This document describes the Security Vocabulary, i.e., the vocabulary used to ensure the authenticity and integrity of Verifiable Credentials and similar types of constrained digital documents using cryptography, especially through the use of digital signatures and related mathematical proofs .
Alternate versions of the vocabulary definition exist in Turtle and JSON-LD.
Comments regarding this document are welcome. Please file issues directly on GitHub, or send them to public-vc-comments@w3.org (subscribe, archives).
In general, the terms — i.e., the properties and classes — used in the VCDM are formally specified in Recommendation Track documents published by the W3C Verifiable Credentials Working Group or, for some deprecated or reserved terms, in Reports published by the W3C Credentials Community Group. In each case of such external definition, the term's description in this document contains a link to the relevant specification. Additionally, the `rdfs:definedBy` property in the RDFS representation(s) refers to the formal specification.
In some cases, a local explanation is necessary to complement, or to replace, the definition found in an external specification. For instance, this is so when the term is needed to provide a consistent structure to the RDFS vocabulary, such as when the term defines a common supertype for class instances that are used as objects of specific properties, or when RDF Graphs are involved. For such cases, the extra definition is included in the current document (and the `rdfs:comment` property is used to include them in the RDFS representations).
This specification makes use of the following namespaces:
sec
https://w3id.org/security#
cred
https://www.w3.org/2018/credentials#
dc
http://purl.org/dc/terms/
owl
http://www.w3.org/2002/07/owl#
rdf
http://www.w3.org/1999/02/22-rdf-syntax-ns#
rdfs
http://www.w3.org/2000/01/rdf-schema#
xsd
http://www.w3.org/2001/XMLSchema#
vs
http://www.w3.org/2003/06/sw-vocab-status/ns#
schema
http://schema.org/
jsonld
http://www.w3.org/ns/json-ld#
@context
filesThe following @context
files make use of the terms defined in this specification:
The following are property definitions in the sec
namespace.
verificationMethod
Verification method
See the formal definition of the term.
VerificationMethod
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
controller
Controller
See the formal definition of the term.
The property's value should be a URL, i.e., not a literal.
VerificationMethod
@contexts
:https://w3id.org/security/multikey/v1
, https://w3id.org/security/jwk/v1
, https://www.w3.org/ns/did/v1
proof
Proof sets
See the formal definition of the term.
ProofGraph
@contexts
:https://www.w3.org/ns/credentials/v2
, https://w3id.org/security/data-integrity/v2
domain
Domain of a proof
See the formal definition of the term.
xsd:string
Proof
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
challenge
Challenge of a proof
See the formal definition of the term.
xsd:string
Proof
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
previousProof
Previous proof
See the formal definition of the term.
Proof
Proof
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
proofPurpose
Proof purpose
See the formal definition of the term.
xsd:string
Proof
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
proofValue
Proof value
See the formal definition of the term.
multibase
Proof
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
created
Proof creation time
See the formal definition of the term.
xsd:dateTime
Proof
@context
:https://w3id.org/security/data-integrity/v2
expiration
Expiration time for a proof or verification method
See the formal definition of the term.
xsd:dateTime
Proof
VerificationMethod
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
nonce
Nonce supplied by proof creator
See the formal definition of the term.
xsd:string
Proof
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
authentication
Authentication method
See the formal definition of the term.
VerificationMethod
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
, https://www.w3.org/ns/did/v1
assertionMethod
Assertion method
See the formal definition of the term.
VerificationMethod
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
, https://www.w3.org/ns/did/v1
capabilityDelegationMethod
Capability delegation method
See the formal definition of the term.
VerificationMethod
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
, https://www.w3.org/ns/did/v1
capabilityInvocationMethod
Capability invocation method
See the formal definition of the term.
VerificationMethod
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
, https://www.w3.org/ns/did/v1
keyAgreementMethod
Key agreement protocols
See the formal definition of the term.
VerificationMethod
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
, https://www.w3.org/ns/did/v1
cryptosuite
Cryptographic suite
See the formal definition of the term.
cryptosuiteString
DataIntegrityProof
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
publicKeyMultibase
Public key multibase
See the formal definition of the term.
multibase
Multikey
@context
:https://w3id.org/security/multikey/v1
secretKeyMultibase
Secret key multibase
See the formal definition of the term.
multibase
Multikey
@context
:https://w3id.org/security/multikey/v1
publicKeyJwk
Public key JWK
See the formal definition of the term.
rdf:JSON
JsonWebKey
@context
:https://w3id.org/security/jwk/v1
secretKeyJwk
Secret key JWK
See the formal definition of the term.
rdf:JSON
JsonWebKey
@context
:https://w3id.org/security/jwk/v1
revoked
Revocation time
See the formal definition of the term.
xsd:dateTime
VerificationMethod
@context
:https://w3id.org/security/jwk/v1
digestMultibase
Digest multibase
See the formal definition of the term.
multibase
@context
:https://www.w3.org/ns/credentials/v2
The following are class definitions in the sec
namespace.
