From 7b64772ce3a370b670fce3f8bef26a60a17eb134 Mon Sep 17 00:00:00 2001
From: Michael Jones <michael_b_jones@hotmail.com>
Date: Sun, 18 Aug 2024 17:57:36 -0700
Subject: [PATCH 1/2] Describe encrypting secured credentials and presentations

---
 index.html | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/index.html b/index.html
index 4161085..e3327bb 100644
--- a/index.html
+++ b/index.html
@@ -263,6 +263,14 @@ <h2 id="securing-with-jose">Securing JSON-LD Verifiable Credentials with JOSE</h
                 A [=conforming JWS verifier implementation=] MUST use [[RFC7515]] to verify [=conforming JWS documents=]
                 that use this media type.
             </p>
+	    <p>
+	      To encrypt the secured [=verifiable credential=]
+	      when transmitted over an insecure channel,
+	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
+	      by nesting the secured [=verifiable credential=]
+	      as the plaintext payload of a JWE,
+	      per the description of Nested JWTs in [[RFC7519]].
+	    </p>
             <pre class="example nohighlight vc" data-vc-tabs="jose" title="A simple example of a verifiable credential secured with JOSE">
 {
   "@context": [
@@ -333,6 +341,14 @@ <h2 id="securing-vps-with-jose">Securing JSON-LD Verifiable Presentations with J
                 Credentials in verifiable presentations MUST be secured.
                 These credentials are secured using JWS in this case.
             <p>
+	    <p>
+	      To encrypt the secured [=verifiable presentation=]
+	      when transmitted over an insecure channel,
+	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
+	      by nesting the secured [=verifiable presentation=]
+	      as the plaintext payload of a JWE,
+	      per the description of Nested JWTs in [[RFC7519]].
+	    </p>
 
             <pre class="example nohighlight vc" data-vc-tabs="jose"
                  title="A simple example of a verifiable presentation secured with JOSE with the EnvelopedVerifiableCredential type">
@@ -476,6 +492,14 @@ <h2 id="securing-with-sd-jwt">Securing JSON-LD Verifiable Credentials with SD-JW
                 limited to <a data-cite="VC-DATA-MODEL-2.0#status"><code>credentialStatus</code></a>
                 and <a data-cite="VC-DATA-MODEL-2.0#data-schemas"><code>credentialSchema</code></a>.
             </p>
+	    <p>
+	      To encrypt the secured [=verifiable credential=]
+	      when transmitted over an insecure channel,
+	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
+	      by nesting the secured [=verifiable credential=]
+	      as the plaintext payload of a JWE,
+	      per the instructions in Section 11.2 of [[SD-JWT]].
+	    </p>
 
             <pre class="example nohighlight vc" data-vc-tabs="sd-jwt"
                  title="A simple example of a verifiable credential secured with SD-JWT">
@@ -555,6 +579,15 @@ <h2 id="securing-vps-sd-jwt">Securing JSON-LD Verifiable Presentations with SD-J
                 limited to <a data-cite="VC-DATA-MODEL-2.0#status"> <code>credentialStatus</code></a>
                 and <a data-cite="VC-DATA-MODEL-2.0#data-schemas"> <code>credentialSchema</code></a>.
             </p>
+	    <p>
+	      To encrypt the secured [=verifiable presentation=]
+	      when transmitted over an insecure channel,
+	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
+	      by nesting the secured [=verifiable presentation=]
+	      as the plaintext payload of a JWE,
+	      per the instructions in Section 11.2 of [[SD-JWT]].
+	    </p>
+
             <pre class="example nohighlight vc" data-vc-tabs="sd-jwt"
                  title="A simple example of a verifiable presentation secured with SD-JWT using the EnvelopedVerifiableCredential type">
 {
@@ -630,6 +663,15 @@ <h2 id="securing-vcs-with-cose">Securing JSON-LD Verifiable Credentials with COS
                 A [=conforming COSE verifier implementation=] MUST use COSE_Sign1 as specified in [[RFC9052]] to verify
                 [=conforming COSE documents=] that use this media type.
             </p>
+	    <p>
+	      To encrypt the secured [=verifiable credential=]
+	      when transmitted over an insecure channel,
+	      implementers MAY use COSE encryption,
+	      as defined in Section 5 of [[RFC9052]],
+	      by nesting the secured [=verifiable credential=]
+	      as the plaintext payload of an encrypted COSE object.
+	    </p>
+
             <pre class="example nohighlight vc" data-vc-tabs="cose"
                  title="A simple example of a verifiable credential secured with COSE">
 {
@@ -699,6 +741,15 @@ <h2 id="securing-vps-with-cose">Securing JSON-LD Verifiable Presentations with C
                 Credentials in verifiable presentations MUST be secured.
                 These credentials are secured using COSE in this case.
             <p>
+	    <p>
+	      To encrypt the secured [=verifiable presentation=]
+	      when transmitted over an insecure channel,
+	      implementers MAY use COSE encryption,
+	      as defined in Section 5 of [[RFC9052]],
+	      by nesting the secured [=verifiable presentation=]
+	      as the plaintext payload of an encrypted COSE object.
+	    </p>
+
             <pre class="example nohighlight vc" data-vc-tabs="cose"
                  title="A simple example of a verifiable presentation secured with COSE using the EnvelopedVerifiableCredential type">
 {

