Credential Proof Format

A compact, URL-safe token format defined in RFC 7519, widely used for representing claims between two parties. JWTs are commonly used for Bearer Tokens in OAuth 2.0 and OpenID Connect flows.

• Structure: Header (algorithm & token type), Payload (claims), and Signature.
• Proof: Uses a JSON Web Signature (JWS) to cryptographically sign the header and payload.
• Example: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkaWQ6ZXhhbXBsZToxMjMiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjJ9.signature

An emerging IETF standard designed as a successor to JWT, offering enhanced security features like selective disclosure and unlinkability. It addresses limitations in JWT for more advanced credential use cases.

• Key Features: Supports batching of multiple signatures and key binding to prevent token replay.
• Structure: Similar to JWT but with a more flexible proof mechanism defined in a separate JWP Serialization.
• Status: Currently an Internet-Draft, building on the JOSE (JSON Object Signing and Encryption) suite.

A W3C-standardized suite of proof formats for use with Linked Data Verifiable Credentials. They enable cryptographic proofs to be embedded directly within JSON-LD documents.

• Common Types: Ed25519Signature2020, JsonWebSignature2020, BbsBlsSignature2020 (for zero-knowledge proofs).
• Framework: Part of the Verifiable Credentials Data Integrity specification.
• Interoperability: Designed for the Semantic Web, allowing credentials to be processed by machines with understood meaning.

The Concise Binary Object Representation (CBOR) equivalent of a JWT, defined in RFC 8392. It provides a more compact binary serialization, making it ideal for constrained environments like IoT devices.

• Encoding: Uses CBOR instead of JSON, and the signature is a COSE (CBOR Object Signing and Encryption) structure.
• Advantage: Smaller payload size compared to base64-encoded JWTs, leading to lower bandwidth and storage requirements.
• Use Case: Common in FIDO2 authentication and other low-power device protocols.

A zero-knowledge proof-based credential format originally developed for Hyperledger Indy. It enables selective disclosure of attributes and unlinkable presentations, providing strong privacy guarantees.

• Core Tech: Based on CL Signatures (Camenisch-Lysyanskaya) and BBS+ Signatures.
• Key Feature: A user can prove they hold a credential without revealing its entire contents, and multiple presentations cannot be linked back to the same credential issuance.
• Ecosystem: A core component of the Indy and Aries frameworks for decentralized identity.

An IETF-standardized format (RFC 9479) that extends JWTs to support selective disclosure of claims using hash digests. It allows a holder to reveal only specific claims from a signed JWT.

• Mechanism: The issuer provides a JWT with disclosed claims and a set of disclosure objects for hidden claims. The holder presents only the disclosures they wish to share.
• Proof: Integrity is maintained because each disclosure contains a digest that is signed in the original JWT.
• Application: Gaining traction for OpenID for Verifiable Credentials (OID4VC) and OpenID4VP.

The W3C Verifiable Credentials (VC) Data Model is the foundational standard for representing credentials in a cryptographically secure, privacy-respecting, and machine-verifiable manner. It defines the core data model using JSON-LD, specifying the structure of a Credential, Presentation, and the proofs that bind them to a Decentralized Identifier (DID).

• Core Components: issuer, credentialSubject, issuanceDate, proof.
• Proof Types: Supports multiple cryptographic suites (e.g., Ed25519Signature2020, BbsBlsSignature2020).
• Use Case: The standard underpins digital driver's licenses, educational certificates, and portable KYC proofs.

A JSON Web Token (JWT) can be used as a compact, URL-safe representation of a Verifiable Credential, defined in the W3C VC-JWT specification. It encodes claims in a JSON object as a JWS (JSON Web Signature) or JWE (JSON Web Encryption).

• Structure: Header (alg, typ), Payload (VC claims), Signature.
• Advantages: Ubiquitous library support, compact serialization, easy for HTTP-based APIs.
• Limitations: Less expressive for linked data than JSON-LD, though JWT-VC profiles exist for compliance.

AnonCreds is a credential format and protocol, originally developed for Hyperledger Indy, optimized for privacy-preserving, zero-knowledge proof presentations. It uses CL signatures (Camenisch-Lysyanskaya) and link secrets to enable selective disclosure and predicate proofs.

• Key Feature: Supports issuer-independent correlation resistance; presentations reveal no persistent identifier.
• Data Model: Uses a Schema, Credential Definition, and Revocation Registry.
• Ecosystem: Native to Indy-based networks like Sovrin and forms the basis for the AnonCreds v2 W3C community standard.

Selective Disclosure for JWTs (SD-JWT) is an IETF draft standard that enables the selective disclosure of claims within a JWT-based Verifiable Credential. It allows a holder to reveal only specific claims from a signed credential, enhancing privacy.

• Mechanism: Uses cryptographic hashes in a disclosure array; the verifier receives only the disclosed claims and can verify their integrity against the signed SD-JWT.
• Use Case: Ideal for scenarios requiring granular data minimization, such as proving age without revealing birthdate or name.
• Interoperability: Designed to work alongside the W3C VC Data Model.

BBS+ (Boneh-Boyen-Shacham) Signatures are a core cryptographic primitive for zero-knowledge proof formats like BbsBlsSignature2020. They enable signature proof of knowledge, allowing a holder to create a derived proof from a single master signature, disclosing only a subset of claims.

• Linked Data Proofs: Used within JSON-LD signatures, defined by the Linked Data Proofs specification.
• Capability: Enables unlinkable presentations and complex predicate proofs (e.g., age > 21).
• Standardization: Part of the W3C VC Data Integrity specification suite.

EIP-712 is an Ethereum standard for typed structured data signing. While not a credential format per se, it is a critical proof format for off-chain agreements and credentials in the EVM ecosystem, providing human-readable signing requests.

• Structure: Defines a domain, types, and message to be signed, producing a verifiable Ethereum signature.
• Application: Used for Sign-In with Ethereum (SIWE), DAO governance votes, and verifiable off-chain attestations.
• Verification: Signatures can be verified on-chain by smart contracts or off-chain by any EIP-712 compatible verifier.

A Verifiable Credential is the foundational data model for digital credentials, standardized by the W3C. It is a tamper-evident credential with a cryptographically secure authorship that can be presented as proof.

• Structure: Contains claims (e.g., name, age), metadata, and proofs.
• Role: The Credential Proof Format is the specific mechanism used to sign and prove the authenticity of a VC.

A Decentralized Identifier is a globally unique identifier controlled by the subject (e.g., a person or organization) without reliance on a central registry. It is a core component of the decentralized identity stack.

• Function: DIDs are often the issuer or holder in a Verifiable Credential.
• Link to Proofs: DID Documents contain public keys used to create and verify credential proofs.

A Verifiable Presentation is the data format used to present one or more Verifiable Credentials to a verifier. It packages credentials and can include its own proof.

• Purpose: Enables selective disclosure and combines multiple credentials in a single response.
• Proof Layer: A VP uses a Credential Proof Format (like a JWT or Data Integrity proof) to cryptographically bind the presentation to the holder.

JSON Web Token is a compact, URL-safe token format defined in RFC 7519, commonly used as a Credential Proof Format for Verifiable Credentials (VC-JWT).

• Mechanism: Embeds the credential payload in a signed JWT structure.
• Common Use: A widely implemented standard for its simplicity and library support, though it lacks native support for advanced cryptographic suites like BBS+ signatures.

Data Integrity Proofs are a W3C standard for cryptographically linking a proof to the credential data itself, independent of the serialization format (JSON, CBOR).

• Core Concept: Uses Linked Data Signatures to create a cryptographic hash of the canonicalized credential data.
• Advantage: Enables cryptographic agility and supports advanced signature schemes like BBS+ for selective disclosure and zero-knowledge proofs.