  }
}
        </pre>

        <p>
The signature example above uses the <code>Ed25519Signature2020</code>
<a>cryptographic suite</a> to produce a verifiable digital signature.
        </p>

<div class="issue">Create a separate section detailing an optional mechanism
for authenticating public key control via bi-directional links. How
to establish trust in key controller entities is out of scope but examples can
be given.</div>

<div class="issue">Specify algorithm agility mechanisms (additional attributes
from the security vocab can be used to indicate other signing and hash
algorithms). Rewrite algorithms to be parameterized on this basis and
move `RsaSignature2018` definition to a single supported
mechanism; specify its identifier as a URL. In order to make it easy to
specify a variety of combinations of algorithms, introduce a core
type `LinkedDataSignature` that allows for easy filtering/discover of
signature nodes, but that type on its own doesn't specify any default
signature or hash algorithms, those must be given via other properties in the
nodes.</div>

<div class="issue">Add a note indicating that this specification should not
be construed to indicate that public key controllers should be restricted to a
single public key or that systems that use this spec and involve real people
should identify each person as only ever being a single entity rather than
perhaps N entities with M keys. There are no such restrictions and in many
cases those kinds of restrictions are ill-advised due to privacy
considerations.</div>

<div class="issue">Add an explicit check on key type to prevent an
attacker from selecting an algorithm that may abuse how the key is
used/interpreted.</div>

<div class="issue">Add a note indicating that selective disclosure signature
mechanisms can be compatible with data integrity signatures; for example,
an algorithm could produce a merkle tree from a canonicalized set of
N-Quads and then sign the root hash. Disclosure would involve including
the merkle paths for each N-Quad that is to be revealed. This mechanism
would merely consume the normalized output differently (this, and the
proof mechanism would be modifications to this core spec). It may also
be necessary to generate signature parameters such as a private key/seed
that can be used along with an algorithm to deterministically generate
nonces that are concatenated with each N-Quad to prevent rainbow
table or similar attacks.</div>

      </section>

      <section>
        <h3>Other Proof Types</h3>

        <div class="issue">TODO: Add links and examples to proof types that
are not data integrity signatures, such as proof of existence, proof of work,
proof of elapsed time, and proof of registration.</div>
      </section>
    </section>

    <section>
      <h2>Advanced Terminology</h2>
      <p>
These terms are relevant only to implementors of new <a>cryptographic suite</a>s.
      </p>

      <dl>
        <dt><dfn>canonicalization algorithm</dfn></dt>
        <dd>
An algorithm that takes an input document that has more than one possible
representation and always transforms it into a deterministic representation. For
example, alphabetically sorting a list of items is a type canonicalization. This
process is sometimes also called <em>normalization</em>.
        </dd>
        <dt><dfn>message digest algorithm</dfn></dt>
        <dd>
An algorithm that takes an input message and produces a cryptographic
output message that is often many orders of magnitude smaller than the
input message. These algorithms are often 1) very fast, 2)
non-reversible, 3) cause the output to change significantly when even one
bit of the input message changes, and 4) make it infeasible to find two
different inputs for the same output.
        </dd>
        <dt><dfn>proof algorithm</dfn></dt>
        <dd>
An algorithm that takes an input message and produces an output value where the
receiver of the message can mathematically verify that the message has not
been modified in transit and came from someone possessing a particular secret.
        </dd>
      </dl>
    </section>

    <section>
      <h2>Creating New Proof Types</h2>
      <p>
A data integrity proof is designed to be easy to use by developers and therefore
strives to minimize the amount of information one has to remember to generate a
proof. Often, just the <a>cryptographic suite</a> name (e.g.
<code>Ed25519Signature2020</code>) is required from developers to initiate the
creation of a proof. These <a>cryptographic suite</a>s are often created or
reviewed by people that have the requisite cryptographic training to ensure that
safe combinations of cryptographic primitives are used.
      </p>
      <p>
This section details the cryptographic primitives that are available to
<a>proof type</a> developers.
      </p>

