diff --git a/examples/authorization_details_sd_jwt_vc.json b/examples/authorization_details_sd_jwt_vc.json index 2597243..cc08984 100644 --- a/examples/authorization_details_sd_jwt_vc.json +++ b/examples/authorization_details_sd_jwt_vc.json @@ -2,8 +2,6 @@ { "type": "openid_credential", "format": "vc+sd-jwt", - "credential_definition": { - "vct": "IdentityCredential" - } + "vct": "IdentityCredential" } ] \ No newline at end of file diff --git a/examples/credential_metadata_sd_jwt_vc.json b/examples/credential_metadata_sd_jwt_vc.json index a723acd..4b90dfc 100644 --- a/examples/credential_metadata_sd_jwt_vc.json +++ b/examples/credential_metadata_sd_jwt_vc.json @@ -15,52 +15,43 @@ "text_color": "#FFFFFF" } ], - "credential_definition": { - "vct": "IdentityCredential", - "claims": { - "given_name": { - "display": [ - { - "name": "Given Name", - "locale": "en-US" - }, - { - "name": "Vorname", - "locale": "de-DE" - } - ] - }, - "last_name": { - "display": [ - { - "name": "Surname", - "locale": "en-US" - }, - { - "name": "Nachname", - "locale": "de-DE" - } - ] - }, - "email": {}, - "phone_number": {}, - "address": { - "street_address": {}, - "locality": {}, - "region": {}, - "country": {} - }, - "birthdate": {}, - "is_over_18": {}, - "is_over_21": {}, - "is_over_65": {} - } - } -} - - -{ "vct": "IdentityCredential", - "given_name": "John", - "family_name": "Doe", + "claims": { + "given_name": { + "display": [ + { + "name": "Given Name", + "locale": "en-US" + }, + { + "name": "Vorname", + "locale": "de-DE" + } + ] + }, + "last_name": { + "display": [ + { + "name": "Surname", + "locale": "en-US" + }, + { + "name": "Nachname", + "locale": "de-DE" + } + ] + }, + "email": {}, + "phone_number": {}, + "address": { + "street_address": {}, + "locality": {}, + "region": {}, + "country": {} + }, + "birthdate": {}, + "is_over_18": {}, + "is_over_21": {}, + "is_over_65": {} + } } \ No newline at end of file 
diff --git a/examples/credential_request_sd_jwt_vc.json b/examples/credential_request_sd_jwt_vc.json index 430e54d..95fc53c 100644 --- a/examples/credential_request_sd_jwt_vc.json +++ b/examples/credential_request_sd_jwt_vc.json @@ -1,8 +1,6 @@ { "format": "vc+sd-jwt", - "credential_definition": { - "vct": "IdentityCredential" - }, + "vct": "IdentityCredential", "proof": { "proof_type": "jwt", "jwt":"eyJraWQiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEva2V5cy8 diff --git a/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.md b/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.md index e155b81..fb4e778 100644 --- a/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.md +++ b/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.md 
@@ -272,86 +272,7 @@ Note: The issuer MAY decide to support both options. In which case, it is at the ## OpenID4VC Credential Format Profile {#vc_sd_jwt_profile} -This section specifies how SD-JWT VCs as defined in [@!I-D.ietf-oauth-sd-jwt-vc] are used in conjunction with the OpenID4VC specifications. - -### Format Identifier - -The Credential format identifier is `vc+sd-jwt`. This format identifier is used in issuance and presentation requests. - -### Credential Issuer Metadata {#server_metadata_vc_sd-jwt} - -The following additional Credential Issuer metadata are defined for this Credential format to be used in addition to those defined in Section 10.2 of [@!OIDF.OID4VCI]. - -* `credential_definition`: REQUIRED. JSON object containing the detailed description of the credential type. It consists at least of the following three sub elements: - * `vct`: REQUIRED. JSON string designating the type of a credential as defined in [@!I-D.ietf-oauth-sd-jwt-vc], Section 4.2.2.1. - * `claims`: OPTIONAL. A JSON object containing a list of name/value pairs, where each name identifies a claim offered in the Credential. The value can be another such object (nested data structures), or an array of such objects. To express the specifics about the claim, the most deeply nested value MAY be a JSON object that includes a following non-exhaustive list of parameters defined by this specification: - * `mandatory`: OPTIONAL. Boolean which when set to `true` indicates the claim MUST be present in the issued Credential. If the `mandatory` property is omitted its default should be assumed to be `false`. - * `value_type`: OPTIONAL. String value determining type of value of the claim. A non-exhaustive list of valid values defined by this specification are `string`, `number`, and image media types such as `image/jpeg` as defined in IANA media type registry for images (https://www.iana.org/assignments/media-types/media-types.xhtml#image). - * `display`: OPTIONAL. 
An array of objects, where each object contains display properties of a certain claim in the Credential for a certain language. Below is a non-exhaustive list of valid parameters that MAY be included: - * `name`: OPTIONAL. String value of a display name for the claim. - * `locale`: OPTIONAL. String value that identifies language of this object represented as language tag values defined in BCP47 [@!RFC5646]. There MUST be only one object for each language identifier. -* `order`: OPTIONAL. An array of claims.display.name values that lists them in the order they should be displayed by the Wallet. - -The following is a non-normative example of an object comprising `credentials_supported` parameter of Credential format `vc+sd-jwt`. - -<{{examples/credential_metadata_sd_jwt_vc.json}} - -### Credential Offer - -The following additional claims are defined for this Credential format. - -* `credential_definition`: REQUIRED. JSON object containing the detailed description of the credential type. It MUST contain at least `vct` property as defined in (#server_metadata_vc_sd-jwt). - -The following is a non-normative example of an object comprising `credentials_supported` parameter of Credential format `vc+sd-jwt`. - -<{{examples/credential_offer_sd_jwt_vc.json}} - -### Authorization Details {#authorization_vc_sd-jwt} - -The following additional claims are defined for authorization details of type `openid_credential` and this Credential format. - -* `credential_definition`: REQUIRED. JSON object containing the detailed description of the credential type. It MUST contain at least `vct` property as defined in (#server_metadata_vc_sd-jwt). It MAY contain `claims` property as defined in (#server_metadata_vc_sd-jwt). - -The following is a non-normative example of an authorization details object with Credential format `vc+sd-jwt`. 
- -<{{examples/authorization_details_sd_jwt_vc.json}} - -### Credential Request - -The following additional parameters are defined for Credential Requests and this Credential format. - -* `credential_definition`: REQUIRED. JSON object containing the detailed description of the credential type. It MUST contain at least `vct` property as defined in (#server_metadata_vc_sd-jwt). It MAY contain `claims` property as defined in (#server_metadata_vc_sd-jwt). - -The following is a non-normative example of a Credential Request with Credential format `vc+sd-jwt`. - -<{{examples/credential_request_sd_jwt_vc.json}} - -### Credential Response {#credential_response_jwt_vc_json} - -The value of the `credential` claim in the Credential Response MUST be a JSON string that is an SD-JWT VC. Credentials of this format are already suitable for transfer and, therefore, they need not and MUST NOT be re-encoded. - -The following is a non-normative example of a Credential Response with Credential format `vc+sd-jwt`. - -<{{examples/credential_response_sd_jwt_vc.txt}} - -### Verifier Metadata - -The Verifier SHOULD add a `vp_formats` element to its metadata (e.g. in the `client_metadata` authorization request parameter) to let the wallet know what protection algorithms it supports in conjunction with SD-JWT VCs. The format element MUST have the key `vc+sd-jwt`, the value is an object consisting of the following elements: - -* `sd-jwt_alg_values`: OPTIONAL. A JSON array containing identifiers of cryptographic algorithms the verifier supports for protection of a SD-JWT. If present, the `alg` JOSE header (as defined in [@!RFC7515]) of the presented SD-JWT MUST match one of the array values. -* `kb-jwt_alg_values`: OPTIONAL. A JSON array containing identifiers of cryptographic algorithms the verifier supports for protection of a KB-JWT. If present, the `alg` JOSE header (as defined in [@!RFC7515]) of the presented KB-JWT MUST match one of the array values. 
- -The following is a non-normative example of `client_metadata` request parameter value in a request to present a SD-JWT VC. - -<{{examples/client_metadata_sd_jwt_vc.json}} - -### Presentation Definition - -The presentation of a SD-JWT VC is requested by adding an object named `vc+sd-jwt` to the `format` object of an `input_descriptor`. The object is empty. - -The following is a non-normative example of a presentation definition for a SD-JWT VC. - -<{{examples/presentation_definition_sd_jwt_vc.json}} +A Credential Format Profile for Credentials complying with IETF SD-JWT VCs [@!I-D.ietf-oauth-sd-jwt-vc] is defined in Annex A.3 of [@!OIDF.OID4VCI] and Annex A.4 of [@!OIDF.OID4VP]. # Crypto Suites
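Review bot: (examples/authorization_details_sd_jwt_vc.json) the flattening is consistent with the other two example files in this patch, but the file still ends with `\ No newline at end of file`; since the line is being touched anyway, add the trailing newline so the JSON examples are uniform and later diffs stay clean.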
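Review bot: (examples/credential_metadata_sd_jwt_vc.json) the removed lines show that the old file carried a second, stray JSON object after the metadata object (`{ "vct": "IdentityCredential", "given_name": "John", "family_name": "Doe", ...`), which made the example invalid JSON; collapsing it into a single object is the right fix. One inconsistency survives the rewrite: the metadata `claims` object names the surname claim `last_name` (displayed as "Surname"/"Nachname"), while the removed example payload used `family_name` for the same claim. Decide which claim name the profile intends and use it here, otherwise the metadata and the credentials it describes will not line up.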
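Review bot: (examples/credential_request_sd_jwt_vc.json) no logic problem here: `vct` keeps its trailing comma because `proof` follows it, so the object stays valid JSON, and the shape now matches the authorization_details example. As a follow-up check, a search for `credential_definition` across examples/ should come back empty once these three files are flattened; if any other example still uses the wrapper, it should be updated in the same change.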
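Review bot: (openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.md) replacing the whole Credential Format Profile section with a one-line pointer to Annex A.3 of OID4VCI and Annex A.4 of OID4VP also removes the Verifier Metadata definitions (`sd-jwt_alg_values`, `kb-jwt_alg_values`), the Presentation Definition text and the named section anchors `#server_metadata_vc_sd-jwt`, `#authorization_vc_sd-jwt` and `#credential_response_jwt_vc_json`; confirm the two annexes cover the verifier-side definitions, and grep the rest of the document for the deleted anchors so no cross-reference is left dangling. The example files this section embedded but which the patch does not touch (`credential_offer_sd_jwt_vc.json`, `credential_response_sd_jwt_vc.txt`, `client_metadata_sd_jwt_vc.json`, `presentation_definition_sd_jwt_vc.json`) are now unreferenced by this document, so either delete them here or say why they stay.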