Add annex for SD-JWT VC format

examples/client_metadata/sd_jwt_vc_verifier_metadata.json

@@ -0,0 +1,8 @@
+{
+  "vp_formats": {
+    "vc+sd-jwt": {
+      "sd-jwt_alg_values": ["ES256", "ES384"],
+      "kb-jwt_alg_values": ["ES256", "ES384"]
+    }
+  }
+}

examples/credentials/sd_jwt_vc.json

@@ -0,0 +1,25 @@
+{
+  "_sd": [
+    "3oUCnaKt7wqDKuyh-LgQozzfhgb8gO5Ni-RCWsWW2vA",
+    "8z8z9X9jUtb99gjejCwFAGz4aqlHf-sCqQ6eM_qmpUQ",
+    "Cxq4872UXXngGULT_kl8fdwVFkyK6AJfPZLy7L5_0kI",
+    "TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo",
+    "jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4",
+    "sFcViHN-JG3eTUyBmU4fkwusy5I1SLBhe1jNvKxP5xM",
+    "tiTngp9_jhC389UP8_k67MXqoSfiHq3iK6o9un4we_Y",
+    "xsKkGJXD1-e3I9zj0YyKNv-lU5YqhsEAF9NhOr8xga4"
+  ],
+  "iss": "https://example.com/issuer",
+  "iat": 1683000000,
+  "exp": 1883000000,
+  "vct": "https://credentials.example.com/identity_credential",
+  "_sd_alg": "sha-256",
+  "cnf": {
+    "jwk": {
+      "kty": "EC",
+      "crv": "P-256",
+      "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
+      "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
+    }
+  }
+}

examples/request/pd_sd_jwt_vc.json

@@ -0,0 +1,29 @@
+{
+  "id": "example_sd_jwt_vc_request",
+  "input_descriptors": [
+    {
+      "id": "identity_credential",
+      "format": {
+        "vc+sd-jwt": {}
+      },
+      "constraints": {
+        "limit_disclosure": "required",
+        "fields": [
+          {
+            "path": ["$.vct"],
+            "filter": {
+              "type": "string",
+              "const": "https://credentials.example.com/identity_credential"
+            }
+          },
+          {
+            "path": ["$.family_name"]
+          },
+          {
+            "path": ["$.given_name"]
+          }
+        ]
+      }
+    }
+  ]
+}

examples/response/ps_sd_jwt_vc.json

@@ -0,0 +1,11 @@
+{
+  "definition_id": "example_sd_jwt_vc_request",
+  "id": "example_sd_jwt_vc_presentation_submission",
+  "descriptor_map": [
+    {
+      "id": "identity_credential",
+      "path": "$",
+      "format": "vc+sd-jwt"
+    }
+  ]
+}

examples/response/token_response_vp_token_sd_jwt_vc.txt

@@ -0,0 +1,23 @@
+eyJhbGciOiAiRVMyNTYiLCAidHlwIjogInZjK3NkLWp3dCIsICJraWQiOiAiZG9jLXNp
+Z25lci0wNS0yNS0yMDIyIn0.eyJfc2QiOiBbIjNvVUNuYUt0N3dxREt1eWgtTGdRb3p6
+ZmhnYjhnTzVOaS1SQ1dzV1cydkEiLCAiOHo4ejlYOWpVdGI5OWdqZWpDd0ZBR3o0YXFs
+SGYtc0NxUTZlTV9xbXBVUSIsICJDeHE0ODcyVVhYbmdHVUxUX2tsOGZkd1ZGa3lLNkFK
+ZlBaTHk3TDVfMGtJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3Ja
+emZVYW9tTG8iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3
+TFVLNCIsICJzRmNWaUhOLUpHM2VUVXlCbVU0Zmt3dXN5NUkxU0xCaGUxak52S3hQNXhN
+IiwgInRpVG5ncDlfamhDMzg5VVA4X2s2N01YcW9TZmlIcTNpSzZvOXVuNHdlX1kiLCAi
+eHNLa0dKWEQxLWUzSTl6ajBZeUtOdi1sVTVZcWhzRUFGOU5oT3I4eGdhNCJdLCAiaXNz
+IjogImh0dHBzOi8vZXhhbXBsZS5jb20vaXNzdWVyIiwgImlhdCI6IDE2ODMwMDAwMDAs
+ICJleHAiOiAxODgzMDAwMDAwLCAidmN0IjogImh0dHBzOi8vY3JlZGVudGlhbHMuZXhh
+bXBsZS5jb20vaWRlbnRpdHlfY3JlZGVudGlhbCIsICJfc2RfYWxnIjogInNoYS0yNTYi
+LCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6
+ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInki
+OiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.
+IwR3Wi_6oQPfD-kCKckaexh3iJ0wepZG25YHZIjyM5-uGBKCxKmkTzNEyDe3orM2kO0k
+Kr40_8XTD83JWyQKKg~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uY
+W1lIiwgIkRvZSJd~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUi
+LCAiSm9obiJd~eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImtiK2p3dCJ9.eyJub25jZS
+I6ICIxMjM0NTY3ODkwIiwgImF1ZCI6ICJodHRwczovL2V4YW1wbGUuY29tL3ZlcmlmaW
+VyIiwgImlhdCI6IDE3MDg2MjA3OTcsICJzZF9oYXNoIjogImdtMXhTY3R1cEdJc2YwNH
+RYNHlyN1ZoVEdGZHJNSk1JYlZudnhtVnVsTnMifQ.iISn2w1LTc-7sSexoXio92yr9Nk
+WV_4ItUCM38qVJkQgBZ5vjrJQuhN4mbpstOfcbSni-HwXqrobfcQhalEKjg

