
Specify relationship between vct in sd-jwt vc and type in ld payload

Open tlodderstedt opened this issue 7 months ago • 6 comments

The relationship between 'vct' and 'type' is currently unspecified. I think it makes sense to specify that the 'vct' value should be one of the values in the 'type' array. In my observation, there is typically one main type in this array; the respective value could be used in vct.

tlodderstedt avatar Apr 18 '25 08:04 tlodderstedt

Suggested text: "vct and type coexist, but vct MUST be set to one value in the type array."

tlodderstedt avatar Apr 18 '25 08:04 tlodderstedt

I don't agree with the proposal. I think we thought about it and said that sd-jwt vc must define its own vct that governs the payload outside the "ld" claim and the presence of the "ld" claim; and the type value governs claims inside the "ld" claim. So I don't see the need for vct to be one of the type values, and the current situation is ok IMO.

Sakurann avatar Apr 23 '25 20:04 Sakurann

> I don't agree with the proposal. I think we thought about it and said that sd-jwt vc must define its own vct that governs the payload outside the "ld" claim and the presence of the "ld" claim; and the type value governs claims inside the "ld" claim. So I don't see the need for vct to be one of the type values, and the current situation is ok IMO.

While I get this theoretically, can you think of any use cases that would benefit from this flexibility? I can't really, and if that's the case I'd prefer Torsten's proposal where we do force one of the types in the ld payload to be the vct. The risk of not doing this is that we make querying these credentials via DCQL much harder IMO.

tplooker avatar Apr 23 '25 21:04 tplooker

> The risk of not doing this is that we make querying these credentials via DCQL much harder IMO.

That's true. If we do this, I think we should also add a sentence that when sd-jwt vcld is used, all user claims must be obtained from the ld object. My comment is based on the assumption that there is a world where even in sd-jwt vcld, user claims can be obtained from the sd-jwt vc payload, not necessarily ld claims, which I thought we agreed we do not want to prevent yet. But if we are ready to remove that option, that's fine (chair hat off).

Also, @javereec made a good point that allowing vct to be one of the type values potentially changes the processing rules: all sd-jwt verifiers would need to look first whether the ld claim is present and look into vct only after that.

Sakurann avatar Apr 24 '25 07:04 Sakurann
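To make the two positions above concrete, here is an added example (not code from the issue thread, the OpenID4VP project, or the SD-JWT VC specs) that implements the proposed rule "vct MUST be one value in the type array" as a verifier-side check, in the processing order @javereec's point implies: look for the `ld` claim first, then compare `vct`. The payload layout (a top-level `vct` claim and an `ld` object carrying a JSON-LD `type` array) is an assumption for illustration; the payloads are constructed.

```python
# Added example, not from the issue thread or any specification.
# Assumed payload shape: {"vct": str, "ld": {"type": [str, ...], ...}, ...}
import json


def ld_type_list(payload: dict) -> list:
    """Return the JSON-LD 'type' of the 'ld' object as a list.

    JSON-LD allows 'type' to be a single string or an array; normalise both.
    Returns [] when 'ld' is missing or not an object.
    """
    ld = payload.get("ld")
    if not isinstance(ld, dict):
        return []
    t = ld.get("type", [])
    return [t] if isinstance(t, str) else list(t)


def vct_matches_ld_type(payload: dict):
    """Evaluate the proposed rule 'vct MUST be one value in the type array'.

    Processing order follows the caveat raised in the thread: check whether an
    'ld' claim is present first; only then compare 'vct' against its types.
    Returns None when there is no 'ld' claim (rule not applicable),
    True when vct is one of the ld types, False otherwise.
    """
    if "ld" not in payload:
        return None
    return payload.get("vct") in ld_type_list(payload)


# Constructed sample payloads (not real credentials).
CONFORMING = json.loads("""
{"iss": "https://issuer.example", "vct": "ExampleCredential",
 "ld": {"@context": ["https://www.w3.org/ns/credentials/v2"],
        "type": ["VerifiableCredential", "ExampleCredential"],
        "credentialSubject": {"id": "did:example:holder"}}}
""")

MISMATCH = json.loads("""
{"iss": "https://issuer.example", "vct": "https://issuer.example/vct/other",
 "ld": {"type": ["VerifiableCredential", "ExampleCredential"]}}
""")

PLAIN_SD_JWT_VC = json.loads("""
{"iss": "https://issuer.example", "vct": "https://issuer.example/vct/plain",
 "given_name": "Alice"}
""")


if __name__ == "__main__":
    for name, p in [("conforming", CONFORMING), ("mismatch", MISMATCH),
                    ("no ld claim", PLAIN_SD_JWT_VC)]:
        print(f"{name}: {vct_matches_ld_type(p)}")
```

A verifier that wants to query by `vct` alone (the DCQL concern raised above) benefits from `vct_matches_ld_type` returning `True` for every conforming credential, because the `vct` value then also identifies the JSON-LD type; a verifier that follows the "keep it unspecified" outcome must instead treat `None` and `False` as equally valid and inspect `ld.type` separately.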

Asia WG call discussion: not blocking starting the 60-day review. This can also be added as an extension; it's not a breaking change.

Sakurann avatar Apr 24 '25 07:04 Sakurann

WG discussion:

  • keep it unspecified closing in a week unless objections

Sakurann avatar May 08 '25 12:05 Sakurann

Closing as it's been 3 weeks since Kristina's "closing in a week unless objections" comment.

jogu avatar May 31 '25 12:05 jogu