Proof
Digital proof
See the formal definition of the term.
previousProof
domain
, challenge
, previousProof
, proofPurpose
, proofValue
, created
, nonce
expiration
@context
:https://w3id.org/security/data-integrity/v2
ProofGraph
An RDF Graph for a digital proof
proof
VerificationMethod
Verification method
See the formal definition of the term.
verificationMethod
, authentication
, assertionMethod
, capabilityDelegationMethod
, capabilityInvocationMethod
, keyAgreementMethod
controller
, revoked
expiration
@context
:https://w3id.org/security/data-integrity/v2
DataIntegrityProof
A Data Integrity Proof
See the formal definition of the term.
Proof
cryptosuite
@contexts
:https://w3id.org/security/data-integrity/v2
, https://www.w3.org/ns/credentials/v2
Multikey
Multikey Verification Method
See the formal definition of the term.
VerificationMethod
publicKeyMultibase
, secretKeyMultibase
@context
:https://w3id.org/security/multikey/v1
JsonWebKey
JSON Web Key Verification Method
See the formal definition of the term.
VerificationMethod
publicKeyJwk
, secretKeyJwk
@context
:https://w3id.org/security/jwk/v1
Ed25519VerificationKey2020
ED2559 Verification Key, 2020 version
See the formal definition of the term.
VerificationMethod
Ed25519Signature2020
Ed25519 Signature Suite, 2020 version
See the formal definition of the term.
Proof
ProcessingError
Processing error
See the formal definition of the term.
The following are datatype definitions in the sec
namespace.
cryptosuiteString
Datatype for cryptosuite Identifiers
See the formal definition of the term.
xsd:string
cryptosuite
@context
:https://w3id.org/security/data-integrity/v2
multibase
Datatype for multibase values
See the formal definition of the term.
xsd:string
proofValue
, publicKeyMultibase
, secretKeyMultibase
, digestMultibase
@context
:https://w3id.org/security/multikey/v1
The following are definitions for individuals in the sec
namespace.
PROOF_GENERATION_ERROR
Proof generation error
See the formal definition of the term.
ProcessingError
MALFORMED_PROOF_ERROR
Malformed proof
See the formal definition of the term.
ProcessingError
MISMATCHED_PROOF_PURPOSE_ERROR
Mismatched proof purpose
See the formal definition of the term.
ProcessingError
INVALID_DOMAIN_ERROR
Invalid proof domain
See the formal definition of the term.
ProcessingError
INVALID_CHALLENGE_ERROR
Invalid challenge
See the formal definition of the term.
ProcessingError
INVALID_VERIFICATION_METHOD_URL
Invalid verification method URL
See the formal definition of the term.
ProcessingError
INVALID_CONTROLLER_DOCUMENT_ID
Invalid controller document id
See the formal definition of the term.
ProcessingError
INVALID_CONTROLLER_DOCUMENT
Invalid controller document
See the formal definition of the term.
ProcessingError
INVALID_VERIFICATION_METHOD
Invalid verification method
See the formal definition of the term.
ProcessingError
INVALID_PROOF_PURPOSE_FOR_VERIFICATION_METHOD
Invalid proof purpose for verification method
See the formal definition of the term.
ProcessingError
All terms in this section are reserved. Implementers may use these properties, but should expect them and/or their meanings to change during the process to normatively specify them.
The following are reserved property definitions in the sec
namespace.
allowedAction
Allowed action (reserved)
See the formal definition of the term.
capabilityChain
Capability chain (reserved)
See the formal definition of the term.
capabilityAction
Capability action (reserved)
See the formal definition of the term.
caveat
Caveat (reserved)
See the formal definition of the term.
delegator
Delegator (reserved)
See the formal definition of the term.
invocationTarget
Invocation target (reserved)
See the formal definition of the term.
invoker
Invoker (reserved)
See the formal definition of the term.
All terms in this section are deprecated, and are only kept in this vocabulary for backward compatibility.
New applications should not use them.
The following are deprecated property definitions in the sec
namespace.
blockchainAccountId
Blockchain account ID (deprecated)
See the formal definition of the term.
xsd:string
ethereumAddress
Ethereum address (deprecated)
See the formal definition of the term.
xsd:string
publicKeyBase58
Base58-encoded Public Key (deprecated)
See the formal definition of the term.
xsd:string
publicKeyPem
Public key PEM (deprecated)
See the formal definition of the term.
xsd:string
publicKeyHex
Hex-encoded version of public Key (deprecated)
See the formal definition of the term.
xsd:string
jws
Json Web Signature (deprecated)
See the formal definition of the term.
The following are deprecated class definitions in the sec
namespace.
Key
Cryptographic key (deprecated)
EcdsaSecp256k1Signature2019
ecdsa-sep256k1, 2019 version (deprecated)
See the formal definition of the term.
EcdsaSecp256k1Signature2020
ecdsa-sep256k1, 2020 version (deprecated)
See the formal definition of the term.
EcdsaSecp256k1VerificationKey2019
ecdsa-secp256k1 verification key, 2019 version (deprecated)
See the formal definition of the term.
