derived proof from document with urn:uuid format id does not verify #207
So following this problem when verifying a derived document: mattrglobal/node-bbs-signatures#211,
I have found that the issue is coming from this piece of information from my initial document:
"id": "urn:uuid:bbba8553-8ec1-445f-82c9-a57251dd731c",
There are 2 levels to the issue.
If I remove the document id altogether, then my reveal document is properly formed and verifies - but I have mangled potentially critical data in the system:
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/blockcerts/v3",
"https://w3id.org/security/bbs/v1"
],
"id": "urn:bnid:_:c14n1",
"type": [
"BlockcertsCredential",
"VerifiableCredential"
],
"display": {
"id": "urn:bnid:_:c14n0",
"content": "<div style=\"background-color:transparent;padding:6px;display:inline-flex;align-items:center;flex-direction:column\">Yo</div>",
"contentMediaType": "text/html"
},
"metadata": "{\"classOf\":\"2021\"}",
"credentialSubject": {
"id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
"claim": {
"id": "urn:bnid:_:c14n2",
"description": "Awarded to those who rock",
"name": "Master of Puppets"
},
"name": "Julien Fraichot"
},
"issuanceDate": "2022-11-29T15:06:26.017Z",
"issuer": "https://www.blockcerts.org/samples/3.0/issuer-blockcerts.json",
"proof": {
"type": "BbsBlsSignatureProof2020",
"created": "2022-11-29T15:06:26Z",
"nonce": "VbzVit8eb94IloiG6xVJSCF1edlvQw61B1Sq9RVrHAufsoF6QCB9jfOJ9t9ELlRE/uo=",
"proofPurpose": "assertionMethod",
"proofValue": "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",
"verificationMethod": "did:key:z5TcEmFDYKHmMkZCqXVf3eJpZxX6aZW6ubPAexjJGHyXAka521PspqyXZa58Eegw9nfaGJDnpLPJSyqYJHZ3wy6VCoTG1oucasdANZqmHef2yjE7qxYcLhrC9QxqwPFB7S82zuPdFxBRUJRFVic439idgG1moDSAfG1sZp9wGBzoPhmfgAUsZk2gKjt2bn6S9wGUWLDBv#zUC7J1cyYKfKeKbBc6pSkUnJZXy2ZYJVNZMofuQA4tYd9Be723SsLsbqxYBHXj7daHfQGrzSxZhxfFGpkgDAmMxmVQfRoEX4myw3vi5kKfnw1VXCzaU21c2qhT9F8BYfVheTo4C"
}
}
If I remove the urn:uuid prefix, then the derived document verifies, but it lacks the expected information from the reveal document:
{
'@context': [
'https://www.w3.org/2018/credentials/v1',
'https://w3id.org/blockcerts/v3',
'https://w3id.org/security/bbs/v1'
],
proof: {
type: 'BbsBlsSignatureProof2020',
created: '2022-11-29T14:38:59Z',
nonce: 'GDiMYw2jHKBIS33NOPb2PEMEj5xwPlLAh3NaBH/UVLSmL2wMYKt06GElLhvzHjH6BaE=',
proofPurpose: 'assertionMethod',
proofValue: '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',
verificationMethod: 'did:key:z5TcEopMsCofK3MGktQbNZJUj7Ts6QJMSJef3Uv6uXDZjxdPA9zkS87e7XJ5sDzcUUbxNYwy53wBbzSL3sPC7sKtVp4P6jhMvP2mVfzYQSv79Av8ZffXpMYZifXY7gtyNLx7JL8mpfc65KUm4z7ZTadmeQwCWWM4Ev8xfeaGr6dBgoTWJamiKeXRdR8PSS7qDsmc2eJpx#zUC7GGsNjWZskEizSQ2wqPgSGath5YSRCxGu6YAuEtgDfmAHoYDWRkQvPbLUpWFzxgni9AAbpbjBgPFbSyxGS7ovuH8nnv92yEPLboBBj8qXRsqAhGpvnSijTHm9MAsMfLTQ3AG'
}
}
What put me on the trail to identify this problem is this line: https://github.com/mattrglobal/jsonld-signatures-bbs/blob/master/src/BbsBlsSignatureProof2020.ts#L131, however I am not sure this is the actual final culprit. From what I can see in the sample demo, https://github.com/mattrglobal/jsonld-signatures-bbs/blob/master/sample/ts-node/src/demo_single.ts, the original id of the initial document is preserved, so it does not seem to be expected that we should modify the id to essentially create a new document.
For all intents and purposes, this derived document (with the original id) will not verify:
{
'@context': [
'https://www.w3.org/2018/credentials/v1',
'https://w3id.org/blockcerts/v3',
'https://w3id.org/security/bbs/v1'
],
id: 'urn:uuid:bbba8553-8ec1-445f-82c9-a57251dd731c',
type: [ 'BlockcertsCredential', 'VerifiableCredential' ],
display: {
id: 'urn:bnid:_:c14n0',
content: '<div style="background-color:transparent;padding:6px;display:inline-flex;align-items:center;flex-direction:column">Yo</div>',
contentMediaType: 'text/html'
},
metadata: '{"classOf":"2021"}',
credentialSubject: {
id: 'did:example:ebfeb1f712ebc6f1c276e12ec21',
claim: {
id: 'urn:bnid:_:c14n1',
description: 'Awarded to those who rock',
name: 'Master of Puppets'
},
name: 'Julien Fraichot'
},
issuanceDate: '2022-11-29T15:05:17.924Z',
issuer: 'https://www.blockcerts.org/samples/3.0/issuer-blockcerts.json',
proof: {
type: 'BbsBlsSignatureProof2020',
created: '2022-11-29T15:05:18Z',
nonce: 'T6+bvFgTwIUxhUtkmhI9upP7d8sjDPE+TkTjJrZNcIsFk+KPh/VCeRo2s7ZoDz+Toog=',
proofPurpose: 'assertionMethod',
proofValue: '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',
verificationMethod: 'did:key:z5TcDJEMzpBv58yHMCtodFhA5acGe4r4wUkzDkX89MpsWNLAS12sNJgqYC1uPcr3ekk3z1tv82WFXAwgYiNqqMX8sf4AEB8hD3ccYti9uh5fakvnNy6NGb8NF4btHEuT7c3n6BwrLg5mMjzyxY6uEcTmNEzzkWtY98Ga7bQab5yaveP4j87Rec6tPGXi5t6i2i5szwstd#zUC76amoqWYCtj3SF5a9hoGKkqCofsL5QGV8WXujY87B7vTWJudkvo6N4Weg1ZvLD51whAgZ3fb2U32Rmq9aHHFMG7Y3CfuquBFAaiz82hPeTzMwcLQtW6VEBua4w1YCqAr1J4y'
}
}
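A verifier-side structural check for the outcomes described above, as an added example that is not part of the original issue or of the jsonld-signatures-bbs code base: it compares a derived document with the original and reports a replaced top-level id, `urn:bnid:` ids, and required fields that were not disclosed. The function names, the dotted-path notation and the trimmed sample documents are assumptions constructed for illustration, and no cryptographic verification is performed.

```javascript
// Prefix of the generated node ids visible in the issue's derived documents.
const BNID_PREFIX = "urn:bnid:";

// Collect the path of every node whose "id" carries the generated prefix.
function findPlaceholderIds(node, path = "$", out = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => findPlaceholderIds(v, `${path}[${i}]`, out));
  } else if (node && typeof node === "object") {
    if (typeof node.id === "string" && node.id.startsWith(BNID_PREFIX)) out.push(path);
    for (const [k, v] of Object.entries(node)) {
      if (k !== "proof") findPlaceholderIds(v, `${path}.${k}`, out); // proof is not a claim
    }
  }
  return out;
}

// Resolve a dotted path such as "credentialSubject.claim.name" (hypothetical notation).
function getPath(doc, dotted) {
  return dotted.split(".").reduce((n, k) => (n && typeof n === "object" ? n[k] : undefined), doc);
}

// A proof that verifies says nothing about which claims were actually disclosed,
// so the relying party checks the disclosed structure separately.
function auditDerived(original, derived, requiredPaths) {
  return {
    idPreserved: original.id !== undefined && derived.id === original.id,
    placeholderIds: findPlaceholderIds(derived),
    missing: requiredPaths.filter((p) => getPath(derived, p) === undefined),
  };
}

// Constructed samples, trimmed from the document shapes shown in the issue.
const original = {
  id: "urn:uuid:bbba8553-8ec1-445f-82c9-a57251dd731c",
  type: ["BlockcertsCredential", "VerifiableCredential"],
  credentialSubject: { id: "did:example:ebfeb1f712ebc6f1c276e12ec21", claim: { name: "Master of Puppets" } },
};
const derivedWithoutId = { // first case: id removed before signing
  id: "urn:bnid:_:c14n1",
  type: original.type,
  credentialSubject: { id: original.credentialSubject.id, claim: { id: "urn:bnid:_:c14n2", name: "Master of Puppets" } },
  proof: { type: "BbsBlsSignatureProof2020" },
};
const derivedEmpty = { proof: { type: "BbsBlsSignatureProof2020" } }; // second case: proof only
const required = ["type", "credentialSubject.claim.name"];

console.log(auditDerived(original, derivedWithoutId, required));
console.log(auditDerived(original, derivedEmpty, required));
```

Running the audit alongside proof verification catches the second case in the issue, where verification succeeds but none of the requested claims are present.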