Try   HackMD

Adding W3C Standard Verifiable Credentials support to ACA-Py

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Table Of Contents

What we're looking for

  • AATH Issue Credential video.
  • AATH JSON-LD Issue Credential
  • AATH BBS+ Issue Credential
  • Standalone non-Aries proof with JSON-LD + BBS
  • Merge into separate ACA-Py branch
  • Documentation has been implemented in code for the API to use the new credential types, and a summary markdown file with API documentation will be added

Status

  • VC / Linked Data Proofs
    • Sign document / Verify document
    • Issue credentail / Verify credentail
    • Create presentation / verify presentation
    • Ed25519Signature2018 Suite
    • Still needed
      • BbsBlsSignature2020
      • BbsBlsSignatureProof2020
  • Issue Credential
    • API finished
    • Initial AATH test working
      • AATH needs some restructure to work nicely with the new format
    • Credentials stored in memory or using indy-sdk (Andrew)
    • Still needed
      • Some consistency checks (e.g. issuer sends credential that doesn't match request)
      • Unit tests
      • Issuing BBS signatures (however this is mostly lower level stuff)
      • [Opt.] Issue and receive did:sov credentials.
        • Wont do this until the SICPA resolver is merged
    • Records can be queried from the admin API (SKlump)
  • DID Key support
    • Ed25519 DID key resolver added
    • Admin API extendend to support creating did:key dids
    • Still needed
      • Creating and retrieving Bls did keys
  • BBS
    • Basic FFI wrapper done
    • Still needs
      • Python idiomatic layer on top of ffi wrapper
      • Bls key management
  • Present Proof
    • Presentation Exchange PR open (Shaanjot)
    • No AATH work yet
      • V2 missing in AATH
    • Still needs Aries integration

Scope & Requirements

The goal of this opportunity is to add full JSON-LD VC support to ACA-Py. ACA-Py already includes a, by default disabled, admin interface to sign and verify JSON-LD documents (and thus credentials). This support is limited to the Ed25519 signature type, and doesn't integrate with the credential exchange protocols.

The work will include:

  • Issue JSON-LD credentials using the Issue Credential v2 protocol
  • Present JSON-LD credentials using the Present Proof v2 protocol
  • Support Ed25519Signature2018 signature suite to issue and verify non-zkp credentials
  • Support BbsBlsSignature2020 / BbsBlsSignatureProof2020 signature suites to issue and verify zkp credentials
  • Extend did:key support to the admin api, adding BBS BLS key types
  • Leverage ACA-Py storage to store, query and retrieve JSON-LD credentials
  • Extend AATH to test credential exchange between different ACA-Py (and other) agents

Out of scope

Interoperability testing with Aries Framework Go using AATH

The backchannel for Aries Framework Go (AFGO) only supports DID exchange at the moment, therefore we cannot test JSON-LD based credential exchange with AFGO. Extending the test harness and ACA-Py backchannel to support JSON-LD based credentials is in scope. If AFGO makes enough progress on their backchannel during the time span of this oppurtunity, we will make our best efforts to complete interoperability testing with AFGO using AATH.

In addition to the AFGO backchannel supporting the issue-credential and present-proof protocols, the following features can have an impact on the scope of interoperability testing:

Presentation Exchange attachment format

The goal is to integrate with the presentation exchange format. However, as the work on presentation exchange has not started yet and because of the lack of a clear timeline, we're unsure we'll be able to accomplish this task in the given time frame. If presentation exchange isn't ready in the course of this project, a very simple workaround will be implemented to show agent-to-agent communication regarding JSON-LD credentials.

Indy Storage

Because only Aries Askar has support for multiple tag values, the Indy non-secrets storage requires a different implementation. In order to complete the project in the given time frame the Indy implementation will be omitted for now. Andrew will look into this further.

Unified Admin API

Because it's hard to foresee the possible barriers when it comes to providing a unified issuance and verification API for both Indy and JSON-LD credentials, our implementation will initially focus on separate payload formats for the credential types. However, we will investigate this topic as part of this opportunity.

