openid
Support for mdoc ZKP requests
As part of amendment 2 to 18013-5, a mechanism is being added to allow requesting, and returning responses using a ZKP proof system.
As DeviceResponse is returned as-is in VP, this is a feature request to extend DQCL to support asking for a zk proof of an mdoc.
There are two potential approaches:
- Create a new format mso-zkp, and define metadata to specify the ZkSystemSpec.
- Add additional metadata option to mso-mdoc, which indicates it returns a zkp proof.
IMO, the former is cleaner and composes better with the existing spec.
I've been thinking about this for a while and my current point of view would be this:
Given that the current ZKP proposal for mdoc is a layered approach where you have a proof system with a specific circuit that is applied to existing credential formats, I do believe a dedicated format per proof system is the best option to cleanly implement this.
the meta parameter for this proof type would then basically carry 2 layers of information:
- Information necessary for the proof type (e.g., circuit selection etc)
- Information necessary for the underlying credential (e.g., doctype for mdoc)
I think the biggest challenge introducing the full feature set of ZKPs into OpenID4VP will be on the query language side - since those proof systems can offer a lot more than "just" selecting sub-parts of a credential. I think we can solve most of those dcql extensions in a general fashion (e.g., predicate proofs, designated verifier proofs, issuer hiding), but some of them might require information that is special to that specific proof system -> I don't think we should overload that into existing credential formats but de-couple it into its own format.