      <p>
At a minimum, a <a>proof type</a> is expected have the following attributes:
      </p>

      <dl style="margin-left: 1em;">
        <dt>id</dt>
        <dd>
A URL that identifies the <a>cryptographic suite</a>.
For example: <code>https://w3id.org/security#Ed25519Signature2020</code>.
        </dd>
        <dt>type</dt>
        <dd>
The value <code>ProofSuite</code>.
        </dd>
        <dt>canonicalizationAlgorithm</dt>
        <dd>
A URL that identifies the <a>canonicalization algorithm</a> to use on the
<var>document</var>. For example:
<code>https://w3id.org/security#URDNA2015</code>.
        </dd>
        <dt>digestAlgorithm</dt>
        <dd>
A URL that identifies the <a>message digest algorithm</a> to use on the
<var>canonicalized document</var>. For example:
<code>https://www.ietf.org/assignments/jwa-parameters#SHA256</code>
        </dd>
        <dt>proofAlgorithm</dt>
        <dd>
A URL that identifies the <a>proof algorithm</a> to use on the
<var>data to be signed</var>. For example:
<code>https://w3id.org/security#ed25519</code>
        </dd>
      </dl>

      <p>
A complete example of a <a>proof type</a> is shown in the next example:
      </p>

      <pre class="example highlight">
{
  "id": "https://w3id.org/security#Ed25519Signature2020",
  "type": "Ed25519VerificationKey2020",
  "canonicalizationAlgorithm": "https://w3id.org/security#URDNA2015",
  "digestAlgorithm": "https://www.ietf.org/assignments/jwa-parameters#SHA256",
  "signatureAlgorithm": "https://w3id.org/security#ed25519"
}
      </pre>
    </section>

    <section>
      <h2>Algorithms</h2>

      <p>
The algorithms defined below are generalized in that they require a specific
<a>canonicalization algorithm</a>, <a>message digest algorithm</a>, and
<a>proof algorithm</a> to be used to achieve the algorithm's intended
outcome.
      </p>

      <section class="normative">
        <h3>Proof Algorithm</h3>

<div class="issue">The proof parameters should be included as headers
and values in the data to be signed.</div>

        <p>
The following algorithm specifies how to create a digital proof that can
be later used to verify the authenticity and integrity of a
<a>unsigned data document</a>. A <a>unsigned data document</a>,
<var>document</var>, <a>proof options</a>, <var>options</var>,
and a <a>private key</a>, <var>privateKey</var>, are required inputs.
The <a>proof options</a> MUST contain an identifier for the
public/private key pair, and an [[!ISO8601]] combined date and
time string, <var>created</var>, containing the current date and time,
accurate to at least one second, in Universal Time Code format. A <a>domain</a> might also be specified in the <var>options</var>. A
<a>signed data document</a> is produced as output. Whenever this
algorithm encodes strings, it MUST use UTF-8 encoding.
        </p>

        <ol class="algorithm">
          <li>
Create a copy of <var>document</var>, hereafter referred to as <var>output</var>.
          </li>
          <li>
Generate a <var>canonicalized document</var> by canonicalizing
<var>document</var> according to a <a>canonicalization algorithm</a>
(e.g. the <em>URDNA2015</em> [[!RDF-DATASET-C14N]] algorithm).
        </li>
          <li>
Create a value <var>tbs</var> that represents the data to be signed, and
set it to the result of running the
<a href="#create-verify-hash-algorithm">Create Verify Hash Algorithm</a>,
passing the information in <var>options</var>.
          </li>
          <li>
Digitally sign <var>tbs</var> using the <var>privateKey</var> and the
the <var>digital proof algorithm</var> (e.g. JSON Web Proof using
<em>RSASSA-PKCS1-v1_5</em> algorithm). The resulting string is the
<a>proofValue</a>.
          </li>
          <li>
Add a <code>proof</code> node to <var>output</var> containing
a <a>data integrity proof</a> using the appropriate
<var>type</var> and <a>proofValue</a> values as well as
all of the data in the <var>proof options</var> (e.g.
<var>created</var>, and if given, any additional proof
options such as <a>domain</a>).
          </li>
          <li>
Return <var>output</var> as the <a>signed data document</a>.
          </li>
        </ol>

