Skip to content

Add Verifiable Credential (W3C VC) profile for CAL assessments and evidence #65

Description

@github-actions

Motivation

ISO/SAE PAS 8475 CAL assessments and control evidence are sensitive, authoritative artifacts that need strong provenance, issuer identity and selective disclosure for regulated workflows (audits, supplier attestations, vulnerability disclosures). RDX already requires signing and provenance (RDX-060, RDX-061) but lacks a standard, machine-verifiable credential profile for assessment evidence that is interoperable with modern supply-chain attestation ecosystems (W3C Verifiable Credentials, CycloneDX Attestations). Providing a W3C VC profile enables: issuer authentication (DID or PKI), selective disclosure of evidence, and standard verification flows across organizations and regulators.

Proposed change

Add an optional, backwards-compatible "verifiableCredentials" mechanism for assessment/evidence objects (initial scope: calAssessments, tafAssessments, calAssuranceLevels, and controls). Changes required:

  1. Schema additions
  • Add a top-level optional array at riskSet level: verifiableCredentials[] (global registry of VCs included in the document).

  • Add an optional verifiableCredentialRefs[] (array of VC id strings) to the following objects: calAssessments, tafAssessments, controls, calAssuranceLevels.

  • New VC object (example JSON Schema fragment):

    {
    "id": "VC-001",
    "type": ["VerifiableCredential","RDXCalAssessmentCredential"],
    "issuer": "did:web:example.com",
    "issuanceDate": "2026-06-01T12:00:00Z",
    "credentialSubject": { "calAssessmentId": "CAL-ASSESS-001", "controlId": "CTRL-AUTH-001", "assessmentResult": "sufficient" },
    "proof": { /* JSON-LD or JWT proof object; opaque to validator */ }
    }

  • proof MUST allow commonly used proof suites (LD Proof / JWS / JWT) and may be recorded as an opaque object in the RDX package. The schema SHOULD allow either proof.jwt (compact/JWT) or proof.ldProof (object) but MUST NOT require specific crypto suites (so validators focus on structure, not cryptographic verification unless environment supports it).

  1. JSON-LD context and optional profile
  • Provide a minimal JSON-LD context file spec/json/rdx-vc.context.json describing RDX VC types and mapping to W3C VC terms.
  1. CycloneDX embedding guidance
  • Document how to include VCs inside CycloneDX BOMs: either embed the VC JSON as a property under metadata.properties (minified) or include as separate attachments and reference by bom-ref (preserving CycloneDX compatibility).
  1. Examples and tests
  • Add an example examples/rdx-cal-vc-example.json demonstrating a calAssessment referencing one or more VCs (both LD-proof and JWT variants).

  • Validation behavior: existing JSON Schema validation SHOULD accept the structure of verifiableCredentials[] and references, but cryptographic proof validation is out-of-band (CI may optionally run a verifier if tooling is available).

  1. Documentation
  • Update methodology docs to include: VC profile, recommended minimal fields (issuer identity, issuanceDate, credentialSubject.calAssessmentId, evidenceRef), example verification flows, and guidance on selective disclosure and redaction for sharing.

Compatibility and governance notes

  • Backwards compatible: absence of verifiableCredentials leaves existing RDX documents unchanged.

  • New requirement ID: RDX-114 (new requirement): "Support embedding/verifying assessment evidence as W3C Verifiable Credentials on assessment and control objects." (Add to REQUIREMENTS.md)

References

Acceptance criteria

  • Schema: spec/json/rdx.schema.json and spec/xml/rdx.xsd accept verifiableCredentials[] and verifiableCredentialRefs[] fields and validate example documents.
  • Example: examples/rdx-cal-vc-example.json demonstrates at least one calAssessment referencing a verifiableCredentials entry with issuer, issuanceDate, credentialSubject and proof (JWT or LD-proof variant).
  • Documentation: methodology/CAL-TAF-Integration.md updated with a VC profile section and CycloneDX-embedding guidance.
  • CI: ./tools/validate.sh validates new examples; cryptographic verification of proofs is optional and not required by CI.
  • REQUIREMENTS.md updated to include RDX-114 and justification.

Generated by tools/ai_idea_scout.py via the AI Idea Scout workflow.
Review the proposal, refine the title/body/labels, and close if not desired.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ai-proposalProposed by the AI idea scout; needs human reviewenhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions