Add SD-JWT VC Profile (#115)

8 approvals. open for more than a week. agreement to merge during WG calls, with a possibility of @paulbastian doing a PR adding examples of KB JWT. * Add annex for SD-JWT VC format * Fix formatting * Updated kb-jwt to include nonce and aud from the request * Clarify nonce and aud claims of kb-jwt as a note * Update presentation request to authorization request Co-authored-by: Brian Campbell <[email protected]> * Introduce unsecured sd-jwt vc payload to help explain how to match requested claims defined in PE * Add example of unsecured payload sd-jwt vc * Remove statement PD input_descriptor vc+sd-jwt format object to be empty * Add sd-jwt and kb-jwt algorithms to the PD example * Editorial: consistent use of IETF SD-JWT VC when mentioning the format * Capitalize Credentials Co-authored-by: Christian Bormann <[email protected]> * Simplify wording Co-authored-by: Christian Bormann <[email protected]> * Remove newlines from end of file * Remove .DS_Store file from credentials folder * Change protection of jwts into signing of jwts Co-authored-by: Kristina <[email protected]> * protection -> signing Co-authored-by: Paul Bastian <[email protected]> * verifier -> Verifier Co-authored-by: Oliver Terbu <[email protected]> * Small fix Co-authored-by: Oliver Terbu <[email protected]> * Apply suggestions from code review Co-authored-by: Oliver Terbu <[email protected]> --------- Co-authored-by: Brian Campbell <[email protected]> Co-authored-by: Christian Bormann <[email protected]> Co-authored-by: Kristina <[email protected]> Co-authored-by: Paul Bastian <[email protected]> Co-authored-by: Oliver Terbu <[email protected]>
openid · Apr 7, 2024 · e714728 · e714728
1 parent e6ebec4
commit e714728
Show file tree