      </section>

      <section>
        <h3>Proof Verification Algorithm</h3>
        <p class="issue">
This algorithm is highly specific to digital signatures and needs to be
generalized to other proof mechanisms such as Equihash.
        </p>

        <p>
The following algorithm specifies how to check the authenticity and
integrity of a <a>signed data document</a> by verifying its
digital proof. This algorithm takes a
<a>signed data document</a>, <var>signed document</var> and
outputs a <code>true</code> or <code>false</code> value based on whether or
not the digital proof on <var>signed document</var> was verified. Whenever
this algorithm encodes strings, it MUST use UTF-8 encoding.
        </p>

<div class="issue">Specify how the public key can be obtained, through
some out-of-band process and passed in or it can be retrieved by
derefencing its URL identifier, etc.</div>

        <ol class="algorithm">
          <li>
Get the <a>public key</a> by dereferencing its URL identifier in the
<code>proof</code> node of the default graph of <var>signed document</var>.
Confirm that the <a>unsigned data document</a> that describes the <a>public
key</a> specifies its controller and that its controllers's URL identifier can
be dereferenced to reveal a bi-directional link back to the key. Ensure that the
key's controller is a trusted entity before proceeding to the next step.
          </li>
          <li>
Let <var>document</var> be a copy of <var>signed document</var>.
          </li>
          <li>
Remove any <code>proof</code> nodes from the default graph in
<var>document</var> and save it as <var>proof</var>.
          </li>
          <li>
Generate a <var>canonicalized document</var> by canonicalizing
<var>document</var> according to the <a>canonicalization algorithm</a>
(e.g. the </var><em>URDNA2015</em> [[!RDF-DATASET-C14N]] algorithm).
          </li>
          <li>
Create a value <var>tbv</var> that represents the data to be verified, and
set it to the result of running the
<a href="#create-verify-hash-algorithm">Create Verify Hash Algorithm</a>,
passing the information in <var>proof</var>.
          </li>
          <li>
Pass the <a>proofValue</a>, <var>tbv</var>,
and the <a>public key</a> to the <a>proof algorithm</a>
(e.g. JSON Web Proof using <em>RSASSA-PKCS1-v1_5</em> algorithm).
Return the resulting boolean value.
          </li>
        </ol>
      </section>

      <section>
        <h3>Create Verify Hash Algorithm</h3>

        <p class="issue">
This algorithm is too specific to digital signatures and needs to be
generalized for algorithms such as Equihash.
        </p>
        <p>
The following algorithm specifies how to create the data that is used
to generate or verify a digital proof. It takes a canonicalized
<a>unsigned data document</a>, <var>canonicalized document</var>,
<a>canonicalization algorithm</a>, a <a>message digest algorithm</a>, and
<a>proof options</a>, <var>input options</var> (by reference).
The <a>proof options</a> MUST contain an identifier for the
public/private key pair, and an [[!ISO8601]] combined date and
time string, <var>created</var>, containing the current date and time,
accurate to at least one second, in Universal Time Code format. A <a>domain</a>
might also be specified in the <var>options</var>.
Its output is a data that can be used to generate or verify a
digital proof (it is usually further hashed as part of the
verification or signing process).
        </p>

