add sd-jwt vc profile to vci #128
Conversation
Sakurann
requested review from
bifurcation,
danielfett,
jogu,
tlodderstedt,
pmhsfelix,
peppelinux,
c2bo,
awoie,
bc-pi,
selfissued and
tplooker
Co-authored-by: Joseph Heenan <joseph@heenan.me.uk> Co-authored-by: Giuseppe De Marco <demarcog83@gmail.com>
Co-authored-by: Paul Bastian <paul.bastian@posteo.de>
Co-authored-by: Oliver Terbu <43441584+awoie@users.noreply.github.com> Co-authored-by: Joseph Heenan <joseph@heenan.me.uk>
|
@TimoGlastra just the heads up that if you implemented sd-jwt vc profile that was in HAIP, this PR introduces breaking changes to that. |
|
|
||
| The following additional parameters are defined for Credential Requests and this Credential format. | ||
|
|
||
| * `vct`: REQUIRED when the `credential_identifier` is not used. String as defined in (#server_metadata_sd_jwt_vc). This claim contains the type values the Wallet requests authorization for at the Credential Issuer. |
There was a problem hiding this comment.
Do we need to clearer about when VCT and credential_identifier are both present in a credential request? Does one need to take precedent, what if they conflict?
There was a problem hiding this comment.
If we do, I think it should be clarified when addressing issue #132.
the clarification should also be in this section that defines the behavior of credential request https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html#name-credential-request, so this is probably out of scope of this PR.
the current thinking has been that both format specific claims and credential_identifier can be present since it is possible to use both scopes and RAR in the same authz request
There was a problem hiding this comment.
I cannot think of any case where both, the credential_identifier and the vct could be in the same request, so this should be a MUST NOT if credential_identifier is present.
The credential request text already states "When this parameter is used, the format parameter and any other Credential format specific set of parameters such as those defined in (#format_profiles) MUST NOT be present."
Additionally, I'm not sure these requirements should be stated in a profile as the interplay between credential_identifier and format+format specific type information is subject to the core spec. I think the profile should state something like: "vct: determines the type of a credential of this format, might also be used in credential request ..."
There was a problem hiding this comment.
Right. I confused the ability to use both for the same credential - we still currently support using RAR for one credential and format/type for another with the same access token.
This came up because 'vct' is mandatory when format/type is used but must not be present when credential_identifier is used. So honestly, I would suggest that current language works ok.
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
|
|
||
| The following additional parameters are defined for Credential Requests and this Credential format. | ||
|
|
||
| * `vct`: REQUIRED when the `credential_identifier` is not used. String as defined in (#server_metadata_sd_jwt_vc). This claim contains the type values the Wallet requests authorization for at the Credential Issuer. |
There was a problem hiding this comment.
| * `vct`: REQUIRED when the `credential_identifier` is not used. String as defined in (#server_metadata_sd_jwt_vc). This claim contains the type values the Wallet requests authorization for at the Credential Issuer. | |
| * `vct`: String as defined in (#server_metadata_sd_jwt_vc). This claim contains the type values the Wallet requests authorization for at the Credential Issuer. This claim MUST NOT be present if the `credential_identifier` is present in the request. |
There was a problem hiding this comment.
I clarified for all other credential formats, too.
|
|
||
| The following additional parameters are defined for Credential Requests and this Credential format. | ||
|
|
||
| * `vct`: REQUIRED when the `credential_identifier` was not present in the Credential Request. MUST NOT be used otherwise. String as defined in (#server_metadata_sd_jwt_vc). This claim contains the type values the Wallet requests authorization for at the Credential Issuer. |
There was a problem hiding this comment.
| * `vct`: REQUIRED when the `credential_identifier` was not present in the Credential Request. MUST NOT be used otherwise. String as defined in (#server_metadata_sd_jwt_vc). This claim contains the type values the Wallet requests authorization for at the Credential Issuer. | |
| * `vct`: REQUIRED when the `credential_identifier` is not present in the Credential Request. MUST NOT be used otherwise. String as defined in (#server_metadata_sd_jwt_vc). This claim contains the type values the Wallet requests authorization for at the Credential Issuer. |
|
|
||
| The following additional parameters are defined for Credential Requests and this Credential format. | ||
|
|
||
| * `vct`: REQUIRED when the `credential_identifier` was not present in the Credential Request. MUST NOT be used otherwise. String as defined in (#server_metadata_sd_jwt_vc). This claim contains the type values the Wallet requests authorization for at the Credential Issuer. |
There was a problem hiding this comment.
| * `vct`: REQUIRED when the `credential_identifier` was not present in the Credential Request. MUST NOT be used otherwise. String as defined in (#server_metadata_sd_jwt_vc). This claim contains the type values the Wallet requests authorization for at the Credential Issuer. | |
| * `vct`: REQUIRED when the `credential_identifier` was not present in the Credential Request. MUST NOT be used otherwise. String as defined in (#server_metadata_sd_jwt_vc). This claim contains the type value of the Credential the Wallet requests the Credential Issuer to issue. |
|
|
||
| ### Credential Issuer Metadata {#server_metadata_sd_jwt_vc} | ||
|
|
||
| The following additional Credential Issuer metadata parameters are defined for this Credential format to be added to the `credentials_supported` parameter in addition to those defined in (#credential-issuer-parameters). |
There was a problem hiding this comment.
This will conflict with with the credential_configurations_supported change.
Co-authored-by: Torsten Lodderstedt <torsten@lodderstedt.net>
resolves #122. resolves #28. resolves #134