Add SD-JWT VC Profile #115

Merged (19 commits), Apr 7, 2024
8 changes: 8 additions & 0 deletions examples/client_metadata/sd_jwt_vc_verifier_metadata.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"vp_formats": {
"vc+sd-jwt": {
"sd-jwt_alg_values": ["ES256", "ES384"],
"kb-jwt_alg_values": ["ES256", "ES384"]
}
}
}
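Review bot: the two arrays are consistent with the sample `vp_token` added in this PR (the issuer-signed JWT header and the KB-JWT header in `examples/response/token_response_vp_token_sd_jwt_vc.txt` both decode to `"alg": "ES256"`), which matters because the Verifier Metadata text in this PR says the `alg` JOSE header of a presented SD-JWT or KB-JWT MUST match one of the listed values. If the example token is ever regenerated with a different algorithm, this file needs to change in the same commit, otherwise the worked example would describe a presentation the example Verifier rejects.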
25 changes: 25 additions & 0 deletions examples/credentials/sd_jwt_vc.json
@@ -0,0 +1,25 @@
{
"_sd": [
"3oUCnaKt7wqDKuyh-LgQozzfhgb8gO5Ni-RCWsWW2vA",
"8z8z9X9jUtb99gjejCwFAGz4aqlHf-sCqQ6eM_qmpUQ",
"Cxq4872UXXngGULT_kl8fdwVFkyK6AJfPZLy7L5_0kI",
"TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo",
"jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4",
"sFcViHN-JG3eTUyBmU4fkwusy5I1SLBhe1jNvKxP5xM",
"tiTngp9_jhC389UP8_k67MXqoSfiHq3iK6o9un4we_Y",
"xsKkGJXD1-e3I9zj0YyKNv-lU5YqhsEAF9NhOr8xga4"
],
"iss": "https://example.com/issuer",
"iat": 1683000000,
"exp": 1883000000,
"vct": "https://credentials.example.com/identity_credential",
"_sd_alg": "sha-256",
"cnf": {
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
"y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
}
}
}
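Review bot: the `_sd` array carries eight digests, but the Example Credential text in `openid-4-verifiable-presentations-1_0.md` documents only three disclosures (`given_name`, `family_name`, `birthdate`); the three hashes listed there (`jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4`, `TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo`, `tiTngp9_jhC389UP8_k67MXqoSfiHq3iK6o9un4we_Y`) do appear in this array, but the remaining five are unexplained. Suggest a sentence after "The following are disclosures belonging to the claims from the example above." stating that only a subset of the disclosures is shown, so readers do not try to account for every digest.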
29 changes: 29 additions & 0 deletions examples/request/pd_sd_jwt_vc.json
@@ -0,0 +1,29 @@
{
"id": "example_sd_jwt_vc_request",
"input_descriptors": [
{
"id": "identity_credential",
"format": {
"vc+sd-jwt": {}
},
"constraints": {
"limit_disclosure": "required",
"fields": [
{
"path": ["$.vct"],
"filter": {
"type": "string",
"const": "https://credentials.example.com/identity_credential"
}
},
{
"path": ["$.family_name"]
},
{
"path": ["$.given_name"]
}
]
}
}
]
}
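Review bot: the `$.vct` field carries a `const` filter while `$.family_name` and `$.given_name` have none, and `limit_disclosure` is `required`; this works because `vct` in `examples/credentials/sd_jwt_vc.json` is a plain claim in the payload rather than one of the `_sd` digests, so the Wallet can match the credential type without releasing any disclosure. Suggest the Presentation Request prose say explicitly that `vct` is not selectively disclosable and is therefore unaffected by `limit_disclosure`, since a reader may otherwise expect a `vct` disclosure in the `vp_token` and be surprised that the example contains only the `family_name` and `given_name` disclosures.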
11 changes: 11 additions & 0 deletions examples/response/ps_sd_jwt_vc.json
@@ -0,0 +1,11 @@
{
"definition_id": "example_sd_jwt_vc_request",
"id": "example_sd_jwt_vc_presentation_submission",
"descriptor_map": [
{
"id": "identity_credential",
"path": "$",
"format": "vc+sd-jwt"
}
]
}
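Review bot: `"path": "$"` is correct only because the `vp_token` in this PR is a single SD-JWT string (`examples/response/token_response_vp_token_sd_jwt_vc.txt`) rather than a JSON array of presentations; if the request example is later extended to present more than one Credential, this path would have to become an array index. `definition_id` (`example_sd_jwt_vc_request`) and the descriptor `id` (`identity_credential`) match the `id` values in `examples/request/pd_sd_jwt_vc.json`, which is good.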
23 changes: 23 additions & 0 deletions examples/response/token_response_vp_token_sd_jwt_vc.txt
@@ -0,0 +1,23 @@
eyJhbGciOiAiRVMyNTYiLCAidHlwIjogInZjK3NkLWp3dCIsICJraWQiOiAiZG9jLXNp
Z25lci0wNS0yNS0yMDIyIn0.eyJfc2QiOiBbIjNvVUNuYUt0N3dxREt1eWgtTGdRb3p6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.
IwR3Wi_6oQPfD-kCKckaexh3iJ0wepZG25YHZIjyM5-uGBKCxKmkTzNEyDe3orM2kO0k
Kr40_8XTD83JWyQKKg~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uY
W1lIiwgIkRvZSJd~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUi
LCAiSm9obiJd~eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImtiK2p3dCJ9.eyJub25jZS
I6ICIxMjM0NTY3ODkwIiwgImF1ZCI6ICJodHRwczovL2V4YW1wbGUuY29tL3ZlcmlmaW
VyIiwgImlhdCI6IDE3MDg2MjA3OTcsICJzZF9oYXNoIjogImdtMXhTY3R1cEdJc2YwNH
RYNHlyN1ZoVEdGZHJNSk1JYlZudnhtVnVsTnMifQ.iISn2w1LTc-7sSexoXio92yr9Nk
WV_4ItUCM38qVJkQgBZ5vjrJQuhN4mbpstOfcbSni-HwXqrobfcQhalEKjg
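Review bot: this file is line-wrapped for display, but the SD-JWT compact serialization (`<issuer-signed JWT>~<disclosure>~<disclosure>~<KB-JWT>`) contains no whitespace, so a reader who copies it must join the lines first; suggest the Presentation Response prose say the line breaks are for readability only. Decoding the parts shows the example is self-consistent: the issuer-signed JWT header is `{"alg": "ES256", "typ": "vc+sd-jwt", "kid": "doc-signer-05-25-2022"}`, the two disclosures are exactly the `family_name` and `given_name` disclosures listed in the Example Credential section, and the KB-JWT has header `{"alg": "ES256", "typ": "kb+jwt"}` with `nonce`, `aud` (`https://example.com/verifier`), `iat` and `sd_hash` claims. The `nonce` and `aud` values cannot be cross-checked here because `examples/request/request.txt` is not part of this diff.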
84 changes: 84 additions & 0 deletions openid-4-verifiable-presentations-1_0.md
Expand Up @@ -1549,6 +1549,90 @@ Note: The reason hashes of the user claims are included in the `issuerAuth` item

The example in this section is also applicable to the electronic identification Verifiable Credentials expressed using data models defined in ISO/IEC TR 23220-2.

## IETF SD-JWT VC

This section defines how credentials complying with [@!I-D.ietf-oauth-sd-jwt-vc] can be presented to the Verifier using this specification.

### Format Identifier

The Credential format identifier is `vc+sd-jwt`.

#### Example Credential

The following is a non-normative example of the payload of an IETF SD-JWT VC that will be used throughout this section:

<{{examples/credentials/sd_jwt_vc.json}}

The following are disclosures belonging to the claims from the example above.

__Claim `given_name`__:

* SHA-256 Hash: `jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4`
* Disclosure:\
`WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9o`\
`biJd`
* Contents:
`["2GLC42sKQveCfGfryNRN9w", "given_name", "John"]`


__Claim `family_name`__:

* SHA-256 Hash: `TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo`
* Disclosure:\
`WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRv`\
`ZSJd`
* Contents:
`["eluV5Og3gSNII8EYnsxA_A", "family_name", "Doe"]`


__Claim `birthdate`__:

* SHA-256 Hash: `tiTngp9_jhC389UP8_k67MXqoSfiHq3iK6o9un4we_Y`
* Disclosure:\
`WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImJpcnRoZGF0ZSIsICIxOTQw`\
`LTAxLTAxIl0`
* Contents:
`["6Ij7tM-a5iVPGboS5tmvVA", "birthdate", "1940-01-01"]`

### Verifier Metadata

The Verifier SHOULD add a `vp_formats` element to its metadata (e.g. in the `client_metadata` authorization request parameter) to let the wallet know what protection algorithms it supports in conjunction with SD-JWT VCs. The format element MUST have the key `vc+sd-jwt`, the value is an object consisting of the following elements:

* `sd-jwt_alg_values`: OPTIONAL. A JSON array containing identifiers of cryptographic algorithms the verifier supports for protection of a SD-JWT. If present, the `alg` JOSE header (as defined in [@!RFC7515]) of the presented SD-JWT MUST match one of the array values.
* `kb-jwt_alg_values`: OPTIONAL. A JSON array containing identifiers of cryptographic algorithms the verifier supports for protection of a KB-JWT. If present, the `alg` JOSE header (as defined in [@!RFC7515]) of the presented KB-JWT MUST match one of the array values.

The following is a non-normative example of `client_metadata` request parameter value in a request to present a SD-JWT VC.

<{{examples/client_metadata/sd_jwt_vc_verifier_metadata.json}}

### Presentation Request

The following is a non-normative example of an Authorization Request:

<{{examples/request/request.txt}}

The following is a non-normative example of the contents of a presentation_definition parameter that contains the requirements regarding the Credential to be presented:

<{{examples/request/pd_sd_jwt_vc.json}}>

The presentation of a SD-JWT VC is requested by adding an object named `vc+sd-jwt` to the `format` object of an `input_descriptor`. The object is empty.

Setting `limit_disclosure` property defined in [@!DIF.PresentationExchange] to `required` enables selective release by instructing the Wallet to submit only the disclosures for the claims specified in the fields array.

### Presentation Response

A non-normative example of the Authorization Response would look the same as in the examples of other Credential formats in this Annex.

The following is a non-normative example of the content of the `presentation_submission` parameter:

<{{examples/response/ps_sd_jwt_vc.json}}

The following is a non-normative example of the `vp_token` parameter provided in the same response and referred to by the `presentation_submission` above:

<{{examples/response/token_response_vp_token_sd_jwt_vc.txt}}

In this example the `vp_token` contains only the disclosures for the claims specified in the `presentation_submission`, along with a Key Binding JWT.

## Combining this specification with SIOPv2

This section shows how SIOP and OpenID for Verifiable Presentations can be combined to present Verifiable Credentials and pseudonymously authenticate an end-user using subject controlled key material.
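Review bot: the closing paragraph of Presentation Response says the `vp_token` "contains only the disclosures for the claims specified in the `presentation_submission`", but the `presentation_submission` (`examples/response/ps_sd_jwt_vc.json`) only maps descriptors to paths; the claims are selected by the `fields` array of the `presentation_definition` together with `limit_disclosure: required`, as the Presentation Request text in this same hunk states. Suggest: "In this example the `vp_token` contains only the disclosures for the claims specified in the `fields` array of the `presentation_definition`, along with a Key Binding JWT." Two smaller points in the same hunk: the include `<{{examples/request/pd_sd_jwt_vc.json}}>` has a stray trailing `>` that the other includes in this section do not have, and "Setting `limit_disclosure` property defined in" should read "Setting the `limit_disclosure` property defined in".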