Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

second attempt to add sd-jwt vcdm #147

Open
wants to merge 29 commits into
base: main
Choose a base branch
from
+106 −14
Open

second attempt to add sd-jwt vcdm #147

Changes from all commits
Commits
Show all changes
29 commits
Select commit Hold shift + click to select a range
faa61c1
second attempt to add sd-jwt vcdm
Dec 19, 2024
e3a2310
Apply suggestions from code review
Sakurann Jan 16, 2025
c363732
removing the schema related text
Sakurann Jan 16, 2025
90f1854
allow both signed and unsigned requests. mandate both for the wallet,…
Nov 28, 2024
b923559
resolve merge conflict
Jan 28, 2025
b4b4dc1
fix rebasing
Jan 28, 2025
87ea4e1
add requirements on iat and exp
Jan 28, 2025
91daefd
editorial: indentation, rendering fixes, small typos (#152)
c2bo Jan 15, 2025
67db658
update session transcript section to use oid4vp annex b (#146)
awoie Jan 15, 2025
cd003df
editorial: Wallet is a defined term (#82)
peppelinux Jan 16, 2025
6fd3679
Add specific requirements for response encryption (#155)
bc-pi Jan 17, 2025
78a01d9
Mandate DCQL instead of PE; all DCQL features are mandatory (#151)
c2bo Jan 23, 2025
a5033d5
removed pre-authz code (#154)
tlodderstedt Jan 24, 2025
d479a18
Remove the Wallet Attestation Schema and point to OpenID4VCI instead …
paulbastian Jan 27, 2025
c1d5151
fix: updated oid4vp version number
awoie Jan 23, 2025
3346319
fix: adjusted day to anticipated publication date
awoie Jan 23, 2025
5d62c89
ed: updated doc history
awoie Jan 23, 2025
e95f717
fix rebasing
Jan 28, 2025
bcd507f
fix rebasing
Jan 28, 2025
f2c2e4d
fix rebasing
Jan 28, 2025
5fc1e2f
fix rebasing'
Jan 28, 2025
c357d67
accept Oliver's suggestion on iss
Sakurann Jan 28, 2025
6a3f16b
clarify represent for sub and status
Jan 28, 2025
5266cf8
add Oliver's processor usage text as a starting point
Sakurann Jan 28, 2025
818a29e
format processing steps section
Jan 28, 2025
1fbef98
add a sentence on type and vct
Jan 28, 2025
f9fc560
AFAIK -02 was put out yesterday https://lists.openid.net/pipermail/op…
bc-pi Jan 28, 2025
9b31b9a
fix refs
bc-pi Jan 28, 2025
ac0f777
add `validFrom` and `validTo` properties
Sakurann Jan 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
120 changes: 106 additions & 14 deletions openid4vc-high-assurance-interoperability-profile-1_0.md
View file
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
%%%
title = "OpenID4VC High Assurance Interoperability Profile - draft 01"
title = "OpenID4VC High Assurance Interoperability Profile - draft 03"
abbrev = "openid4vc-high-assurance-interoperability-profile"
ipr = "none"
workgroup = "Digital Credentials Protocols"
keyword = ["security", "openid4vc", "sd-jwt", "sd-jwt-vc", "mdoc"]

[seriesInfo]
name = "Internet-Draft"
value = "openid4vc-high-assurance-interoperability-profile-1_0-02"
value = "openid4vc-high-assurance-interoperability-profile-1_0-03"
status = "standard"

[[author]]
@@ -181,7 +181,6 @@ The following requirements apply for both, the Wallet and the Verifier, unless s
The JWE `enc` (encryption algorithm) header parameter (see [@!RFC7516, section 4.1.2]) value `A128GCM` (as defined in [@!RFC7518, section 5.3]) MUST be supported.
* The DCQL query and response as defined in Section 6 of [@!OIDF.OID4VP] MUST be used. Presentation Exchange as defined in Sections 5.4 and 5.5 of [@!OIDF.OID4VP] MUST NOT be used.


## ISO mdoc specific requirements for OpenID for Verifiable Presentations over W3C Digital Credentials API

Requirements for both the Wallet and the Verifier:
@@ -255,6 +254,91 @@ Note: The issuer MAY decide to support both options. In which case, it is at the

A Credential Format Profile for Credentials complying with IETF SD-JWT VCs [@!I-D.ietf-oauth-sd-jwt-vc] is defined in Annex A.3 of [@!OIDF.OID4VCI] and Annex A.4 of [@!OIDF.OID4VP].

