w3c · msporny · Jun 27, 2023 · Jun 2, 2023 · Jun 2, 2023 · Jun 2, 2023
@@ -2595,6 +2595,119 @@ <h3>Data Schemas</h3>
 
  </section>
 
+ <section>
+ <h2>External Resource Integrity</h2>
+ <p>
+ When including a link to an external resource in a VC, it is 
+ desirable to know whether the resource that is pointed to is the
+ same at signing time as at verification time. This applies
+ to cases where there is an external resource that is
+ remotely retrieved as well as to cases where the issuer and/or
+ verifier may have local cached copies of a resource.
+ </p>
+ <p>
+ It is also desirable to know that the contents of the
+ context(s) used in the verifiable credential are the same when
+ used by both the issuer and verifier. 
+ </p>
+ <p>
+ To validate that a resource referenced by a Verifiable Credential is
+ the same at verification time as at issuing time, an implementer
+ MAY include a property named <code>resourceIntegrity</code> that
+ stores an array of objects that describe additional integrity
+ metadata about each resource referenced by the VC. If
+ <code>resourceIntegrity</code>
+ is present, there MUST be an object in the array for each remote
+ resource.
+ </p>
+ <p>
+ Each object in the
+ <code>resourceIntegrity</code> array MUST contain the following:
+ the URL to the resource named <code>id</code>, a
+ <code>timestamp</code>
+ that indicates the time at which the hash was computed, the
+ <code>digest</code>
+ of the resource, and the <code>method</code> which indicates what
+ hashing algorithm was used as listed as the 'Hash Name String'
+ property from the <a
+ href="https://www.iana.org/assignments/named-information/named-information.xhtml">IANA
+ Named Information Hash Algorithm Registry</a>. 
+ The <code>digest</code> property MUST be the base64url [[RFC 4648]]
+ encoded digest of the hash.
+ The <code>timestamp</code> property MUST be a string value of an
+ [[XMLSCHEMA11-2]] combined date-time string. An implementer MAY
+ include other fields in each object.
+ </p>
+ <p>
+ An object in the <code>resourceIntegrity</code> array MAY contain
+ a property named <code>mediaType</code> that indicates the 
+ expected media type for the indicated <code>resource</code>.
+ If a <code>mediaType</code> is included it must be a valid
+ media type as listed in the 
+ <a href="https://www.iana.org/assignments/media-types/media-types.xhtml">
+ IANA Media Types
+ </a> registry.
+ </p>
+ <p>
+ An object in the <code>resourceIntegrity</code> array MAY contain
+ additional properties.
+ </p>
+ <p>
+ Implementers SHOULD consult appropriate sources, such as the <a
+ href="https://www.iana.org/assignments/named-information/named-information.xhtml">IANA
+ Named Information Hash Algorithm Registry</a> to ensure that they
+ are chosing a current and reliable hash algorithm. At the time of
+ this writing `sha-256` SHOULD be considered the minimum strength
+ hash algorithm for use by implemnters.
- are chosing a current and reliable hash algorithm. At the time of
- this writing `sha-256` SHOULD be considered the minimum strength
- hash algorithm for use by implemnters.
+ are chosing a current and reliable hash algorithm. At the time of
+ this writing `sha-256` SHOULD be considered the minimum strength
+ hash algorithm for use by implementers.
- are chosing a current and reliable hash algorithm. At the time of
- this writing `sha-256` SHOULD be considered the minimum strength
- hash algorithm for use by implemnters.
+ are chosing a current and reliable hash algorithm. At the time of
+ this writing `sha-256` SHOULD be considered the minimum strength
+ hash algorithm for use by implementers.
+ </p>
+ <p class="issue">
+ The working group is discussing if we will adopt subresource integrity as defined in [[SRI]] is
+ adopted into the [[JSON-LD]] specification as noted in that
+ specifications <a
+ href="https://www.w3.org/TR/json-ld11/#security">current security
+ considerations</a> of that specification, this hash in the VC can
+ serve as an additional check towards ensuring that a cached
+ context used when issuing the VC matches the remote resource.
+ </p>
+ <p>
+ <aside
+ class="example"
+ title="resource integrity"
+ >
+ <p>An example of a resource integrity object referencing contexts</p>
+ <pre>
+ "resourceIntegrity": [{
+ "id": "https://www.w3.org/ns/credentials/v2",
+ "timestamp": "2023-06-07T19:23:24Z", 
+ "digest": "zMxXZRc9wGRgtsdFaCaqluKtZbyEz-emTp4Y1k1wBvgKNYguD7qTACwjWOTUgB-A", 
+ "method": "sha3-384" 
+ },{
+ "id": "https://www.w3.org/ns/credentials/examples/v2",
+ "timestamp": "2023-06-07T17:32:15Z", 
+ "digest": "STCt_TVvy-QH6PCA8IDH7tw0dsBsgkewEl9VjCDwvUCVPz5M10dUhrMG9f2Q82MA", 
+ "method": "sha2-256" 
+ }]
+ </pre>
+ </aside>
+ </p>
+ <p>
+ <aside
+ class="example"
+ title="resource integrity over image"
+ >
+ <p>An example of a resource integrity object refering to an image</p>
+ <pre>
+ "resourceIntegrity": [{
+ "id": "https://www.w3.org/Icons/w3c_home.png",
+ "timestamp": "2023-06-05T19:23:24Z", 
+ "digest": "1yfsvHgO9SsCngATZ3r6NsFODzGzDfttlGc5gA3Qkm_08yJb4fepTXbAK6IRZ2C-", 
+ "method": "sha3-384" 
+ }]
+ </pre>
+ </aside>
+ </p>
+ </section>
+
  <section>
  <h3>Refreshing</h3>