        <ol class="algorithm">
          <li>
Let <var>options</var> be a copy of <var>input options</var>.
          </li>
          <li>
If the <a>proofValue</a> parameter, such as <code>jws</code>,
exists in <var>options</var>, remove the entry.
          </li>
          <li>
If <var>created</var> does not exist in <var>options</var>, add an
entry with a value that is an [[!ISO8601]] combined date and
time string containing the current date and time accurate to at least one
second, in Universal Time Code format. For example:
<code>2017-11-13T20:21:34Z</code>.
          </li>
          <li>
Generate <var>output</var> by:
            <ol class="algorithm">
              <li>
Creating a <var>canonicalized options document</var> by canonicalizing
<var>options</var> according to the <a>canonicalization algorithm</a>
(e.g. the <em>URDNA2015</em> [[!RDF-DATASET-C14N]] algorithm).
              </li>
              <li>
Hash <var>canonicalized options document</var> using the
<a>message digest algorithm</a> (e.g. SHA-256) and set <var>output</var>
to the result.
              </li>
              <li>
Hash <var>canonicalized document</var> using the <a>message digest algorithm</a>
(e.g. SHA-256) and append it to <var>output</var>.
              </li>
            </ol>
          </li>
          <li>
<div class="issue">This last step needs further clarification. Signing
implementations usually automatically perform their own integrated
hashing of an input message, i.e. signing algorithms are a combination
of a raw signing mechanism and a hashing mechanism such as
RS256 (RSA + SHA-256). Current implementations of RSA-based
data integrity proof suites therefore do not perform this last step
before passing the data to a signing algorithm as it will be performed
internally. The Ed25519Proof2018 algorithm also does not perform
this last step -- and, in fact, uses SHA-512 internally. In short,
this last step should better communicate that the 64 bytes produced
from concatenating the SHA-256 of the canonicalized options with the
SHA-256 of the canonicalized document are passed into the signing
algorithm with a presumption that the signing algorithm will include
hashing of its own.</div>
Note: It is presumed that the 64-byte <var>output</var> will be used
in a signing algorithm that includes its own hashing algorithm, such
as RS256 (RSA + SHA-256) or EdDsa (Ed25519 which uses SHA-512).
          </li>
          <li>
Return <var>output</var>.
          </li>
        </ol>
      </section>
    </section>

    <section>
      <h2>Security Considerations</h2>
      <p>
The following section describes security considerations that developers
implementing this specification should be aware of in order to create secure
software.
      </p>

<div class="issue">TODO: We need to add a complete list of security
considerations.</div>

      <section>
        <h3>Verification Method Binding</h3>

        <p class="issue">
Implementers must ensure that a verification method is bound to a particular
controller by going from the verification method to the controller document,
and then ensuring that the controller document also contains the verification
method.
        </p>
      </section>

      <section>
        <h3>Verification Relationship Validation</h3>

        <p class="issue">
Implementers need to ensure that when a verification method is used, that
it matches the verification relationship associated with it and that it lines
up with the proof purpose.
        </p>
      </section>

      <section>
        <h3>Canonicalization Method Correctness</h3>

        <p class="issue">
Canonicalization mechanisms utilized for normalizing input to hashing functions
need to have vetted mathematical proofs associted with them. Canonicalization
mechanisms that create collisions in hash functions can be used to attack
digital signatures.
        </p>
      </section>

    </section>

    <section>
      <h2>Privacy Considerations</h2>
      <p>
The following section describes privacy considerations that developers
implementing this specification should be aware of in order to create
privacy enhancing software.
      </p>

<div class="issue">TODO: We need to add a complete list of privacy
considerations.</div>

      <section>
        <h3>Unlinkability</h3>

        <p class="issue">
When the contents of a digitally signed payload contains correlatable
identifiers, those identifiers can be used to track individuals. A static
digital signature is a correlatable identifier. There are digital signature
schemes that provide uncorrelatable digital signatures.
        </p>
      </section>

      <section>
        <h3>Selective Disclosure</h3>

        <p class="issue">
When the contents of a digitally signed payload contains correlatable
identifiers, those identifiers can be used to track individuals. A static
digital signature is a correlatable identifier. There are selective
disclosure digital signature schemes, such as BBS+, that are capable of
not disclosing correlatable identifiers and ensuring that a different
but valid digital signature is re-created upon every presentation.
        </p>
      </section>

    </section>

</body>
</html>