From ca8fa18be19ec236473b6c75291e6f41775d64cf Mon Sep 17 00:00:00 2001
From: "Michael B. Jones" <michael_b_jones@hotmail.com>
Date: Tue, 27 Aug 2024 10:58:13 +1200
Subject: [PATCH] Describe encrypting secured credentials and presentations
 (#293)

* Describe encrypting secured credentials and presentations

* Apply suggestions from code review

Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>

---------

Co-authored-by: Gabe <7622243+decentralgabe@users.noreply.github.com>
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
---
 index.html | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/index.html b/index.html
index 17f3389..ec30d54 100644
--- a/index.html
+++ b/index.html
@@ -263,6 +263,14 @@ <h2 id="securing-with-jose">Securing JSON-LD Verifiable Credentials with JOSE</h
                 A [=conforming JWS verifier implementation=] MUST use [[RFC7515]] to verify [=conforming JWS documents=]
                 that use this media type.
             </p>
+	    <p>
+	      To encrypt a secured [=verifiable credential=]
+	      when transmitting over an insecure channel,
+	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
+	      by nesting the secured [=verifiable credential=]
+	      as the plaintext payload of a JWE,
+	      per the description of Nested JWTs in [[RFC7519]].
+	    </p>
             <pre class="example nohighlight vc" data-vc-tabs="jose" title="A simple example of a verifiable credential secured with JOSE">
 {
   "@context": [
@@ -333,6 +341,14 @@ <h2 id="securing-vps-with-jose">Securing JSON-LD Verifiable Presentations with J
                 Credentials in verifiable presentations MUST be secured.
                 These credentials are secured using JWS in this case.
             <p>
+	    <p>
+	      To encrypt a secured [=verifiable presentation=]
+	      when transmitting over an insecure channel,
+	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
+	      by nesting the secured [=verifiable presentation=]
+	      as the plaintext payload of a JWE,
+	      per the description of Nested JWTs in [[RFC7519]].
+	    </p>
 
             <pre class="example nohighlight vc" data-vc-tabs="jose"
                  title="A simple example of a verifiable presentation secured with JOSE with the EnvelopedVerifiableCredential type">
@@ -476,6 +492,14 @@ <h2 id="securing-with-sd-jwt">Securing JSON-LD Verifiable Credentials with SD-JW
                 limited to <a data-cite="VC-DATA-MODEL-2.0#status"><code>credentialStatus</code></a>
                 and <a data-cite="VC-DATA-MODEL-2.0#data-schemas"><code>credentialSchema</code></a>.
             </p>
+	    <p>
+	      To encrypt a secured [=verifiable credential=]
+	      when transmitting over an insecure channel,
+	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
+	      by nesting the secured [=verifiable credential=]
+	      as the plaintext payload of a JWE,
+	      per the instructions in Section 11.2 of [[SD-JWT]].
+	    </p>
 
             <pre class="example nohighlight vc" data-vc-tabs="sd-jwt"
                  title="A simple example of a verifiable credential secured with SD-JWT">
@@ -555,6 +579,15 @@ <h2 id="securing-vps-sd-jwt">Securing JSON-LD Verifiable Presentations with SD-J
                 limited to <a data-cite="VC-DATA-MODEL-2.0#status"> <code>credentialStatus</code></a>
                 and <a data-cite="VC-DATA-MODEL-2.0#data-schemas"> <code>credentialSchema</code></a>.
             </p>
+	    <p>
+	      To encrypt a secured [=verifiable presentation=]
+	      when transmitting over an insecure channel,
+	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
+	      by nesting the secured [=verifiable presentation=]
+	      as the plaintext payload of a JWE,
+	      per the instructions in Section 11.2 of [[SD-JWT]].
+	    </p>
+
             <pre class="example nohighlight vc" data-vc-tabs="sd-jwt"
                  title="A simple example of a verifiable presentation secured with SD-JWT using the EnvelopedVerifiableCredential type">
 {
@@ -630,6 +663,15 @@ <h2 id="securing-vcs-with-cose">Securing JSON-LD Verifiable Credentials with COS
                 A [=conforming COSE verifier implementation=] MUST use COSE_Sign1 as specified in [[RFC9052]] to verify
                 [=conforming COSE documents=] that use this media type.
             </p>
+	    <p>
+	      To encrypt a secured [=verifiable credential=]
+	      when transmitting over an insecure channel,
+	      implementers MAY use COSE encryption,
+	      as defined in Section 5 of [[RFC9052]],
+	      by nesting the secured [=verifiable credential=]
+	      as the plaintext payload of an encrypted COSE object.
+	    </p>
+
             <pre class="example nohighlight vc" data-vc-tabs="cose"
                  title="A simple example of a verifiable credential secured with COSE">
 {
@@ -699,6 +741,15 @@ <h2 id="securing-vps-with-cose">Securing JSON-LD Verifiable Presentations with C
                 Credentials in verifiable presentations MUST be secured.
                 These credentials are secured using COSE in this case.
             <p>
+	    <p>
+	      To encrypt a secured [=verifiable presentation=]
+	      when transmitting over an insecure channel,
+	      implementers MAY use COSE encryption,
+	      as defined in Section 5 of [[RFC9052]],
+	      by nesting the secured [=verifiable presentation=]
+	      as the plaintext payload of an encrypted COSE object.
+	    </p>
+
             <pre class="example nohighlight vc" data-vc-tabs="cose"
                  title="A simple example of a verifiable presentation secured with COSE using the EnvelopedVerifiableCredential type">
 {