Verifiable Credentials
TrackVision DPPs are issued as W3C Verifiable Credentials v2 with Ed25519 Data Integrity Proofs.
Standard
TrackVision uses the eddsa-jcs-2022 cryptosuite, which combines:
- Ed25519 — a fast, secure elliptic curve signature algorithm
- JCS (JSON Canonicalization Scheme, RFC 8785) — ensures consistent serialization before signing
- SHA-256 — hashes the canonicalized document before signing
- Base58btc — encodes the signature bytes as a string
Signing Algorithm
When TrackVision issues a DPP, it follows these steps:
- Prepare the document — assemble the credential with all `credentialSubject` fields but without the `proof` block
- Canonicalize — apply JCS (RFC 8785) to produce a deterministic byte sequence regardless of key ordering
- Hash — compute SHA-256 of the canonicalized bytes
- Sign — sign the SHA-256 hash using the Ed25519 private key
- Encode — encode the signature bytes using base58btc multibase
- Attach proof — add the `proof` block to the credential document
Proof Structure
```json
{
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "eddsa-jcs-2022",
    "created": "2024-01-15T10:00:00Z",
    "verificationMethod": "did:web:acme.trackvision.ai#key-1",
    "proofPurpose": "assertionMethod",
    "proofValue": "z5h5KzDHcLXwDLNHqRv8..."
  }
}
```
| Field | Description |
|---|---|
| `type` | Always `DataIntegrityProof` |
| `cryptosuite` | Always `eddsa-jcs-2022` |
| `created` | ISO 8601 UTC timestamp of signing |
| `verificationMethod` | DID URL pointing to the specific public key used |
| `proofPurpose` | Always `assertionMethod` for DPPs |
| `proofValue` | Base58btc-encoded Ed25519 signature, prefixed with `z` |
Verification Algorithm
Any party can verify a TrackVision DPP:
- Resolve the DID — fetch `https://acme.trackvision.ai/.well-known/did.json` to obtain the public key for `key-1`
- Extract the proof — remove the `proof` block from the document
- Canonicalize — apply JCS to the document without the proof
- Hash — compute SHA-256 of the canonicalized bytes
- Verify — verify the `proofValue` signature against the hash using the Ed25519 public key
- Check dates — verify `issuanceDate` and any expiry fields
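The signing and verification steps above, written out with only Node.js built-ins, as an added example that is not TrackVision's code. The key pair and credential fields are constructed for the demo, the function names (`jcs`, `signDpp`, `verifyDpp`) are illustrative, and the public key is passed in directly instead of being resolved from `did.json`.

```javascript
const crypto = require("node:crypto");
const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
// RFC 8785 (JCS): keys sorted by UTF-16 code unit, no whitespace, ECMAScript primitives.
function jcs(v) {
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map(jcs).join(",") + "]";
  return "{" + Object.keys(v).sort().map((k) => JSON.stringify(k) + ":" + jcs(v[k])).join(",") + "}";
}
function b58encode(buf) {
  let n = BigInt("0x" + (buf.toString("hex") || "0")), out = "";
  for (; n > 0n; n /= 58n) out = B58[Number(n % 58n)] + out;
  for (let i = 0; buf[i] === 0; i++) out = "1" + out; // each leading zero byte is a "1"
  return out;
}
function b58decode(str) {
  let n = 0n;
  for (const c of str) {
    if (!B58.includes(c)) throw new Error("invalid base58btc character");
    n = n * 58n + BigInt(B58.indexOf(c));
  }
  const hex = n === 0n ? "" : n.toString(16);
  const zeros = Buffer.alloc(str.match(/^1*/)[0].length); // each leading "1" is a zero byte
  return Buffer.concat([zeros, Buffer.from(hex.length % 2 ? "0" + hex : hex, "hex")]);
}
// Shared by both sides: drop the proof block, canonicalize with JCS, hash with SHA-256.
function hashWithoutProof(doc) {
  const { proof, ...unsigned } = doc;
  return crypto.createHash("sha256").update(jcs(unsigned), "utf8").digest();
}
// Issuer side, used here only to build the constructed sample below.
function signDpp(doc, privateKey, verificationMethod) {
  const proofValue = "z" + b58encode(crypto.sign(null, hashWithoutProof(doc), privateKey));
  return { ...doc, proof: { type: "DataIntegrityProof", cryptosuite: "eddsa-jcs-2022",
    created: "2024-01-15T10:00:00Z", verificationMethod, proofPurpose: "assertionMethod", proofValue } };
}
// Verifier side: pin the fixed proof fields, then check the signature; any error means not verified.
function verifyDpp(doc, publicKey) {
  const p = doc && doc.proof;
  if (!p || p.type !== "DataIntegrityProof" || p.cryptosuite !== "eddsa-jcs-2022") return false;
  if (p.proofPurpose !== "assertionMethod" || typeof p.proofValue !== "string") return false;
  if (p.proofValue[0] !== "z") return false; // multibase prefix for base58btc
  try {
    const sig = b58decode(p.proofValue.slice(1));
    return sig.length === 64 && crypto.verify(null, hashWithoutProof(doc), publicKey, sig);
  } catch { return false; }
}
// Constructed sample: throwaway key pair and made-up fields, not a real TrackVision credential.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const sampleDpp = signDpp({ credentialSubject: { id: "urn:example:product:1", material: "cotton" } },
  privateKey, "did:web:acme.trackvision.ai#key-1");
```

This follows the steps as the page lists them, where only the document without `proof` is hashed. The W3C eddsa-jcs-2022 specification also hashes the proof options (the proof without `proofValue`) and signs the two hashes concatenated, so confirm against a real credential which input is signed.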
Key Management
Each TrackVision account has a unique Ed25519 key pair:
- The private key is stored securely in the account's cloud environment and never exposed via the API
- The public key is published at `/.well-known/did.json` (see DID Web)
Verifying with Libraries
JavaScript (Node.js)
```javascript
import { verifyCredential } from "@digitalcredentials/vc";
import { Ed25519VerificationKey2020 } from "@digitalcredentials/ed25519-verification-key-2020";

const result = await verifyCredential({
  credential: dppDocument,
  documentLoader: customDocumentLoader, // resolves did:web and JSON-LD contexts
});
console.log(result.verified); // true or false
```
Python
```python
from pyld import jsonld
# Use a library such as PyNaCl for Ed25519 verification
import nacl.signing

# Resolve the DID document to get the public key bytes
# Canonicalize the credential (without proof) using JCS
# Verify signature using Ed25519 public key
```