Key
EcdsaSecp256k1RecoverySignature2020
ecdsa-secp256k1 recovery signature, 2020 version (deprecated)
See the formal definition of the term.
EcdsaSecp256k1RecoveryMethod2020
ecdsa-secp256k1 recovery method, 2020 version (deprecated)
See the formal definition of the term.
MerkleProof2019
Merkle Proof (deprecated)
See the formal definition of the term.
X25519KeyAgreementKey2019
X25519 Key Agreement Key, 2019 version (deprecated)
See the formal definition of the term.
Ed25519VerificationKey2018
ED2559 Verification Key, 2018 version (deprecated)
See the formal definition of the term.
JsonWebKey2020
JSON Web Key, 2020 version (deprecated)
See the formal definition of the term.
JsonWebSignature2020
JSON Web Signature, 2020 version (deprecated)
See the formal definition of the term.
BbsBlsSignature2020
BBS Signature, 2020 version (deprecated)
See the formal definition of the term.
BbsBlsSignatureProof2020
BBS Signature Proof, 2020 version (deprecated)
See the formal definition of the term.
Bls12381G1Key2020
BLS 12381 G1 Signature Key, 2020 version (deprecated)
See the formal definition of the term.
Bls12381G2Key2020
BLS 12381 G2 Signature Key, 2020 version (deprecated)
See the formal definition of the term.
The diagram uses boxes, ellipses, and connecting lines with different "styles" (border color, end marker, line type) to differentiate their semantic meaning; these styles identify Property, Class, or Datatype, via the shapes used for the graph nodes, and Superclass, Domain Of, Range, or Contains, via the styles of the connecting lines. These style names are used in the explanation text that follows, below.
The diagram is roughly divided into left and right sections (although there are some common nodes; see later). To make this description easier to understand, these will be referred to as the "Proof Section" and the "Verification Section". Each of these sections has an ellipse at the top, styled as Class, and respectively labeled as "Proof" and "VerificationMethod".
The left side of the Proof Section contains another ellipse, styled as Class and labeled as "ProofGraph", and connected to the ellipse labeled as "Proof" with a connecting line styled as Contains. There is also a box, styled as Property and labeled as "proof", connected to the ellipse labeled as "ProofGraph" with a connecting line styled as Range.
There are two more ellipses in this section, styled as Class and labeled as "Ed25519Signature2020" and "DataIntegrityProof", each connected to the ellipse labeled as "Proof" with connecting lines styled as Superclass. The ellipse labeled as "DataIntegrityProof" is also connected to a box styled as Property, and labeled as "cryptosuite", with a connecting line styled as Domain Of. The "cryptosuite" Property box is connected to a shape styled as Datatype and labeled as "cryptosuiteString", with a connecting line styled as Range.
The right side of the Section contains a column of labeled boxes, all styled as Property. The labels, from top to bottom, are "previousProof", "domain", "challenge", "proofPurpose", "nonce", "created", "proofValue". The ellipse labeled as "Proof" is connected to all of these with connecting lines styled as Domain Of. The box labeled as "previousProof" is also connected to the ellipse labeled as "Proof" with a connecting line styled as Range. The box labeled as "proofValue" is connected to a shape styled as Datatype and labeled as "multibase", with a connecting line styled as Range. Finally, another box, styled as Property and labeled as "digestMultibase", is connected to the same "multibase" Datatype shape with a connecting line styled as Range.
The right side of this Section contains a column of labeled boxes, all styled as Property. The labels, from top to bottom, are "verificationMethod", "authentication", "assertionMethod", "capabilityDelegation", "capabilityInvocation", and "keyAgreement". Each of these boxes is connected to the ellipse labeled "VerificationMethod", with a connecting line styled as Range.
The left side of this Section contains a column of three labeled boxes, all styled as Property. The labels, from top to bottom, are "expires", "controller", and "revoked". Each of these is connected to the ellipse labeled "VerificationMethod", with connecting lines styled as Domain Of. The "expires" Property box is also connected to the ellipse labeled "Proof" in the Proof Section, with a connecting line styled as Domain Of.
The middle of this section contains three ellipses, styled as Class, and labeled as "Multikey, "Ed25519VerificationKey2020", and "JsonWebKey". Each of these is connected to the ellipse labeled as "VerificationMethod" with a connecting line styled as Superclass.
Two boxes, styled as Property and labeled as "secretKeyMultibase" and "publicKeyMultibase", are connected to the ellipse labeled as "Multikey" with a connecting line styled as Domain Of. Each of these boxes is also connected to the shape in the Proof section styled as Datatype and labeled as "multibase", with connecting lines styled as Range.
Finally, two boxes, styled as Property and labeled "secretKeyJwk" and "publicKeyJwk", are connected to the ellipse labeled "JsonWebKey" with a connecting line styled as Domain Of. Each of these boxes is also connected to a shape styled as Datatype and labeled as "rdf:JSON", with connecting lines styled as Range.