Credential Manifest attachment format

At the moment, interoperability with AFGO is more important than supporting the Credential Manifest standard. Therefore we will implement the issue credential format AFGO implemented.

BBS+ Features

Below a table is given showing what BBS+ related features are in scope for this project. ZKP and selective disclosure are definitely in the scope of this project. Revocation and ZKP predicates are definitely out of scope because these are still under development. Domain proof and required disclosure are to be determined based on the availability of these features in the BBS+ library. The table will be updated accordingly.

Capability In scope
ZKP YES
Selective Disclosure YES
Domain Proof MAYBE?
Revocation NO
Required Disclosure MAYBE?
Integer ZKP Predicates NO

Projects related to this opportunity

  • Issue Credential / Present Proof V2: Stephen Klump
  • Presentation Exchange Format: Shaanjot Gill
  • Aries Agent Test Harness: Sheldon Regular
  • JSON-LD Credential Storage / Search: Andrew Whitehead

Interop with Aries Framework Go

Part of this opportunity is to show interop with at least one other framework. Aries Framework Go doesn't support the BBS+ signature suite for the credential exchange protocols yet. ACA-Py also doesn't support the presentation exchange attachment format yet. This means interop can only be partly shown, based on the progress of these features.

Feature Interop
Presentation Exchange in ACA-Py Ed25519 based credential issuance and verification between ACA-Py and AFGO
BBS+ support for Presentation Exchange in AFGO BBS+ based credential issuance and verification between ACA-Py and AFGO

Requirements

  • Credential Storage
  • AATH Issue Credential / Present Proof v2
  • Presentation Exchange
  • Present Proof v2

Phases

The four phases can be divided into two main groups which focus on non-ZKP and ZKP credential support. Below are the tasks that will be executed for each of the phases. Tasks will be described in greater detail before starting on the task at hand.

Non-ZKP JSON-LD credential support for ACA-Py

Phase 2 / 3

  • Implement issue credential attachment format as implemented in AFGO
  • Add pluggable JSON-LD signature module to ACA-Py
  • Add Ed25519 signatue suite to JSON-LD signature module
  • Add present proof attachment format. Either by integrating with presentation exchange, or creating a simple workaround format.
  • Extend support for did:key in ACA-Py
  • Extend AATH to support new credential format
  • Documentation

BBS+ based JSON-LD credential support for ACA-Py

Phase 4 / 5

  • Add Python wrapper to ffi-bbs-signatures repo
  • Add BBS signature suite to JSON-LD signature module
  • Extend JSON-LD signature module to support selective disclosure using JSON-LD framing
  • Support BBSBLS keys for did:key
  • Extend AATH to support JSON-LD credentials using BBS+ signatures
  • Documentation

Present Proof

Present Proof still needs to be implemented in ACA-Py, however a lot of the work of the opportunity can be done in parallel to this work. The indy credential format and exchange protocol can only accommodate indy based credentials. To support the exchange of JSON-LD based credentials with support for predicates and selective disclosure the DIF Presentation Exchange will be used as described in RFC 0510: Presentation-Exchange Attachment format for requesting and presenting proofs

As part of the V2 version of the present proof protocol, the Admin API will extendend to support the new dif (Presentation Exchange) format. This will mostly be in line with the presentation exchange format, removing fields that can be provided by ACA-Py, simplifying parts that can be abstracted in ACA-Py.

By providing mulitple formats in the Admin API a proposal/request for multiple proof formats can be provided. This allows the prover/verifier to select the preferred format to use.

Issue Credential

  • Credential Manifest

    • Presentation Submission OR separate Present Proof protocol
    • AFGO doesn't support credential manifest yet, uses own implementation.

  • Issue Credential V2

    • Support for multiple formats
    • Format specific data is stored in separate record
    • Credential Preview is only one layer. Credential Manifest is also limited
    • DIF Format: Select keyType / DID to use

Credential Querying / Storage

With the addition for a new credential format some way to query and store JSON-LD based credentials need to be added to ACA-Py.

