From 9ed1fce9c0555d142eac9f86463f22748211f701 Mon Sep 17 00:00:00 2001 From: Michael Jones Date: Sat, 9 Dec 2023 17:57:26 -0800 Subject: [PATCH 1/9] Add missing IANA registrations --- ...id-4-verifiable-credential-issuance-1_0.md | 121 +++++++++++++++--- 1 file changed, 106 insertions(+), 15 deletions(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index d3a60c7f..f029cb7f 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -1300,7 +1300,7 @@ The Wallet is supposed to detect signs of fraudulent behavior related to the Cre If an adversary is able to get hold of a key proof defined in (#proof_types), the adversary could get a Credential issued that is bound to a key pair controlled by the victim. -Note: For the attacker to be able to present to the Verifier a Credential bound to a replayed Key Proof, the attacker also needs to obtain the victim's private key. To limit this, servers are RECOMMENDED to check how the Wallet protects the private keys, using mechanisms such as Key Based Client Authentication defined in [@I-D.looker-oauth-attestation-based-client-auth]. +Note: For the attacker to be able to present to the Verifier a Credential bound to a replayed Key Proof, the attacker also needs to obtain the victim's private key. To limit this, servers are RECOMMENDED to check how the Wallet protects the private keys, using mechanisms such as Key Based Client Authentication defined in [@!I-D.ietf-oauth-attestation-based-client-auth]. `nonce` parameter is the primary countermeasure against key proof replay. To further narrow down the attack vector, the Credential Issuer SHOULD bind a unique `nonce` parameter to the respective Access Token. @@ -1434,9 +1434,12 @@ TBD Microsoft - Microsoft + Self-Issued Consulting + + + sprind.org - + 
@@ -1570,21 +1573,18 @@ TBD OpenID for Verifiable Presentations - ConsenSys Mesh + Mattr - yes.com + sprind.org Microsoft - - Convergence.tech - Mattr - + 
@@ -1625,31 +1625,122 @@ TBD Connect2id - + + + + OAuth Parameters + + IANA + + + + + + + + Media Types + + IANA + + + + # IANA Considerations ## Sub-Namespace Registration -This section registers the value "urn:ietf:params:oauth:grant-type:pre-authorized_code" in the IANA "OAuth URI" registry established by "An IETF URN Sub-Namespace for OAuth" [@!RFC6755]. +This specification registers the following URN in the IANA "OAuth URI" registry [@!IANA.OAuth.Parameters] established by [@!RFC6755]. * URN: urn:ietf:params:oauth:grant-type:pre-authorized_code * Common Name: Pre-Authorized Code -* Change Controller: AB/Connect Working Group - openid-specs-ab@lists.openid.net -* Specification Document: (#token_request) of this document +* Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#token_request) of this spedification + +## OAuth Parameters Registry + +This specification registers the following parameter names in the IANA "OAuth Parameters" registry [@!IANA.OAuth.Parameters] established by [@!RFC6749]. 
+ +* Parameter Name: issuer_state +* Parameter Usage Location: authorization request +* Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#credential-authz-request) of this specification + +* Parameter Name: c_nonce +* Parameter Usage Location: token response +* Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#token-response) of this specification + +* Parameter Name: c_nonce_expires_in +* Parameter Usage Location: token response +* Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#token-response) of this specification + +## OAuth Dynamic Client Registration Metadata Registry + +This specification registers the following client metadata name in the IANA "OAuth Dynamic Client Registration Metadata" registry [@!IANA.OAuth.Parameters] established by [@!RFC7591]. + +* Client Metadata Name: credential_offer_endpoint +* Client Metadata Description: Credential Offer Endpoint +* Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#credential_offer_endpoint) of this specification ## Well-Known URI Registry -This specification registers the well-known URI defined in (#credential-issuer-wellknown) in the IANA Well-Known URI registry defined in RFC 5785 [@!RFC5785]. +This specification registers the following well-known URI in the IANA "Well-Known URI" registry established by [@!RFC5785]. 
* URI suffix: openid-credential-issuer -* Change controller: AB/Connect Working Group - openid-specs-ab@lists.openid.net +* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net * Specification document: (#credential-issuer-wellknown) of this document * Related information: (none) +## Media Types Registry + +This specification registers the following media types in the IANA "Media Types" registry [@!IANA.MediaTypes] in the manner described in [@!RFC6838]. + +* Type name: `application` +* Subtype name: `openid4vci-proof+jwt` +* Required parameters: n/a +* Optional parameters: n/a +* Encoding considerations: Uses JWS Compact Serialization, as specified in [@!RFC7515]. +* Security considerations: See the Security Considerations in [@!RFC7519]. +* Interoperability considerations: n/a +* Published specification: (#jwt-proof-type) of this specification +* Applications that use this media type: Applications that issue and store verifiable credentials +* Additional information: + - Magic number(s): n/a + - File extension(s): n/a + - Macintosh file type code(s): n/a +* Person & email address to contact for further information: TBD +* Intended usage: COMMON +* Restrictions on usage: none +* Author: Michael B. Jones, michael_b_jones@hotmail.com +* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Provisional registration? No + +* Type name: `application` +* Subtype name: `openid4vci-proof+cwt` +* Required parameters: n/a +* Optional parameters: n/a +* Encoding considerations: Binary CBOR, as specified in [@!RFC9052] +* Security considerations: See the Security Considerations in [@!RFC8392]. 
+* Interoperability considerations: n/a +* Published specification: (#cwt-proof-type) of this specification +* Applications that use this media type: Applications that issue and store verifiable credentials +* Additional information: + - Magic number(s): n/a + - File extension(s): n/a + - Macintosh file type code(s): n/a +* Person & email address to contact for further information: TBD +* Intended usage: COMMON +* Restrictions on usage: none +* Author: Michael B. Jones, michael_b_jones@hotmail.com +* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Provisional registration? No + # Acknowledgements {#Acknowledgements} We would like to thank Paul Bastian, Vittorio Bertocci, Christian Bormann, John Bradley, Brian Campbell, Gabe Cohen, David Chadwick, Andrii Deinega, Giuseppe De Marco, Mark Dobrinic, Daniel Fett, Pedro Felix, George Fletcher, Timo Glasta, Mark Haine, Fabian Hauck, Roland Hedberg, Joseph Heenan, Alen Horvat, Andrew Hughes, Jacob Ideskog, Edmund Jay, Michael B. Jones, Tom Jones, Judith Kahrer, Takahiko Kawasaki, Niels Klomp, Ronald Koenig, Markus Kreusch, Adam Lemmon, Daniel McGrogan, Jeremie Miller, Kenichi Nakamura, Rolson Quadras, Nat Sakimura, Oliver Terbu, Arjen van Veen, David Waite, Jacob Ward for their valuable feedback and contributions to this specification. From 1ba535942ab734eb8486222438bab3d25d14e8b1 Mon Sep 17 00:00:00 2001 From: Kristina <52878547+Sakurann@users.noreply.github.com> Date: Wed, 13 Dec 2023 05:18:23 -0800 Subject: [PATCH 2/9] add missing parameter names --- ...id-4-verifiable-credential-issuance-1_0.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index f029cb7f..0e03b5de 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -1664,11 +1664,31 @@ This specification registers the following URN in the IANA "OAuth URI" registry This specification registers the following parameter names in the IANA "OAuth Parameters" registry [@!IANA.OAuth.Parameters] established by [@!RFC6749]. +* Parameter Name: wallet_issuer +* Parameter Usage Location: authorization request +* Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#credential-authz-request) of this specification + +* Parameter Name: user_hint +* Parameter Usage Location: authorization request +* Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#credential-authz-request) of this specification + * Parameter Name: issuer_state * Parameter Usage Location: authorization request * Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net * Reference: (#credential-authz-request) of this specification +* Parameter Name: pre-authorized_code +* Parameter Usage Location: token request +* Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#token_request) of this specification + +* Parameter Name: tx_code +* Parameter Usage Location: token request +* Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#token_request) of this specification + * Parameter Name: c_nonce * Parameter Usage Location: token response * Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net From 458a5206f09528e7dd898e12db1cd5ef82f142ed Mon Sep 17 00:00:00 2001 
From: Kristina <52878547+Sakurann@users.noreply.github.com> Date: Thu, 14 Dec 2023 09:37:18 -0800 Subject: [PATCH 3/9] add oauth extensions error registry section --- ...id-4-verifiable-credential-issuance-1_0.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 0e03b5de..407cf9f1 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -1708,6 +1708,40 @@ This specification registers the following client metadata name in the IANA "OAu * Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net * Reference: (#credential_offer_endpoint) of this specification +## OAuth Extensions Error Registry + +This specification registers the following error values in the IANA "OAuth Extensions Error Registry" [@!IANA.OAuth.Params] established by [@!RFC6749]. + +* Name: invalid_credential_request +* Usage Location: resource access error response +* Protocol Extension: OpenID for Verifiable Credentials Issuance +* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#credential-request-error) of this specification + +* Name: unsupported_credential_type +* Usage Location: resource access error response +* Protocol Extension: OpenID for Verifiable Credentials Issuance +* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#credential-request-error) of this specification + +* Name: unsupported_credential_format +* Usage Location: resource access error response +* Protocol Extension: OpenID for Verifiable Credentials Issuance +* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#credential-request-error) of this specification + +* Name: invalid_proof +* Usage Location: resource access error response +* Protocol Extension: OpenID for Verifiable Credentials Issuance +* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#credential-request-error) of this specification + +* Name: invalid_encryption_parameters +* 
Usage Location: resource access error response +* Protocol Extension: OpenID for Verifiable Credentials Issuance +* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net +* Reference: (#credential-request-error) of this specification + ## Well-Known URI Registry This specification registers the following well-known URI in the IANA "Well-Known URI" registry established by [@!RFC5785]. From 766df036875355f1ae06ee3a9d7db1084a8dc00a Mon Sep 17 00:00:00 2001 From: Kristina <52878547+Sakurann@users.noreply.github.com> Date: Thu, 14 Dec 2023 09:45:28 -0800 Subject: [PATCH 4/9] make sure the file compiles --- openid-4-verifiable-credential-issuance-1_0.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 407cf9f1..04dd5383 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -1710,37 +1710,37 @@ This specification registers the following client metadata name in the IANA "OAu ## OAuth Extensions Error Registry -This specification registers the following error values in the IANA "OAuth Extensions Error Registry" [@!IANA.OAuth.Params] established by [@!RFC6749]. +This specification registers the following error values in the IANA "OAuth Extensions Error Registry" [@!IANA.OAuth.Parameters] established by [@!RFC6749]. * Name: invalid_credential_request * Usage Location: resource access error response * Protocol Extension: OpenID for Verifiable Credentials Issuance * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net -* Reference: (#credential-request-error) of this specification +* Reference: (#credential-request-errors) of this specification * Name: unsupported_credential_type * Usage Location: resource access error response * Protocol Extension: OpenID for Verifiable Credentials Issuance * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net -* Reference: (#credential-request-error) of this specification +* Reference: (#credential-request-errors) of this specification * Name: unsupported_credential_format * Usage Location: resource access error response * Protocol Extension: OpenID for Verifiable Credentials Issuance * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net -* Reference: (#credential-request-error) of this specification +* Reference: (#credential-request-errors) of this specification * Name: invalid_proof * Usage Location: resource access error response * Protocol Extension: OpenID for Verifiable Credentials Issuance * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - 
openid-specs-digital-credentials-protocols@lists.openid.net -* Reference: (#credential-request-error) of this specification +* Reference: (#credential-request-errors) of this specification * Name: invalid_encryption_parameters * Usage Location: resource access error response * Protocol Extension: OpenID for Verifiable Credentials Issuance * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net -* Reference: (#credential-request-error) of this specification +* Reference: (#credential-request-errors) of this specification ## Well-Known URI Registry From ef7d1afbdb39da14d7b8cc7021c16f2c730bfbbc Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Mon, 18 Dec 2023 09:06:14 -0800 Subject: [PATCH 5/9] Update openid-4-verifiable-credential-issuance-1_0.md Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com> --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 04dd5383..ee7740b1 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -1771,7 +1771,7 @@ This specification registers the following media types in the IANA "Media Types" * Person & email address to contact for further information: TBD * Intended usage: COMMON * Restrictions on usage: none -* Author: Michael B. Jones, michael_b_jones@hotmail.com +* Author: Torsten Lodderstedt, torsten@lodderstedt.net * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net * Provisional registration? No From b69339350861793ad73d04b9988045a25e5bd475 Mon Sep 17 00:00:00 2001 
From: "Michael B. Jones" Date: Mon, 18 Dec 2023 09:06:24 -0800 Subject: [PATCH 6/9] Update openid-4-verifiable-credential-issuance-1_0.md Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com> --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index ee7740b1..b9b341e4 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -1788,7 +1788,7 @@ This specification registers the following media types in the IANA "Media Types" - Magic number(s): n/a - File extension(s): n/a - Macintosh file type code(s): n/a -* Person & email address to contact for further information: TBD +* Person & email address to contact for further information: Torsten Lodderstedt, torsten@lodderstedt.net * Intended usage: COMMON * Restrictions on usage: none * Author: Michael B. Jones, michael_b_jones@hotmail.com From 3cd7935768e03b3140910e9d4f68c46da5e31b28 Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Mon, 18 Dec 2023 09:06:34 -0800 Subject: [PATCH 7/9] Update openid-4-verifiable-credential-issuance-1_0.md Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com> --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index b9b341e4..20f6ef30 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -1791,7 +1791,7 @@ This specification registers the following media types in the IANA "Media Types" * Person & email address to contact for further information: Torsten Lodderstedt, torsten@lodderstedt.net * Intended usage: COMMON * Restrictions on usage: none -* Author: Michael B. Jones, michael_b_jones@hotmail.com +* Author: Torsten Lodderstedt, torsten@lodderstedt.net * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net * Provisional registration? No From 3a2f244a02507ecedfb22877bf90dd7fc9540272 Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Mon, 18 Dec 2023 09:06:45 -0800 Subject: [PATCH 8/9] Update openid-4-verifiable-credential-issuance-1_0.md Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com> --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 20f6ef30..8d43abf3 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -1768,7 +1768,7 @@ This specification registers the following media types in the IANA "Media Types" - Magic number(s): n/a - File extension(s): n/a - Macintosh file type code(s): n/a -* Person & email address to contact for further information: TBD +* Person & email address to contact for further information: Torsten Lodderstedt, torsten@lodderstedt.net * Intended usage: COMMON * Restrictions on usage: none * Author: Torsten Lodderstedt, torsten@lodderstedt.net From 56e100514c25691fca65abfbcc970ea052c6bf78 Mon Sep 17 00:00:00 2001 
From: "Michael B. Jones" Date: Tue, 19 Dec 2023 13:00:52 -0800 Subject: [PATCH 9/9] Update openid-4-verifiable-credential-issuance-1_0.md Accepted Brian's suggestion Co-authored-by: Brian Campbell <71398439+bc-pi@users.noreply.github.com> --- ...id-4-verifiable-credential-issuance-1_0.md | 33 ------------------- 1 file changed, 33 deletions(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 8d43abf3..6540d37a 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -1708,39 +1708,6 @@ This specification registers the following client metadata name in the IANA "OAu * Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net * Reference: (#credential_offer_endpoint) of this specification -## OAuth Extensions Error Registry - -This specification registers the following error values in the IANA "OAuth Extensions Error Registry" [@!IANA.OAuth.Parameters] established by [@!RFC6749]. - -* Name: invalid_credential_request -* Usage Location: resource access error response -* Protocol Extension: OpenID for Verifiable Credentials Issuance -* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net -* Reference: (#credential-request-errors) of this specification - -* Name: unsupported_credential_type -* Usage Location: resource access error response -* Protocol Extension: OpenID for Verifiable Credentials Issuance -* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net -* Reference: (#credential-request-errors) of this specification - -* Name: unsupported_credential_format -* Usage Location: resource access error response -* Protocol Extension: OpenID for Verifiable Credentials Issuance -* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net -* Reference: (#credential-request-errors) of this specification - -* Name: invalid_proof -* Usage Location: resource access error response -* Protocol Extension: OpenID for Verifiable Credentials Issuance -* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net -* Reference: (#credential-request-errors) of this specification - -* Name: invalid_encryption_parameters 
-* Usage Location: resource access error response -* Protocol Extension: OpenID for Verifiable Credentials Issuance -* Change controller: OpenID Foundation Digital Credentials Protocols Working Group - openid-specs-digital-credentials-protocols@lists.openid.net -* Reference: (#credential-request-errors) of this specification ## Well-Known URI Registry
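Review bot: in patch 1, hunk @@ -1300, the prose still names the mechanism "Key Based Client Authentication" while the citation now points at I-D.ietf-oauth-attestation-based-client-auth, whose title is "OAuth 2.0 Attestation-Based Client Authentication"; rename it in the sentence so a reader can locate the draft. Promoting the citation to normative (`[@!I-D.ietf-oauth-attestation-based-client-auth]`) also sits oddly with "mechanisms such as" and a RECOMMENDED rather than REQUIRED check: an informative `[@I-D.ietf-oauth-attestation-based-client-auth]` says the same thing without making publication of this specification depend on an unfinished Internet-Draft.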
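Review bot: in patch 1, hunks @@ -1434 and @@ -1570 edit author affiliations and the author list of two reference entries (Microsoft to Self-Issued Consulting plus sprind.org; ConsenSys Mesh and yes.com to Mattr and sprind.org, with the Convergence.tech and Mattr entries dropped) and have nothing to do with the IANA registrations the subject line announces. Move them to their own commit with a message saying why the affiliations changed; otherwise anyone bisecting the references later has to dig through the registration hunk to find them.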
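Review bot: in patch 1, hunk @@ -1625, the Sub-Namespace Registration entry reads "Reference: (#token_request) of this spedification" (typo), and the field labels now differ from entry to entry: "Reference: ... of this specification" for the URN, parameter and client metadata entries, but "Specification document: ... of this document" for the Well-Known URI entry. Pick one label and one trailing phrase and use it for every entry, so the IANA request can be copied out of the document without editing.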
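Review bot: in patch 1, hunk @@ -1625, the `application/openid4vci-proof+jwt` registration gives "Security considerations: See the Security Considerations in [@!RFC7519]" and the `+cwt` one points only at [@!RFC8392], yet the specific risk for these media types is the key proof replay this same patch edits in hunk @@ -1300, where `nonce` bound to the access token is the countermeasure. Both entries should also cite this specification's own security considerations, since generic JWT/CWT guidance says nothing about proof replay or key binding. Two smaller points on the `+cwt` entry: "Binary CBOR, as specified in [@!RFC9052]" cites COSE for the CBOR encoding, while CBOR itself is RFC 8949 (cite RFC 8949 for the encoding and RFC 9052 for the COSE signing structure), and both entries ship with "Person & email address to contact for further information: TBD", a placeholder that only gets filled in by patches 5 through 8.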
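Review bot: patches 3, 4 and 9 are net-zero churn: patch 3 adds the "OAuth Extensions Error Registry" section with a non-existent `[@!IANA.OAuth.Params]` citation key and five `(#credential-request-error)` anchors that don't resolve, patch 4 repairs both, and patch 9 deletes the whole section again. Drop all three from the series, and if the decision not to register `invalid_credential_request`, `unsupported_credential_type`, `unsupported_credential_format`, `invalid_proof` and `invalid_encryption_parameters` is deliberate, state the reason in the commit message of whichever patch remains; "Accepted Brian's suggestion" leaves no rationale in the history for the next person who asks why these error codes are unregistered.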
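Review bot: patches 5 through 8 are four one-line commits, each replacing a single "TBD" or "Michael B. Jones, michael_b_jones@hotmail.com" line with "Torsten Lodderstedt, torsten@lodderstedt.net" in the two media type registrations (@@ -1771, @@ -1788, @@ -1791, @@ -1768), with identical subject lines. Squash them into patch 1, which introduced those lines, or at least into one commit whose subject says what it does ("Set contact and author for media type registrations"); as committed, `git log --oneline` shows four indistinguishable "Update openid-4-verifiable-credential-issuance-1_0.md" entries.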