openid-4-verifiable-presentations-1_0.md

@@ -1549,6 +1549,90 @@ Note: The reason hashes of the user claims are included in the `issuerAuth` item
 
 The example in this section is also applicable to the electronic identification Verifiable Credentials expressed using data models defined in ISO/IEC TR 23220-2.
 
+## IETF SD-JWT VC
+
+This section defines how credentials complying with [@!I-D.ietf-oauth-sd-jwt-vc] can be presented to the Verifier using this specification.
+
+### Format Identifier
+
+The Credential format identifier is `vc+sd-jwt`.
+
+#### Example Credential
+
+The following is a non-normative example of the payload of an IETF SD-JWT VC that will be used throughout this section:
+
+<{{examples/credentials/sd_jwt_vc.json}}
+
+The following are disclosures belonging to the claims from the example above.
+
+__Claim `given_name`__:
+
+ * SHA-256 Hash: `jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4`
+ * Disclosure:\
+`WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9o`\
+`biJd`
+ * Contents:
+`["2GLC42sKQveCfGfryNRN9w", "given_name", "John"]`
+
+
+__Claim `family_name`__:
+
+ * SHA-256 Hash: `TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo`
+ * Disclosure:\
+`WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRv`\
+`ZSJd`
+ * Contents:
+`["eluV5Og3gSNII8EYnsxA_A", "family_name", "Doe"]`
+
+
+__Claim `birthdate`__:
+
+ * SHA-256 Hash: `tiTngp9_jhC389UP8_k67MXqoSfiHq3iK6o9un4we_Y`
+ * Disclosure:\
+`WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImJpcnRoZGF0ZSIsICIxOTQw`\
+`LTAxLTAxIl0`
+ * Contents:
+`["6Ij7tM-a5iVPGboS5tmvVA", "birthdate", "1940-01-01"]`
+
+### Verifier Metadata
+
+The Verifier SHOULD add a `vp_formats` element to its metadata (e.g. in the `client_metadata` authorization request parameter) to let the wallet know what protection algorithms it supports in conjunction with SD-JWT VCs. The format element MUST have the key `vc+sd-jwt`, the value is an object consisting of the following elements:
+
+* `sd-jwt_alg_values`: OPTIONAL. A JSON array containing identifiers of cryptographic algorithms the verifier supports for protection of a SD-JWT. If present, the `alg` JOSE header (as defined in [@!RFC7515]) of the presented SD-JWT MUST match one of the array values.
+* `kb-jwt_alg_values`: OPTIONAL. A JSON array containing identifiers of cryptographic algorithms the verifier supports for protection of a KB-JWT. If present, the `alg` JOSE header (as defined in [@!RFC7515]) of the presented KB-JWT MUST match one of the array values.
+
+The following is a non-normative example of `client_metadata` request parameter value in a request to present a SD-JWT VC.
+
+<{{examples/client_metadata/sd_jwt_vc_verifier_metadata.json}}
+
+### Presentation Request
+
+The following is a non-normative example of an Authorization Request:
+
+<{{examples/request/request.txt}}
+
+The following is a non-normative example of the contents of a presentation_definition parameter that contains the requirements regarding the Credential to be presented:
+
+<{{examples/request/pd_sd_jwt_vc.json}}>
+
+The presentation of a SD-JWT VC is requested by adding an object named `vc+sd-jwt` to the `format` object of an `input_descriptor`. The object is empty.
+
+Setting `limit_disclosure` property defined in [@!DIF.PresentationExchange] to `required` enables selective release by instructing the Wallet to submit only the disclosures for the claims specified in the fields array.
+
+### Presentation Response
+
+A non-normative example of the Authorization Response would look the same as in the examples of other Credential formats in this Annex.
+
+The following is a non-normative example of the content of the `presentation_submission` parameter:
+
+<{{examples/response/ps_sd_jwt_vc.json}}
+
+The following is a non-normative example of the `vp_token` parameter provided in the same response and referred to by the `presentation_submission` above:
+
+<{{examples/response/token_response_vp_token_sd_jwt_vc.txt}}
+
+In this example the `vp_token` contains only the disclosures for the claims specified in the `presentation_submission`, along with a Key Binding JWT.
+
 ## Combining this specification with SIOPv2
 
 This section shows how SIOP and OpenID for Verifiable Presentations can be combined to present Verifiable Credentials and pseudonymously authenticate an end-user using subject controlled key material.