Standardizing PGP for Linked Data Integrity

[OR13]

https://w3id.org/security/suites/pgp-2021
https://w3id.org/security/suites/pgp-2021/v1

PGP / GPG are commonly used in software supply chain uses cases, and even in hardware thanks to Yubikey / Open PGP.

GitHub integrations with GPG

Signing Docker images with GPG

While PGP won't play nice with VC-JWT, it can play nice with LD Proofs, as shown the specs at the top of this issue.

You can even use GPG Agent to create verifiable credentials that are bound to hardware isolated keys (such as with yubikey).

Is there interest in standardizing support for PGP / GPG based Linked Data Integrity suites?

[mprorock]

Absolutely. This could be highly valuable to us

[OR13]

Here is an example CLI that works with these suites, https://github.com/OR13/lds-pgp2021/blob/main/bin/cli.js

it uses GPGAgent and Yubikey, and allows you to make a verifiable credential that is signed by a hardware isolated key on yubikey but verifiable to any DID that supports PGP. (or in the context of VCs any controller).

[OR13]

Open PGP supports most of the cryptography that is popular these days.

Checkout https://openpgpjs.org/

This project is maintained by ProtonMail.

https://github.com/openpgpjs/openpgpjs

See also: https://github.com/openpgpjs/openpgpjs#security-audit

[wyc]

+1, we are supporting PGP keys as well:
spruceid/ssi#373

[brentzundel]

I believe that merging PR #77 will fix this issue

[brentzundel]

I believe this issue has been addressed. Marking as pending close.
I will close this issue in 4 days if there are no objections.

[brentzundel]

no response since marked pending close, closing