Hide file tree

Showing 8 changed files with 195 additions and 0 deletions.
diff --git a/examples/.DS_Store b/examples/.DS_Store
diff --git a/examples/client_metadata/sd_jwt_vc_verifier_metadata.json b/examples/client_metadata/sd_jwt_vc_verifier_metadata.json
@@ -0,0 +1,8 @@
+{
+  "vp_formats": {
+    "vc+sd-jwt": {
+      "sd-jwt_alg_values": ["ES256", "ES384"],
+      "kb-jwt_alg_values": ["ES256", "ES384"]
+    }
+  }
+}
diff --git a/examples/credentials/sd_jwt_vc.json b/examples/credentials/sd_jwt_vc.json
@@ -0,0 +1,25 @@
+{
+  "_sd": [
+    "3oUCnaKt7wqDKuyh-LgQozzfhgb8gO5Ni-RCWsWW2vA",
+    "8z8z9X9jUtb99gjejCwFAGz4aqlHf-sCqQ6eM_qmpUQ",
+    "Cxq4872UXXngGULT_kl8fdwVFkyK6AJfPZLy7L5_0kI",
+    "TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo",
+    "jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4",
+    "sFcViHN-JG3eTUyBmU4fkwusy5I1SLBhe1jNvKxP5xM",
+    "tiTngp9_jhC389UP8_k67MXqoSfiHq3iK6o9un4we_Y",
+    "xsKkGJXD1-e3I9zj0YyKNv-lU5YqhsEAF9NhOr8xga4"
+  ],
+  "iss": "https://example.com/issuer",
+  "iat": 1683000000,
+  "exp": 1883000000,
+  "vct": "https://credentials.example.com/identity_credential",
+  "_sd_alg": "sha-256",
+  "cnf": {
+    "jwk": {
+      "kty": "EC",
+      "crv": "P-256",
+      "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
+      "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
+    }
+  }
+}
diff --git a/examples/credentials/sd_jwt_vc_unsecured.json b/examples/credentials/sd_jwt_vc_unsecured.json
@@ -0,0 +1,6 @@
+{
+  "vct": "https://credentials.example.com/identity_credential",
+  "given_name": "John",
+  "family_name": "Doe",
+  "birthdate": "1940-01-01"
+}
diff --git a/examples/request/pd_sd_jwt_vc.json b/examples/request/pd_sd_jwt_vc.json
@@ -0,0 +1,32 @@
+{
+  "id": "example_sd_jwt_vc_request",
+  "input_descriptors": [
+    {
+      "id": "identity_credential",
+      "format": {
+        "vc+sd-jwt": {
+          "sd-jwt_alg_values": ["ES256", "ES384"],
+          "kb-jwt_alg_values": ["ES256", "ES384"]
+        }
+      },
+      "constraints": {
+        "limit_disclosure": "required",
+        "fields": [
+          {
+            "path": ["$.vct"],
+            "filter": {
+              "type": "string",
+              "const": "https://credentials.example.com/identity_credential"
+            }
+          },
+          {
+            "path": ["$.family_name"]
+          },
+          {
+            "path": ["$.given_name"]
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/examples/response/ps_sd_jwt_vc.json b/examples/response/ps_sd_jwt_vc.json
@@ -0,0 +1,11 @@
+{
+  "definition_id": "example_sd_jwt_vc_request",
+  "id": "example_sd_jwt_vc_presentation_submission",
+  "descriptor_map": [
+    {
+      "id": "identity_credential",
+      "path": "$",
+      "format": "vc+sd-jwt"
+    }
+  ]
+}
diff --git a/examples/response/token_response_vp_token_sd_jwt_vc.txt b/examples/response/token_response_vp_token_sd_jwt_vc.txt
@@ -0,0 +1,23 @@
+eyJhbGciOiAiRVMyNTYiLCAidHlwIjogInZjK3NkLWp3dCIsICJraWQiOiAiZG9jLXNp
+Z25lci0wNS0yNS0yMDIyIn0.eyJfc2QiOiBbIjNvVUNuYUt0N3dxREt1eWgtTGdRb3p6
+ZmhnYjhnTzVOaS1SQ1dzV1cydkEiLCAiOHo4ejlYOWpVdGI5OWdqZWpDd0ZBR3o0YXFs
+SGYtc0NxUTZlTV9xbXBVUSIsICJDeHE0ODcyVVhYbmdHVUxUX2tsOGZkd1ZGa3lLNkFK
+ZlBaTHk3TDVfMGtJIiwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3Ja
+emZVYW9tTG8iLCAianN1OXlWdWx3UVFsaEZsTV8zSmx6TWFTRnpnbGhRRzBEcGZheVF3
+TFVLNCIsICJzRmNWaUhOLUpHM2VUVXlCbVU0Zmt3dXN5NUkxU0xCaGUxak52S3hQNXhN
+IiwgInRpVG5ncDlfamhDMzg5VVA4X2s2N01YcW9TZmlIcTNpSzZvOXVuNHdlX1kiLCAi
+eHNLa0dKWEQxLWUzSTl6ajBZeUtOdi1sVTVZcWhzRUFGOU5oT3I4eGdhNCJdLCAiaXNz
+IjogImh0dHBzOi8vZXhhbXBsZS5jb20vaXNzdWVyIiwgImlhdCI6IDE2ODMwMDAwMDAs
+ICJleHAiOiAxODgzMDAwMDAwLCAidmN0IjogImh0dHBzOi8vY3JlZGVudGlhbHMuZXhh
+bXBsZS5jb20vaWRlbnRpdHlfY3JlZGVudGlhbCIsICJfc2RfYWxnIjogInNoYS0yNTYi
+LCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6
+ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsczd2Q2VHZW1jIiwgInki
+OiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2dDRqVDlGMkhaUSJ9fX0.
+hBeB-fuMsIQ82QIE_674CSPIufs7w0D9CdfGdP_tGyBVp_vTSlbWb9MInFKSZ6Y3ie-r
+0MMeSSEHyuUz9WNGSQ~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uY
+W1lIiwgIkRvZSJd~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUi
+LCAiSm9obiJd~eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImtiK2p3dCJ9.eyJub25jZS
+I6ICJuLTBTNl9XekEyTWoiLCAiYXVkIjogImh0dHBzOi8vZXhhbXBsZS5jb20vdmVyaW
+ZpZXIiLCAiaWF0IjogMTcwOTgzODYwNCwgInNkX2hhc2giOiAiRHktUll3WmZhYW9DM2
+luSmJMc2xnUHZNcDA5YkgtY2xZUF8zcWJScXRXNCJ9.RmgIhqCHYWerxbDboMuB0lli6
+3HPJHI9Vl2ZNOGh20C7_6p7nf3Wkd2wkx5WlmwTwtHKc87MBY2nuRLoeduQMA
diff --git a/openid-4-verifiable-presentations-1_0.md b/openid-4-verifiable-presentations-1_0.md
@@ -1673,6 +1673,96 @@ The VP Token contains the base64url encoded `DeviceResponse` CBOR structure as d
 
 See ISO/IEC TS 18013-7 Annex B [@ISO.18013-7] and ISO/IEC 23220-4 Annex C [@ISO.23220-4] for the latest examples on how to use the `presentation_submission` parameter and how to generate the Authorizaton Response for presenting Credentials in the mdoc format.
 