## SD-JWT VC Data Model (SD-JWT VCDM)

SD-JWT VCDM is a credential format that is compliant to IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc] that allows the usage of existing data structures represented using W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0], while enabling selective disclosure.
Copy link

@peacekeeper peacekeeper Jan 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please change this sentence. While admittedly not strictly untrue, to most readers, this paragraph will only perpetuate the false claim that W3C VCDM does not support selective disclosure, which has been spread at various conferences and communities in the last years. The claim that SD-JWT VCDM is needed to do SIMPLE selective disclosure with W3C VCDM is equally untrue, as you can also just use plain SD-JWT if you really want. The introduction should explain this to avoid risk of further confusion and deception.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This, of course, doesn't strictly speak to the false cry of perpetuating claims that W3C VCDM does not support selective disclosure but might be more relatable to many readers.

Suggested change
SD-JWT VCDM is a credential format that is compliant to IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc] that allows the usage of existing data structures represented using W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0], while enabling selective disclosure.
SD-JWT VCDM is a credential format that is compliant to IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc] that allows the usage of existing data structures represented using W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0], while enabling a consistent approach to selective disclosure.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

false cry

I don't think it's helpful to bring emotions into this thread. There is no "cry", and it is not "false" to simply observe that SD-JWT (VC(DM)) proponents have made false claims about selective disclosure in W3C VCDM.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To try and be productive, I don't think this suggested change is helpful, since it still doesn't explain why SD-JWT VCDM is needed. If you want to enable "a consistent approach to selective disclosure", as this suggestion says, you can also just use plain SD-JWT with VCDM directly, without the SD-JWT VC extensions.

Therefore I still think this introduction needs to explain somehow what this work adds to what's already out there.


SD-JWT VCDM credentials contain a data structure that can be processed using a JSON-LD processor after applying SD-JWT processing.

When IETF SD-JWT VC is mentioned in this specification, SD-JWT VCDM defined in this section MAY be used.

Implementaters of SD-JWT VCDM MUST use valid values for both `vct` Claim defined in IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc] and `type` proprty defined in W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0].
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do they have to match or not? What happens if one client processes the vct claim, and another processes the type claim, and they arrive at different conclusions? To me it sounds like a huge source of ambiguity and potential problems if a data model contains basically the same concept twice ("type of a Verifiable Credential"). Especially if not only the values can be different, but also the way how the values are being expressed is different.

Saying that "it's the responsibility of the issuer" is a bit naïve I think...

Copy link
Member

@bc-pi bc-pi Jan 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Implementaters of SD-JWT VCDM MUST use valid values for both `vct` Claim defined in IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc] and `type` proprty defined in W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0].
Implementers of SD-JWT VCDM MUST use valid values for both `vct` Claim defined in IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc] and `type` property defined in W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0].

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Implementaters of SD-JWT VCDM MUST use valid values for both `vct` Claim defined in IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc] and `type` proprty defined in W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0].
Implementaters of SD-JWT VCDM MUST use valid values for both `vct` Claim defined in IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc] and `type` property defined in W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0].

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Implementaters of SD-JWT VCDM MUST use valid values for both `vct` Claim defined in IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc] and `type` proprty defined in W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0].
Implementaters of SD-JWT VCDM MUST use valid values for both `vct` Claim defined in IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc] and `type` property defined in W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0].


For backward compatibility with JWT processors, the following registered JWT claims MUST be used, instead of their respective counterpart properties in W3C VCDM [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0]:

* To represent the validity period of SD-JWT VCDM (i.e., cryptographic signature), `exp`/`iat` Claims encoded as a UNIX timestamp (NumericDate) MUST be used, and not `expirationDate` and `issuanceDate` properties defined in [@!W3C.VCDM1.1], `validFrom` and `validTo` properties defined in [@!W3C.VCDM2.0].
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* To represent the validity period of SD-JWT VCDM (i.e., cryptographic signature), `exp`/`iat` Claims encoded as a UNIX timestamp (NumericDate) MUST be used, and not `expirationDate` and `issuanceDate` properties defined in [@!W3C.VCDM1.1], `validFrom` and `validTo` properties defined in [@!W3C.VCDM2.0].
* To represent the validity period of SD-JWT VCDM (i.e., cryptographic signature), `exp`/`nbf` Claims encoded as a UNIX timestamp (NumericDate) MUST be used, and not `expirationDate` and `issuanceDate` properties defined in [@!W3C.VCDM1.1], `validFrom` and `validTo` properties defined in [@!W3C.VCDM2.0].

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See:

iat is the time the token is issued, not the time at which the token is to be considered valid.

