ISCC Signature#
| IEP: | 0019 |
|---|---|
| Title: | ISCC Signature |
| Author: | Titusz Pan tp@iscc.io |
| Comments: | https://github.com/iscc/iscc-ieps/issues/26 |
| Status: | Draft |
| Type: | Core |
| Standard: | IEP |
| License: | CC-BY-4.0 |
| Created: | 2026-07-03 |
| Updated: | 2026-07-03 |
Note
This document is a DRAFT intended as input to ISO TC 46/SC 9/WG 18 for a future revision of ISO 24138.
1. Introduction#
This proposal defines the ISCC signature format (ISCC-SIG), a compact JSON signature format that provides cryptographic integrity and optional identity attribution for JSON documents.
An ISCC signature is a plain JSON object embedded as the signature member of the document it
signs. The format is built from two primitives — Ed25519 signatures (RFC 8032) and the JSON
Canonicalization Scheme (RFC 8785) — and is implementable without JSON-LD processing or JOSE
libraries. Three signature types support use cases ranging from bare integrity proofs to standalone
offline verification and full identity attribution via W3C DIDs or Controlled Identifier Documents.
ISCC signatures authenticate the messages of the ISCC Discovery Protocol (IEP-0013) and can sign any JSON document, including ISCC metadata.
2. Terminology#
Controller : The entity that controls a signing key, identified by a DID or HTTPS URL.
Controller document : A W3C Controlled Identifier Document or DID document that lists the verification methods authorized by a controller.
Verification method : An entry in a controller document that expresses an authorized public key
as a Multikey (publicKeyMultibase).
JCS : JSON Canonicalization Scheme as defined in RFC 8785.
Multibase : Self-describing base-encoding format. In this specification, multibase strings use
the z prefix indicating base58-btc encoding.
Multicodec : Self-describing binary prefix that identifies the type of encoded key material.
3. Signature Format#
An ISCC signature shall be a JSON object carried as the top-level signature member of the JSON
document it signs:
Table 1 – ISCC signature members
| Member | Presence | Type | Definition |
|---|---|---|---|
version |
mandatory | string | Shall equal ISCC-SIG v1.0 |
proof |
mandatory | multibase | Ed25519 signature over the canonical document |
pubkey |
conditional | multibase | Ed25519 public key with multicodec prefix 0xed01 |
controller |
optional | URI | DID or HTTPS URL identifying the key controller |
keyid |
optional | string | Verification method identifier within the controller document |
An ISCC signature shall satisfy the following constraints:
pubkey, if present, shall decode to 34 bytes: the multicodec prefix0xed01followed by a 32-byte Ed25519 public key.proofshall decode to a 64-byte Ed25519 signature value.- If
controlleris present,pubkeyshall be present. - If
keyidis present,controllershall be present. - Members not listed in Table 1 shall not be present.
ISCC signature example (SELF_VERIFYING)
3.1 Signature Types#
The signature type is not encoded explicitly; it follows from member presence:
Table 2 – ISCC signature types
| Type | Members present | Verification |
|---|---|---|
| PROOF_ONLY | version, proof |
Requires a public key obtained out of band |
| SELF_VERIFYING | version, pubkey, proof |
Standalone |
| IDENTITY_BOUND | version, controller, pubkey, proof, optionally keyid |
Standalone, with identity attribution |
NOTE: Protocols that embed ISCC signatures can restrict the permitted types. The ISCC Discovery
Protocol (IEP-0013) requires pubkey and does not accept PROOF_ONLY signatures.
4. Signing#
A signing party shall create an ISCC signature as follows:
- Verify that the JSON document to be signed has no
signaturemember. - Add a
signatureobject containingversionand the members of the selected signature type, without aproofmember. - Canonicalize the complete document with JCS and encode as UTF-8.
- Compute the Ed25519 signature over the canonical bytes in accordance with RFC 8032.
- Encode the signature value as multibase and set it as
signature.proof.
If verification in step 1 fails, the signing party shall not create a signature and shall report an error.
NOTE: The proof member is absent — not empty — during canonicalization. The signed scope covers
the complete document including version, pubkey, controller, and keyid; none of these
members can be substituted after signing without invalidating the proof.
5. Verification#
A verifier shall verify an ISCC signature as follows:
- Verify that
signature.versionequalsISCC-SIG v1.0. - Obtain the verification key from
signature.pubkeyor, if absent, from an out-of-band source. - Create a copy of the signed document and remove
signature.proof; all other members remain. - Canonicalize the copy with JCS and encode as UTF-8.
