N3 and Verifiable Claims

[bblfish]

I wonder if there is a mistake somewhere in the tool chain or in the modelling of Verifiable Claims.
Using the process described in issue 1 of Jen3 I took the Verfiable Claim Model example 6

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ],
  "id": "http://example.edu/credentials/3732",
  "type": [
    "VerifiableCredential",
    "UniversityDegreeCredential"
  ],
  "issuer": "https://example.edu/issuers/565049",
  "issuanceDate": "2010-01-01T00:00:00Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "BachelorDegree",
      "name": "Bachelor of Science and Arts"
    }
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2022-02-25T14:58:43Z",
    "verificationMethod": "https://example.edu/issuers/565049#key-1",
    "proofPurpose": "assertionMethod",
    "proofValue": "zeEdUoM7m9cY8ZyTpey83yBKeBcmcvbyrEQzJ19rD2UXArU2U1jPGoEt
rRvGYppdiK37GU4NBeoPakxpWhAvsVSt"
  }
}

and translated it to the following N3

@prefix sec:     <https://w3id.org/security#> .
@prefix cred:    <https://www.w3.org/2018/credentials#> .
@prefix eg:      <https://example.org/examples#> .
@prefix rdf:     <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix xsd:     <http://www.w3.org/2001/XMLSchema#> .
@prefix dc:      <http://purl.org/dc/terms/> .
@prefix sch:     <https://schema.org/> .
        
<http://example.edu/credentials/3732>
    a   cred:VerifiableCredential ;
    a   eg:UniversityDegreeCredential ;
    cred:issuer <https://example.edu/issuers/565049> ;
    cred:issuanceDate "2010-01-01T00:00:00Z"^^xsd:dateTime ;
    cred:credentialSubject
        <did:example:ebfeb1f712ebc6f1c276e12ec21> ;
    sec:proof {
      []  dc:created "2022-02-25T14:58:43Z"^^xsd:dateTime ;
        rdf:type sec:Ed25519Signature2020 ;
        sec:proofPurpose sec:assertionMethod ;
        sec:proofValue "zeEdUoM7m9cY8ZyTpey83yBKeBcmcvbyrEQzJ19rD2UXArU2U1jPGoEtrRvGYppdiK37GU4NBeoPakxpWhAvsVSt"^^sec:multibase; 
        sec:verificationMethod
              <https://example.edu/issuers/565049#key-1> .        
    } .

<did:example:ebfeb1f712ebc6f1c276e12ec21>
    eg:degree [ 
      a   eg:BachelorDegree ;
      sch:name "Bachelor of Science and Arts"^^rdf:HTML .
    ].

I am doing this for the purpose of modeling access control using the says logic discussed in issue 203.

Anyway: it seems to me, looking at this, that the proof should not be inside the graph of the credential it is signing but outside of it because a signature must be about precisely specified content.

So I would have expected instead:

{
<http://example.edu/credentials/3732>
    a   cred:VerifiableCredential ;
    a   eg:UniversityDegreeCredential ;
    cred:issuer <https://example.edu/issuers/565049> ;
    cred:issuanceDate "2010-01-01T00:00:00Z"^^xsd:dateTime ;
    cred:credentialSubject [ id <did:example:ebfeb1f712ebc6f1c276e12ec21> 
            eg:degree [  a   eg:BachelorDegree ;
                   sch:name "Bachelor of Science and Arts"^^rdf:HTML ]
}  sec:proof [  dc:created "2022-02-25T14:58:43Z"^^xsd:dateTime ;
        rdf:type sec:Ed25519Signature2020 ;
        sec:proofPurpose sec:assertionMethod ;
        sec:proofValue "zeEdUoM7m9cY8ZyTpey83yBKeBcmcvbyrEQzJ19rD2UXArU2U1jPGoEtrRvGYppdiK37GU4NBeoPakxpWhAvsVSt"^^sec:multibase; 
        sec:verificationMethod
              <https://example.edu/issuers/565049#key-1> ]

or something along those lines where it is clear what the signed triples are.

That is, the graph to be signed must be a quoted graph, and the signature proof of it is an external description of that graph.

So it looks like we ended up with the opposite of what is logically needed.

[bblfish]

Another way of thinking in terms of the logic of saying that. The signed entity is a claim that someone - the issuer- says. The claim must be quoted (as a statement) because it should only be agreed to if the proof accompanying it is verified.

