OpenID4VP
`vct` matching in credential queries
This comment highlighted a problem that we have not addressed explicitly in OpenID4VP yet:
The hierarchy idea behind VCTs doesn't translate well into presentation exchange. PE does string matching, but with SD-JWT VC, what we want is that a request for (or offer of) a credential of type X can lead to a response containing type Y if Y inherits from X. PE only does string matching, which is not sufficient here. For the new query language, this can be solved easily - it would just be defined that way for the format vc+sd-jwt.
Another way could be to define this as a processing rule within the SD-JWT VC.
I think this is also what was done for ISO mdocs. I would be fine with this.
+1 to Oliver.
Sounds reasonable; +1
Just for information to any reader of this issue. The latest released OID4VP draft 21 (dated 2024-08-09) contains a new section B.4. IETF SD-JWT VC that presents in subsection B.4.3. Presentation Request an example of a presentation definition that a relying party/verifier uses to select a credential having a specific vct claim value:
{
  ...
  "input_descriptors": [
    {
      ...
      "constraints": {
        ...
        "fields": [
          {
            "path": ["$.vct"],
            "filter": {
              "type": "string",
              "const": "https://credentials.example.com/identity_credential"
            }
          },
          ...
        ]
      }
    }
  ]
}
Such vct claim matching makes the credential request bound to a specific issuer and, via the digest in the vct#integrity claim, bound to a specific version of the issuer's SD-JWT VC Type Metadata document.
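The difference the thread is about, as an added example that is not part of the issue or of the OpenID4VP draft: a Presentation Exchange `const` filter compares the `vct` string exactly, whereas a hierarchy-aware match walks the credential's type up through its SD-JWT VC Type Metadata until it reaches the requested type. The type metadata documents below are constructed samples held in a local dict (assumed already fetched and integrity-checked via `vct#integrity` / `extends#integrity`); the `extends` field is taken from the SD-JWT VC Type Metadata draft.

```python
# Constructed sample SD-JWT VC Type Metadata documents, keyed by their vct.
# A document may name its parent type in "extends". Only metadata whose digest
# matched the vct#integrity / extends#integrity value should ever land here.
TYPE_METADATA = {
    "https://credentials.example.com/identity_credential": {
        "vct": "https://credentials.example.com/identity_credential",
    },
    "https://credentials.example.com/pid": {
        "vct": "https://credentials.example.com/pid",
        "extends": "https://credentials.example.com/identity_credential",
    },
    "https://credentials.example.com/loyalty_card": {
        "vct": "https://credentials.example.com/loyalty_card",
    },
}

def pe_const_match(requested_vct: str, credential_vct: str) -> bool:
    """Presentation Exchange 'const' filter semantics: exact string equality."""
    return requested_vct == credential_vct

def vct_chain(vct: str, metadata: dict, max_depth: int = 16) -> list:
    """Return [vct, parent, grandparent, ...] by following 'extends'.
    Stops at an unknown type, on a cycle, or after max_depth hops so that
    hostile or broken metadata cannot make the wallet loop forever."""
    chain, seen, cur = [], set(), vct
    while cur is not None and cur not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add(cur)
        cur = metadata.get(cur, {}).get("extends")
    return chain

def hierarchical_match(requested_vct: str, credential_vct: str, metadata: dict) -> bool:
    """True if the credential's type is, or transitively extends, the requested type.
    The reverse direction is deliberately not accepted: asking for a child type
    must not be satisfied by a credential of the parent type."""
    return requested_vct in vct_chain(credential_vct, metadata)

def select_credentials(requested_vct: str, credentials: list, metadata: dict) -> list:
    """Wallet-side selection of candidate credentials for a request (hypothetical helper)."""
    return [c for c in credentials if hierarchical_match(requested_vct, c["vct"], metadata)]

if __name__ == "__main__":
    wallet = [{"vct": v} for v in TYPE_METADATA]
    req = "https://credentials.example.com/identity_credential"
    print([c["vct"] for c in select_credentials(req, wallet, TYPE_METADATA)])
```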