It's conceivable that a mismatch here would prevent use cases where I issue a credential now, that becomes active a day from now.

You could also say that for simplicity it is not possible to issue sd-jwt-vc with validity periods which exist in the future, and leave the current text, and resolve this comment.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could there be valid scenarios where exp, iat, nbf, validFrom, validTo all have different values?

Or is the idea that validFrom, validTo are ignored, just like this PR also proposes to ignore other VC properties?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

related eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework#160 (comment)

* `iss` Claim MUST represent the identifier of the `issuer` property, i.e., the `issuer` property value if `issuer` is a String, or the `id` property of the `issuer` object if `issuer` is an object. `issuer` property MUST be ignored if present.
* `status` Claim MUST represent `credentialStatus` property. `credentialStatus` property MUST be ignored if present.
* `sub` Claim MUST represent the `id` property of `credentialSubject` property. `credentialSubject` property MUST be ignored if present.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `sub` Claim MUST represent the `id` property of `credentialSubject` property. `credentialSubject` property MUST be ignored if present.
* `sub` Claim MUST represent the `id` property of `credentialSubject` property. `credentialSubject` property MUST be ignored if present. There is no support for the case where `credentialSubject` is an array.


IETF SD-JWT VC is extended with the following claims:

* `vcdm`: OPTIONAL. Contains properties defined in [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0] that are not represented by their counterpart JWT Claims as defined above.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is "vcdm" different from the good old "vc" claim?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I recommend removing the "vcdm" if the governance of the data model is well defined. (see my question on how to express claims from different vocabularies)

Copy link
Collaborator

@awoie awoie Jan 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The vcdm claim is there to allow JSON-LD processors to process the vcdm object which has to be a valid JSON-LD object in compact form. Some JSON-LD processors would have issues with terms that are not included in a context definition. There might be some SD-JWT and SD-JWT VC claims today or in the future that are not included and therefore cause issues. By encapsulating the JSON-LD stuff within vcdm, we guarantee this won't cause any issues. See my processing model suggestions https://github.com/openid/oid4vc-haip/pull/147/files#r1922554997.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By encapsulating the JSON-LD stuff within vcdm

Isn't that exactly the same reason why you introduced vc a few years ago? Why not re-use that?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess vc would be fine, but it is an IANA-registered claim that's defined for use in a different context. Might be okay to re-use though. vcdm would make it clear that this claim is to be used with the processing model in mind that @awoie describes in one of the other suggested changes.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If implementations had issues
a) what are the issues?
b) can we contact them and learn more about the issues?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think vc won't be used. It would be "vcdm": { VCDM 1.1 or VCDM 2.0 stuff }.

But @Sakurann said:

IANA reserved vc for w3c vcdm 1.1

Wouldn't there be a lot of ambiguity and interop problems if you define two different JWT claims that can be used for the same purpose (VCDM 1.1)?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see how that would be a problem. The SD-JWT VC DM wrapper is new and has to be implemented anyway; any claim name would work. What is important is what is in the vcdm claim.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any claim name would work

So are you saying if an Issuer wants to use VCDM 1.1 wrapped inside a JWT, they could use either the vc or vcdm claim, since both serve the same purpose? And would Verifiers also be expected to support both? Or pick one of the two?

Copy link

@danielfett danielfett Feb 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant to say that we can define any claim name here, without much impact on implementations. Whether they process vcdm, vc or foo doesn't matter. Of course we need to settle on one.

There may be a preference of one over the other for historic reasons, or because one has an existing IANA definition, or because one has clearer semantics, but other than that, it doesn't matter.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't do this.

Just let the claimset be defined as a JWT claimset.
And allow any properties that are not understood to be ignored.
Do not introduce a nested object, it breaks compatibility with the TR defined here:

https://www.w3.org/TR/vc-jose-cose/#securing-with-sd-jwt

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree with @OR13 , inserting one data model as a nested object inside another data model will lead to interop problems.


The following outlines a suggested non-normative processing steps for SD-JWT VCDM:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The following outlines a suggested non-normative processing steps for SD-JWT VCDM:
The following outlines a suggested non-normative set of processing steps for SD-JWT VCDM:


1. SD-JWT VC Processing:

- A receiver (holder or verifier) of an SD-JWT VCDM applies the processing rules outlined in Section 4 of [@!I-D.ietf-oauth-sd-jwt-vc], including verifying signatures, validity periods, status information, etc.
- If the `vct` value is associated with any SD-JWT VC Type Metadata, schema validation of the entire SD-JWT VCDM is performed, including the nested `vcdm` claim.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just say that when vct is present it overrides any application profile type specific processing that might have been implied by type as described in https://www.w3.org/TR/vc-data-model-2.0/#types

- Additionally, trust framework rules are applied, such as ensuring the issuer is authorized to issue SD-JWT VCDMs for the specified `vct` value.