From f00e0d0880442fbd36012b1c21b736b08b141f88 Mon Sep 17 00:00:00 2001
From: Gabe <7622243+decentralgabe@users.noreply.github.com>
Date: Mon, 26 Aug 2024 15:57:12 -0700
Subject: [PATCH 2/2] Apply suggestions from code review

Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
---
 index.html | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/index.html b/index.html
index e3327bb..4ec0e0d 100644
--- a/index.html
+++ b/index.html
@@ -264,8 +264,8 @@ <h2 id="securing-with-jose">Securing JSON-LD Verifiable Credentials with JOSE</h
                 that use this media type.
             </p>
 	    <p>
-	      To encrypt the secured [=verifiable credential=]
-	      when transmitted over an insecure channel,
+	      To encrypt a secured [=verifiable credential=]
+	      when transmitting over an insecure channel,
 	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
 	      by nesting the secured [=verifiable credential=]
 	      as the plaintext payload of a JWE,
@@ -342,8 +342,8 @@ <h2 id="securing-vps-with-jose">Securing JSON-LD Verifiable Presentations with J
                 These credentials are secured using JWS in this case.
             <p>
 	    <p>
-	      To encrypt the secured [=verifiable presentation=]
-	      when transmitted over an insecure channel,
+	      To encrypt a secured [=verifiable presentation=]
+	      when transmitting over an insecure channel,
 	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
 	      by nesting the secured [=verifiable presentation=]
 	      as the plaintext payload of a JWE,
@@ -493,8 +493,8 @@ <h2 id="securing-with-sd-jwt">Securing JSON-LD Verifiable Credentials with SD-JW
                 and <a data-cite="VC-DATA-MODEL-2.0#data-schemas"><code>credentialSchema</code></a>.
             </p>
 	    <p>
-	      To encrypt the secured [=verifiable credential=]
-	      when transmitted over an insecure channel,
+	      To encrypt a secured [=verifiable credential=]
+	      when transmitting over an insecure channel,
 	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
 	      by nesting the secured [=verifiable credential=]
 	      as the plaintext payload of a JWE,
@@ -580,8 +580,8 @@ <h2 id="securing-vps-sd-jwt">Securing JSON-LD Verifiable Presentations with SD-J
                 and <a data-cite="VC-DATA-MODEL-2.0#data-schemas"> <code>credentialSchema</code></a>.
             </p>
 	    <p>
-	      To encrypt the secured [=verifiable presentation=]
-	      when transmitted over an insecure channel,
+	      To encrypt a secured [=verifiable presentation=]
+	      when transmitting over an insecure channel,
 	      implementers MAY use JSON Web Encryption (JWE) [[RFC7516]]
 	      by nesting the secured [=verifiable presentation=]
 	      as the plaintext payload of a JWE,
@@ -664,8 +664,8 @@ <h2 id="securing-vcs-with-cose">Securing JSON-LD Verifiable Credentials with COS
                 [=conforming COSE documents=] that use this media type.
             </p>
 	    <p>
-	      To encrypt the secured [=verifiable credential=]
-	      when transmitted over an insecure channel,
+	      To encrypt a secured [=verifiable credential=]
+	      when transmitting over an insecure channel,
 	      implementers MAY use COSE encryption,
 	      as defined in Section 5 of [[RFC9052]],
 	      by nesting the secured [=verifiable credential=]
@@ -742,8 +742,8 @@ <h2 id="securing-vps-with-cose">Securing JSON-LD Verifiable Presentations with C
                 These credentials are secured using COSE in this case.
             <p>
 	    <p>
-	      To encrypt the secured [=verifiable presentation=]
-	      when transmitted over an insecure channel,
+	      To encrypt a secured [=verifiable presentation=]
+	      when transmitting over an insecure channel,
 	      implementers MAY use COSE encryption,
 	      as defined in Section 5 of [[RFC9052]],
 	      by nesting the secured [=verifiable presentation=]