- Verify the Ed25519 signature decoded from
signature.proofover the canonical bytes against the verification key.
If any step fails, the verifier shall reject the signature.
A verifier that expects a specific signing key shall verify that signature.pubkey, if present,
equals the expected key.
6. Identity Verification#
When controller is present, a verifier may additionally verify that the signing key is authorized
by the identified controller:
- Obtain the controller document by dereferencing
controller:did:keyanddid:webURIs in accordance with their DID method specifications; HTTPS URLs by fetching the Controlled Identifier Document published at the URL. - Verify that the controller document lists a verification method that satisfies all of the
following:
- its
controllerproperty equalssignature.controller; - its
publicKeyMultibaseproperty equalssignature.pubkey; - if
keyidis present: itsidproperty, or the fragment of itsidproperty, equalskeyid.
- its
The signature is attributed to the controller if and only if both steps succeed.
NOTE: When keyid is absent, the public key itself acts as the key identifier.
7. Security Considerations#
Implementations shall use a well-reviewed Ed25519 library and shall reject signatures with malleable encodings (RFC 8032). The JCS-canonicalized bytes are the integrity anchor: implementations should verify their JCS implementation against the test vectors of RFC 8785. An ISCC signature proves possession of the secret key over the signed content; it does not by itself prove freshness or prevent replay. Protocols that embed ISCC signatures shall add nonces or timestamps where replay matters (see IEP-0013). A PROOF_ONLY signature does not commit to a public key; the signed document alone does not identify the signer. Controller documents are mutable: identity verification reflects the controller document at resolution time, and controllers revoke or rotate keys by updating the document.
8. Test Vectors#
All test vectors use the following Ed25519 keypair. The secret key is multibase-encoded with the
multicodec prefix 0x8026 (Ed25519 secret key). The keypair is published for testing and shall not
be used operationally.
public key: z6MkpFpVngrAUTSY6PagXa1x27qZqgdmmy3ZNWSBgyFSvBSx
secret key: z3u2So9EAtuYVuxGog4F2ksFGws8YT7pBPs4xyRbv3NJgrNA
controller: did:web:crypto.iscc.codes:alice
Ed25519 signature generation is deterministic. Conforming implementations shall reproduce the
following signatures for the document {"hello": "world"}, where payload is the JCS-canonical
UTF-8 signing input and proof is the resulting signature value:
PROOF_ONLY
payload: {"hello":"world","signature":{"version":"ISCC-SIG v1.0"}}
proof: z5mGkSPsC8bSah37m7RfPsBDYSCWnJQbQYBAZQD9r2THDhSJqN5uzsXD2fvnKMswjCs6rMgwS4QK9z712GgdDceSu
SELF_VERIFYING
payload: {"hello":"world","signature":{"pubkey":"z6MkpFpVngrAUTSY6PagXa1x27qZqgdmmy3ZNWSBgyFSvBSx","version":"ISCC-SIG v1.0"}}
proof: z5D274u1mgx4zgWgDZb2iJJJMGTPwDh6EgJjFdcTSwyXMH13Sb4HqmBF9JJRFTr7NJnpxHb2d4uvLZngdAoMeFDnk
IDENTITY_BOUND
payload: {"hello":"world","signature":{"controller":"did:web:crypto.iscc.codes:alice","pubkey":"z6MkpFpVngrAUTSY6PagXa1x27qZqgdmmy3ZNWSBgyFSvBSx","version":"ISCC-SIG v1.0"}}
proof: z52f1T5wnmgAWVFz84PmCzF74s6PQRaSFZxo4GzBfEaZ95P4nMgvJVN37BHNxjjyxuUmGmptoAP8kBDxZ3C7XhoJP
9. References#
9.1 Normative#
- RFC 8032 - Edwards-Curve Digital Signature Algorithm (EdDSA)
- RFC 8785 - JSON Canonicalization Scheme (JCS)
- W3C Controlled Identifiers v1.0: https://www.w3.org/TR/cid-1.0/
- did:key Method: https://w3c-ccg.github.io/did-method-key/
- did:web Method: https://w3c-ccg.github.io/did-method-web/
9.2 Informative#
- ISO 24138:2024 - International Standard Content Code
- IEP-0013 - ISCC Discovery Protocol
- IEP-0015 - ISCC DID Method
- W3C Decentralized Identifiers (DIDs) v1.0: https://www.w3.org/TR/did-1.0/
- ISCC Signature Specification: https://crypto.iscc.codes/iscc-sig-spec/
- Multicodec registry: https://github.com/multiformats/multicodec
- Reference implementation: https://github.com/iscc/iscc-crypto