
`vct` matching in credential queries

Open danielfett opened this issue 1 year ago • 4 comments

This comment highlighted a problem that we have not addressed explicitly in OpenID4VP yet:

The hierarchy idea behind VCTs doesn't translate well into presentation exchange. PE does string matching, but with SD-JWT VC, what we want is that a request for (or offer of) a credential of type X can lead to a response containing type Y if Y inherits from X. PE only does string matching, which is not sufficient here. For the new query language, this can be solved easily - it would just be defined that way for the format vc+sd-jwt.

Another way could be to define this as a processing rule within the SD-JWT VC.

danielfett avatar Jun 12 '24 12:06 danielfett

> Another way could be to define this as a processing rule within the SD-JWT VC.

I think this is also what was done for ISO mdocs. I would be fine with this.

awoie avatar Jun 12 '24 13:06 awoie

> > Another way could be to define this as a processing rule within the SD-JWT VC.
>
> I think this is also what was done for ISO mdocs. I would be fine with this.

+1 to Oliver.

Sakurann avatar Jun 13 '24 15:06 Sakurann

> > > Another way could be to define this as a processing rule within the SD-JWT VC.
> >
> > I think this is also what was done for ISO mdocs. I would be fine with this.
>
> +1 to Oliver.

Sounds reasonable; +1

c2bo avatar Jun 17 '24 07:06 c2bo

Just for information to any reader of this issue. The latest released OID4VP draft 21 (dated 2024-08-09) contains a new section B.4. IETF SD-JWT VC that presents in subsection B.4.3. Presentation Request an example of a presentation definition that a relying party/verifier uses to select a credential having a specific vct claim value:

{
  ...
  "input_descriptors": [
    {
      ...
      "constraints": {
        ...
        "fields": [
          {
            "path": ["$.vct"],
            "filter": {
              "type": "string",
              "const": "https://credentials.example.com/identity_credential"
            }
          },
          ...
        ]
      }
    }
  ]
}

Such vct claim matching makes the credential request bound to a specific issuer, and via the digest in the vct#integrity claim bound to a specific version of the issuer's SD-JWT VC Type Metadata document.

joelposti avatar Sep 02 '24 12:09 joelposti
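As an added example (not from the issue, the OpenID4VP draft or any implementation), the two matching rules side by side: PE's exact `const` match on `$.vct` as in the Draft 21 fragment above, versus a hierarchy-aware match that walks the SD-JWT VC Type Metadata `extends` chain. The Type Metadata documents and the `eu_pid` child type are constructed sample data; the bounded, cycle-checked walk is a verifier-side safeguard against a broken or hostile metadata chain.

```python
import json

# Constructed SD-JWT VC Type Metadata documents keyed by vct (sample data).
# Assumption: the Type Metadata "extends" field names the parent vct.
IDENTITY = "https://credentials.example.com/identity_credential"
EU_PID = "https://credentials.example.com/eu_pid"
LOOP_A = "https://credentials.example.com/loop_a"
LOOP_B = "https://credentials.example.com/loop_b"
TYPE_METADATA = {
    IDENTITY: {"vct": IDENTITY},
    EU_PID: {"vct": EU_PID, "extends": IDENTITY},
    LOOP_A: {"vct": LOOP_A, "extends": LOOP_B},   # deliberately malformed
    LOOP_B: {"vct": LOOP_B, "extends": LOOP_A},   # chain: a -> b -> a
}

# The Draft 21 B.4.3 fragment quoted above, with the elided parts filled in
# just enough to parse (ids are placeholders).
PRESENTATION_DEFINITION = json.loads("""{
  "id": "pd-example",
  "input_descriptors": [{
    "id": "identity-credential",
    "constraints": {"fields": [{
      "path": ["$.vct"],
      "filter": {"type": "string",
                 "const": "https://credentials.example.com/identity_credential"}
    }]}
  }]
}""")

def requested_vcts(pd):
    """Collect every const value a PE definition puts on the $.vct path."""
    return [f["filter"]["const"]
            for d in pd["input_descriptors"]
            for f in d.get("constraints", {}).get("fields", [])
            if "$.vct" in f.get("path", []) and "const" in f.get("filter", {})]

def vct_chain(vct, metadata, max_depth=8):
    """Walk vct -> extends -> ... up to the root type. Bounded and
    cycle-checked so a looping or endless metadata chain cannot hang the
    verifier; an unknown vct simply terminates the chain."""
    chain, cur = [], vct
    while cur is not None:
        if cur in chain or len(chain) >= max_depth:
            raise ValueError(f"invalid type metadata chain at {cur}")
        chain.append(cur)
        cur = metadata.get(cur, {}).get("extends")
    return chain

def pe_string_match(credential_vct, requested):
    """What PE's const filter does today: exact string equality only."""
    return credential_vct == requested

def hierarchy_match(credential_vct, requested, metadata):
    """What the issue asks for: Y satisfies a request for X if Y is X or
    inherits from X anywhere along its Type Metadata chain."""
    return requested in vct_chain(credential_vct, metadata)
```

With the sample data, a credential of type `eu_pid` fails `pe_string_match` against the request for `identity_credential` but passes `hierarchy_match`; the `loop_a` credential is rejected with a `ValueError` instead of looping.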