We can make use of tags to filter for credentials. Tags can include:

  • Schemas (Json Schema / JSON-LD Context)
  • Attribute values (Normalize for nested values, )
  • Algorithm used

Multiple tag values can be used in Aries Askar, however not in the Indy non-secrets storage. This means the exact implementation of the query method / tag storage used is dependent on the underlying storage method.

JSON-LD VCs

To handle JSON-LD based credentials, we plan to create a few artifacts. The diagram below shows these components (shown in red) and how they relate to other, preexisting components (shown in green). A description of the components is given below.

Verifiable Credentials - Linked Data Proofs Module

This component holds the linked data proofs related functionality. Because ZKP requires additional functionality (e.g. framing), we've decided to split the functionalities of this component into two groups: ZKP and NON-ZKP (e.g. Ed25119).

Signature Suite

We plan to make the architecture in a way that it allows for pluggable signature suites. These suites can then vary in the canonicalization, digest and proof algorithms they use.

ffi-bss-signatures Python Wrapper

This component wraps Ursa's BBS+ related functionality so its accessible from withing Python. There is a repository ursa-bbs-py created by Andrew that wraps Ursa's BBS+ functionality, but it's slightly outdated and uses PyO3 to generate the Python bindings. MATTR Global has an ffi-bbs-signatures repository that currently holds fast-forward interface wrappers for both .NET and Objective-C. We think it would be best to add a Python wrapper to this repository and use that instead of the ursa-bbs-py repository.

The gap between JSON-LD Proofs and Verifiable Credentials

Whats missing:

Issue Credential

The issue credential method issues a credential by adding a linked data proof to the credential document. The steps include:

  • Verifying if all properties are present (credential, suite, document loader, verification method, purpose)
  • check credential method (port from vc.js and vc-js)
  • Check if any properties are present that are not defined in the context (port from jsonld-checker)
  • Sign

Additional tasks:

Verify Presentation

The verify presentation method verifies a verifiable presentation and its credentials. The steps include:

  • Verifying if all top level properties are present (document loader, presentation)
  • check presentation method (port from vc.js and vc-js)
  • verify all credentials
  • verify presentation
  • basic subject authentication?
Derive Proof

This is TBD. The derive proof will be used for BBS+ signatures. Important to note that no private key is needed to derive proof (at least for the unbound signature proof)

Input:

  • VC
  • Frame
  • Suite

Create Presentation

AATH

  • Focus on ACA-Py for now
  • Discussion: Multiple test suites vs same suites different inputs
  • Multiple test-suites to make implementation easier

DID:Key

  • Extend API to support multiple did methods
    • Keep sov default and without prefix?
      • {"method": "key", "options": {"keyType": "ed25519"}}
      • {"method": "key", "options": {"keyType": "bls12381g2"}}
      • {"method": "sov"} (default)
  • Add generic interface to map key to document and document to key
  • Integrate with SICPA uniresolver project?

Todo

  • Verify BBS+ flow (w/ Tobias)
  • Check w/ AFGO about:
    • Issue credential attachment format
    • BBS+ presentation exchange timeline
  • Aries attachment testing limitation
  • Task management platform

Resources

DID Key

Protocols

JSON-LD

BBS

Path for BBS inside AFGO: pkg/doc/signature/suite/{bbsblssignature2020, bbsblssignatureproof2020}

https://github.com/hyperledger/aries-framework-go/blob/1a3d640d581227fe5f6c629e71b66d12c365c0d0/pkg/doc/signature/suite/bbsblssignatureproof2020/signer_test.go

Ed25519

Last changed by 
Animo Solutions
0
1
2360

Read more

EIC Abstract

EIC Abstract

Jan 31, 2024
W3C AnonCreds in Aries Framework JavaScript

This document outlines the design of integrating W3C VC data model compliant AnonCreds credentials into Aries Framework JavaScript and Bifold.

Jan 24, 2024
Move to OWF Checklist

<input class="task-list-item-checkbox"type="checkbox"> Move repository to OWF organization

Dec 15, 2023
Project Name

Include the name of project being proposed.

Nov 16, 2023
Read more from Animo Solutions
Published on HackMD