[bblfish]

Here is the result of doing this with Example 1 from the VC Data Model, for which I

1. placed the Jsonld online here https://bblfish.net/tmp/2023/08/vcdm.ex1.jsonld
2. transformed the Jsonld to NQuads
   https://bblfish.net/tmp/2023/08/vcdm.ex1.nq
   doing that we notice that
   • a number of relations are in the format <sec:jws>, <sec:proofPurpose>, and <sec:verificationMethod>. The
     json-ld playground gives a similar result, so there likely some error in the jsonld
   • there are two blank nodes instead of the typed literal
     <did:example:c276e12ec21ebfeb1f712ebc6f1> <http://schema.org/name> _:B52010219273f9988e88de78875c6268a .
3. grouping the triples with the same name in a context, adding the needed namespace, fixing the relations and the literal gives this simple n3
   https://bblfish.net/tmp/2023/08/vcdm.ex1.step1.n3
4. Then, after compiling jen3 as as shown in issue jen3 issue 1

$ mvn install -Drat.skip=true

one can run a local version of the nqish2n3.sc scala-cli script

import org.apache.jen3.rdf.model.Model
import org.apache.jen3.rdf.model.ModelFactory
import org.apache.jen3.sys.JenaSystem
import org.apache.jen3.n3.N3ModelSpec.Types.N3_MEM_FP_INF
import org.apache.jen3.n3.N3ModelSpec
import java.io.FileInputStream
import org.apache.jen3.n3.io.N3JenaWriterFull

val spec = N3ModelSpec.get(N3_MEM_FP_INF)
val m = ModelFactory.createN3Model(spec)
m.read(new FileInputStream(args(0)), null)

m.setNsPrefix("sec","https://w3id.org/security#")
m.setNsPrefix("cred","https://www.w3.org/2018/credentials#")
m.setNsPrefix("eg","https://example.org/examples#")
val wr = new org.apache.jen3.n3.io.N3JenaWriterFull(true)
wr.write(m, System.out, null)

with the following command

$ scala-cli run -r m2Local --dependency org.apache.jena:jen3-core:3.14.0-SNAPSHOT nqish2n3.sc -- vcdm.ex1.step1.n3

which results in the following easier to read n3

@prefix sec:     <https://w3id.org/security#> .
@prefix cred:    <https://www.w3.org/2018/credentials#> .
@prefix eg:      <https://example.org/examples#> .
@prefix rdf:     <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix log:     <http://www.w3.org/2000/10/swap/log#> .
@prefix in:      <http://n3.w3c.org/builtin/input#> .
@prefix xsd:     <http://www.w3.org/2001/XMLSchema#> .
@prefix rdfs:    <http://www.w3.org/2000/01/rdf-schema#> .
@prefix math:    <http://www.w3.org/2000/10/swap/math#> .
@prefix list:    <http://www.w3.org/2000/10/swap/list#> .

<did:example:c276e12ec21ebfeb1f712ebc6f1>
    <http://schema.org/name>
        "Exemple d'Université"@fr ;
    <http://schema.org/name>
        "Example University"@en .

<did:example:ebfeb1f712ebc6f1c276e12ec21>
    <http://schema.org/alumniOf>
        <did:example:c276e12ec21ebfeb1f712ebc6f1> .

<http://example.edu/credentials/1872>
    cred:issuer <https://example.edu/issuers/565049> ;
    a   eg:AlumniCredential ;
    a   cred:VerifiableCredential ;
    cred:issuanceDate "2010-01-01T19:23:24Z"^^xsd:dateTime ;
    cred:credentialSubject
        <did:example:ebfeb1f712ebc6f1c276e12ec21> ;
    sec:proof {
            _:b1  rdf:type sec:RsaSignature2018 .
            _:b1  <http://purl.org/dc/terms/created>
                    "2017-06-18T21:19:10Z"^^xsd:dateTime .
            _:b1  sec:jws "eyJhbGciOiJSUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM" .
            _:b1  sec:proofPurpose sec:assertionMethod .
            _:b1  sec:verificationMethod
                    <https://example.edu/issuers/565049#key-1> .        } .

This again seems to indicate that the signature is wrongly in the context where it should be a blank node, and that some part of the rest of the description should be in an n3 context { ... } namely that part that is being signed.