2. Business Logic Processing:

- Once the SD-JWT VC is verified and trusted by the SD-JWT VC processor, and if the `vcdm` claim is present, the receiver extracts the VCDM (1.1 or 2.0) object from the `vcdm` claim and uses this for the business logic object. If the `vcdm` claim is not present, the entire SD-JWT VC is considered to represent the business logic object.
- The business logic object is then passed on for further use case-specific processing and validation. The business logic assumes that all security-critical functions (e.g., signature verification, trusted issuer) have already been performed during the previous step. Additional schema validation is applied if provided in the `vcdm` claim, e.g., to support SHACL schemas. Note that while a `vct` claim is required, SD-JWT VC type metadata resolution and related schema validation is optional in certain cases.

The following is a non-normative example of an unsecured payload of an SD-JWT VCDM, that is built using the example of unsecured payload in Section 3.3 of [@!I-D.ietf-oauth-sd-jwt-vc]:

```json
{
"vct": "https://credentials.example.com/identity_credential",
"vcdm": { //W3C VCDM 2.0 compliant claims
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"vcdm": { //W3C VCDM 2.0 compliant claims
"vcdm": { //W3C VCDM 2.0 or 1.1 compliant claims

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does this mean for:

IANA reserved vc for w3c vcdm 1.1

"@context": ["https://www.w3.org/ns/credentials/v2"],
"type": ["VerifiableCredential", "https://credentials.example.com/identity_credential"],
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be top level and relationship with vct must be explained

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are various options, see above, but it seems that only one is reasonable.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I disagree. See my question on data model governance: https://github.com/openid/oid4vc-haip/pull/147/files#r1922674086

Copy link
Collaborator

@awoie awoie Jan 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would remove the relationship between vct and type. We should acknowledge that the typing can be different. I assume that JSON-LD processors want their JSON-LD type system. To guarantee interop on the protocol level, e.g., query credentials in OID4VP, the vct value has to be used.

Suggested change
"type": ["VerifiableCredential", "https://credentials.example.com/identity_credential"],
"type": ["VerifiableCredential", "IdentityCredential"],

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means you could have a situation where you request a driver's license on the OID4VP level, but then receive a VC with a type of birth certificate?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To guarantee interop on the protocol level, e.g., query credentials in OID4VP, the vct value has to be used.

I always thought OID4VP supports different credential formats? Is it now getting more tightly coupled to SD-JWT VC?

Copy link
Collaborator

@awoie awoie Jan 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means you could have a situation where you request a driver's license on the OID4VP level, but then receive a VC with a type of birth certificate?

@peacekeeper It is the issuer's responsibility to avoid nonsensical situations like this. If the issuer is trusted, I'd assume this not going to happen and they would make sure that vct value and business logic object would align. For instance, this could be done via vct Type Metadata where the Type Metadata would say that for a given vct value the type property has to have certain values as well.

Copy link
Collaborator

@awoie awoie Jan 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I always thought OID4VP supports different credential formats? Is it now getting more tightly coupled to SD-JWT VC?

@peacekeeper It is not getting more tightly coupled. OID4VP does support any format. This PR is specifically about SD-JWT VCDM. Also note that this is the HAIP repository, not the OID4VP repository.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The goal is to have the selective disclosure capabilities of SD-JWT VC, but re-use existing data structures in W3C VCDM format. See the modified intro text: "SD-JWT VCDM credentials contain a data structure that can be processed using a JSON-LD processor after applying SD-JWT processing."

Copy link

@peacekeeper peacekeeper Jan 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The goal is to have the selective disclosure capabilities of SD-JWT VC, but re-use existing data structures in W3C VCDM format.

Apart from the fact that VCDM already supports selective disclosure using Data Integrity proofs (no SD-JWT needed), it ALSO supports securing VCDM with SD-JWT directly (no SD-JWT VC needed).

So why SD JWT VCDM?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So why SD JWT VCDM

If you asked me personally, one major advantage is that no JSON-LD is required whereas VCDM 2.0 requires the payload to be a valid JSON-LD object in compact form. It has more overhead and the idea is that while this should stay possible, it shouldn't be required. SD-JWT VCDM would allow for this.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@peacekeeper because SD-JWT VC does not cover several subjects like microcredentials, references to external formats. On other hand Selective Disclosure much easier as well as the subjects Olivermentioned. That's why SD-JWT VCDM needed. Also in context eIDAS. Recommend to focus on technical subjects here

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • base data format is JSON
  • if use cases want to use JSON-LD, JSON-LD should cover all the definitions needed to successfully process the data model (again, depending on for what purpose JSON-LD is used)
  • JSON-LD context MUST be treated as any referenced content in the data model (integrity protection, ability to share the data as unsigned payload); See related discussion: Data Integrity -> external resources w3c/vc-data-integrity#323 (comment)

Hence, I propose to remove the "VCDM" claim and the double-processing rules as it is creating confusion and repeating the error from the past.

"credentialSubject": {
"given_name": "John",
"family_name": "Doe",
Copy link

@OR13 OR13 Feb 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these terms are not defined in https://www.w3.org/ns/credentials/v2, so you either need to add another context to the top level, or leave them defined like this to highlight that the RDF part of JSON-LD rarely works.

The "correct" way to fix this is to put a second context in the claimset which you are intending to be well formed JSON-LD, like this:

  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://credentials.example.com/ns/credentials/examples/v2"
  ],

or

  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    { "@vocab": "https://schema.org/" }
  ],

For example: https://github.com/schemaorg/schemaorg/blob/9aa7bd2b51717bceb825a3ef551fca89016e1e1f/data/sdo-soso-dataset-examples.txt#L22

"email": "[email protected]",
"phone_number": "+1-202-555-0101",
"address": {
"street_address": "123 Main St",
"locality": "Anytown",
"region": "Anystate",
"country": "US"
},
"birthdate": "1940-01-01",
"is_over_18": true,
"is_over_21": true,
"is_over_65": true
}
}
}
```