+## IETF SD-JWT VC
+
+This section defines how Credentials complying with [@!I-D.ietf-oauth-sd-jwt-vc] can be presented to the Verifier using this specification.
+
+### Format Identifier
+
+The Credential format identifier is `vc+sd-jwt`.
+
+#### Example Credential
+
+The following is a non-normative example of the unsecured payload of an IETF SD-JWT VC that will be used throughout this section:
+
+<{{examples/credentials/sd_jwt_vc_unsecured.json}}
+
+The following is a non-normative example of an IETF SD-JWT VC using the unsecured payload above, containing claims that are selectively disclosable.
+
+<{{examples/credentials/sd_jwt_vc.json}}
+
+The following are disclosures belonging to the claims from the example above.
+
+__Claim `given_name`__:
+
+ * SHA-256 Hash: `jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4`
+ * Disclosure:\
+`WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9o`\
+`biJd`
+ * Contents:
+`["2GLC42sKQveCfGfryNRN9w", "given_name", "John"]`
+
+
+__Claim `family_name`__:
+
+ * SHA-256 Hash: `TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo`
+ * Disclosure:\
+`WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRv`\
+`ZSJd`
+ * Contents:
+`["eluV5Og3gSNII8EYnsxA_A", "family_name", "Doe"]`
+
+
+__Claim `birthdate`__:
+
+ * SHA-256 Hash: `tiTngp9_jhC389UP8_k67MXqoSfiHq3iK6o9un4we_Y`
+ * Disclosure:\
+`WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImJpcnRoZGF0ZSIsICIxOTQw`\
+`LTAxLTAxIl0`
+ * Contents:
+`["6Ij7tM-a5iVPGboS5tmvVA", "birthdate", "1940-01-01"]`
+
+### Verifier Metadata
+
+The `format` value in the `vp_formats` parameter of the Verifier metadata MUST have the key `vc+sd-jwt`, and the value is an object consisting of the following name/value pairs:
+
+* `sd-jwt_alg_values`: OPTIONAL. A JSON array containing identifiers of cryptographic algorithms the Verifier supports for signing of an Issuer-signed JWT of an SD-JWT. If present, the `alg` JOSE header (as defined in [@!RFC7515]) of the Issuer-signed JWT of the presented SD-JWT MUST match one of the array values.
+* `kb-jwt_alg_values`: OPTIONAL. A JSON array containing identifiers of cryptographic algorithms the Verifier supports for signing of a Key Binding JWT (KB-JWT). If present, the `alg` JOSE header (as defined in [@!RFC7515]) of the presented KB-JWT MUST match one of the array values.
+
+The following is a non-normative example of `client_metadata` request parameter value in a request to present an IETF SD-JWT VC.
+
+<{{examples/client_metadata/sd_jwt_vc_verifier_metadata.json}}
+
+### Presentation Request
+
+The following is a non-normative example of an Authorization Request:
+
+<{{examples/request/request.txt}}
+
+The following is a non-normative example of the contents of a `presentation_definition` parameter that contains the requirements regarding the Credential to be presented:
+
+<{{examples/request/pd_sd_jwt_vc.json}}
+
+The presentation of an IETF SD-JWT VC is requested by adding an object named `vc+sd-jwt` to the `format` object of an `input_descriptor`. The `input_descriptor` value is applied to the unsecured payload of the IETF SD-JWT VC which correspond to the disclosures of the presented SD-JWT VC.
+
+Setting `limit_disclosure` property defined in [@!DIF.PresentationExchange] to `required` enables selective release by instructing the Wallet to submit only the disclosures for the matching claims specified in the fields array. The unsecured payload of an IETF SD-JWT VC is used to perform the matching.
+
+### Presentation Response
+
+A non-normative example of the Authorization Response would look the same as in the examples of other Credential formats in this Annex.
+
+The following is a non-normative example of the content of the `presentation_submission` parameter:
+
+<{{examples/response/ps_sd_jwt_vc.json}}
+
+The following is a non-normative example of the `vp_token` parameter provided in the same response and referred to by the `presentation_submission` above:
+
+<{{examples/response/token_response_vp_token_sd_jwt_vc.txt}}
+
+In this example the `vp_token` contains only the disclosures for the claims specified in the `presentation_submission`, along with a Key Binding JWT.
+
+Note: The Key Binding JWT `nonce` claim contains the value of the `nonce` from the authorization request, and the `aud` claim contains the Client Identifier of the Verifier.
+
 ## Combining this specification with SIOPv2
 
 This section shows how SIOP and OpenID for Verifiable Presentations can be combined to present Verifiable Credentials and pseudonymously authenticate an end-user using subject controlled key material.