The following is a non-normative example of how an unsecured payload of an SD-JWT VCDM above can be used for the SD-JWT:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still not sure this sentience makes sense but the "an"s here weren't helping.

Suggested change
The following is a non-normative example of how an unsecured payload of an SD-JWT VCDM above can be used for the SD-JWT:
The following is a non-normative example of how the unsecured payload of the SD-JWT VCDM above can be used for the SD-JWT:

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this sentence is trying to say:

The following is a non-normative example of how to secure "application/vc" with "application/dc+sd-jwt":


```json
{
"_sd": [
"vwUhdFvpylx9Sqi2YNBV1dfVK6lCbhXvkH0nThfKFT0"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realize it's just a "a non-normative example" but to my naïve little mind this implies that the vcdm claim is the only thing made selectively disclosable. And that doesn't make much sense to me.

],
"iss": "https://example.com/issuer",
"iat": 1683000000,
"exp": 1883000000,
"vct": "https://credentials.example.com/identity_credential",
"_sd_alg": "sha-256",
"cnf": {
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
"y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
}
}
}
```

# Crypto Suites

Issuers, holders and verifiers MUST support P-256 (secp256r1) as a key type with ES256 JWT algorithm for signing and signature validation whenever this profiles requires to do so:
@@ -398,19 +482,23 @@ Note: When using this profile with other cryptosuites, it is recommended to be e
</front>
</reference>

<reference anchor="VC-DATA" target="https://www.w3.org/TR/vc-data-model-2.0/">
<reference anchor="W3C.VCDM2.0" target="https://www.w3.org/TR/2025/CRD-vc-data-model-2.0-20250127/">
<front>
<title>Verifiable Credentials Data Model v2.0</title>
<author fullname="Manu Sporny">
<organization>Digital Bazaar</organization>
</author>
<author fullname="Dave Longley">
<organization>Digital Bazaar</organization>
</author>
<author fullname="David Chadwick">
<organization>Crossword Cybersecurity PLC</organization>
</author>
<date day="4" month="May" year="2023"/>
<author fullname="Manu Sporny"/>
<author fullname="Dave Longley"/>
<author fullname="David Chadwick"/>
<date day="27" month="January" year="2025"/>
</front>
</reference>

<reference anchor="W3C.VCDM1.1" target="https://www.w3.org/TR/vc-data-model-1.1/">
<front>
<title>Verifiable Credentials Data Model v1.1</title>
<author fullname="Manu Sporny"/>
<author fullname="Dave Longley"/>
<author fullname="David Chadwick"/>
<date day="3" month="March" year="2022"/>
</front>
</reference>

@@ -434,6 +522,10 @@ The technology described in this specification was made available from contribut

[[ To be removed from the final specification ]]

-03

* Add SD-JWT VCDM

-02

* Mandate DCQL instead of presentation exchange