From f4a0d734de6a3dbe424551f9c4963867df062854 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 7 Feb 2025 14:45:08 +0100 Subject: [PATCH 1/7] fix: made type and values for credential_signing_alg_values_supported format specific and introduced credential_signing_crv_values_supported for mdocs --- ...id-4-verifiable-credential-issuance-1_0.md | 29 ++++++++++++++----- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 289c5013..b54e4d9f 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -960,7 +960,7 @@ The Credential Issuer MUST validate that the JWT used as a proof is actually sig The Credential Issuer SHOULD issue a Credential for each cryptographic public key specified in the `attested_keys` claim within the `key_attestation` parameter. -Cryptographic algorithm names used in the `proof_signing_alg_values_supported` Credential Issuer metadata parameter for this proof type SHOULD be one of those defined in [@IANA.JOSE]. +Cryptographic algorithm names used in the `proof_signing_alg_values_supported` Credential Issuer metadata parameter for this proof type are case sensitive strings and SHOULD be one of those defined in [@IANA.JOSE]. Below is a non-normative example of a `proof` parameter (with line breaks within values for display purposes only): 
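Review bot: "SHOULD be one of those defined in [@IANA.JOSE]" in the @@ -960 hunk leaves the allowed set wider than intended, because the JOSE algorithms registry also holds key-management and content-encryption algorithms and the JWS entry `none`. The `jwt_vc_json` hunk later in this patch already narrows this to "JWS algorithm names defined in [@IANA.JOSE]"; use the same wording here, and add that `none` MUST NOT appear in `proof_signing_alg_values_supported` (nor in `credential_signing_alg_values_supported`), so no implementation can read the metadata as permitting an unsigned proof or Credential.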
@@ -1447,9 +1447,9 @@ This specification defines the following Credential Issuer Metadata parameters: * `format`: REQUIRED. A JSON string identifying the format of this Credential, i.e., `jwt_vc_json` or `ldp_vc`. Depending on the format value, the object contains further elements defining the type and (optionally) particular claims the Credential MAY contain and information about how to display the Credential. (#format-profiles) contains Credential Format Profiles introduced by this specification. * `scope`: OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. The value can be the same across multiple `credential_configurations_supported` objects. The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. The Wallet can use this value in the Authorization Request as defined in (#credential-request-using-type-specific-scope). Scope values in this Credential Issuer metadata MAY duplicate those in the `scopes_supported` parameter of the Authorization Server. * `cryptographic_binding_methods_supported`: OPTIONAL. Array of case sensitive strings that identify the representation of the cryptographic key material that the issued Credential is bound to, as defined in (#credential-binding). Support for keys in JWK format [@!RFC7517] is indicated by the value `jwk`. Support for keys expressed as a COSE Key object [@!RFC8152] (for example, used in [@!ISO.18013-5]) is indicated by the value `cose_key`. When the Cryptographic Binding Method is a DID, valid values are a `did:` prefix followed by a method-name using a syntax as defined in Section 3.1 of [@!DID-Core], but without a `:`and method-specific-id. For example, support for the DID method with a method-name "example" would be represented by `did:example`. - * `credential_signing_alg_values_supported`: OPTIONAL. 
Array of case sensitive strings that identify the algorithms that the Issuer uses to sign the issued Credential. Algorithm names used are determined by the Credential Format and are defined in (#format-profiles). + * `credential_signing_alg_values_supported`: OPTIONAL. Array of algorithm identifiers that the Issuer uses to sign the issued Credential. Algorithm identifier types and values used are determined by the Credential Format and are defined in (#format-profiles). * `proof_types_supported`: OPTIONAL. Object that describes specifics of the key proof(s) that the Credential Issuer supports. This object contains a list of name/value pairs, where each name is a unique identifier of the supported proof type(s). Valid values are defined in (#proof-types), other values MAY be used. This identifier is also used by the Wallet in the Credential Request as defined in (#credential-request). The value in the name/value pair is an object that contains metadata about the key proof and contains the following parameters defined by this specification: - * `proof_signing_alg_values_supported`: REQUIRED. Array of case sensitive strings that identify the algorithms that the Issuer supports for this proof type. The Wallet uses one of them to sign the proof. Algorithm names used are determined by the key proof type and are defined in (#proof-types). + * `proof_signing_alg_values_supported`: REQUIRED. Array of algorithm identifiers that the Issuer supports for this proof type. The Wallet uses one of them to sign the proof. Algorithm identifier types and values are determined by the key proof type and are defined in (#proof-types). * `key_attestations_required`: OPTIONAL. Object that describes the requirement for key attestations as described in (#keyattestation), which the Credential Issuer expects the Wallet to send within the proof of the Credential Request. If the Credential Issuer does not require a key attestation, this parameter MUST NOT be present in the metadata. 
If both `key_storage` and `user_authentication` parameters are absent, the `key_attestations_required` parameter may be empty, indicating a key attestation is needed without additional constraints. * `key_storage`: OPTIONAL. Array defining values specified in (#keyattestation-apr) accepted by the Credential Issuer. * `user_authentication`: OPTIONAL. Array defining values specified in (#keyattestation-apr) accepted by the Credential Issuer. @@ -1922,6 +1922,15 @@ regulation), the Credential Issuer should properly authenticate the Wallet and e + + + CBOR Object Signing and Encryption (COSE) + + IANA + + + + OpenID for Verifiable Presentations @@ -2074,7 +2083,7 @@ When the `format` value is `jwt_vc_json`, the entire Credential Offer, Authoriza #### Credential Issuer Metadata {#server-metadata-jwt-vc-json} -Cryptographic algorithm names used in the `credential_signing_alg_values_supported` parameter SHOULD be one of those defined in [@IANA.JOSE]. +Cryptographic algorithm identifiers used in the `credential_signing_alg_values_supported` parameter are case sensitive strings and SHOULD be one of those JWS algorithm names defined in [@IANA.JOSE]. The following additional Credential Issuer metadata parameters are defined for this Credential Format for use in the `credential_configurations_supported` parameter, in addition to those defined in (#credential-issuer-parameters). 
@@ -2124,7 +2133,7 @@ Note: Data Integrity used to be called Linked Data Proofs, hence the "ldp" in th #### Credential Issuer Metadata {#server-metadata-ldp-vc} -Cryptographic algorithm names used in the `credential_signing_alg_values_supported` parameter SHOULD be one of those defined in [@LD_Suite_Registry]. +Cryptographic algorithm identifiers used in the `credential_signing_alg_values_supported` parameter are case sensitive strings and SHOULD be one of those signature suite identifiers defined in [@LD_Suite_Registry]. The following additional Credential Issuer metadata parameters are defined for this Credential Format for use in the `credential_configurations_supported` parameter, in addition to those defined in (#credential-issuer-parameters): 
@@ -2190,12 +2199,14 @@ The Credential Format Identifier is `mso_mdoc`. This refers to the Mobile Securi ### Credential Issuer Metadata {#server-metadata-mso-mdoc} -Cryptographic algorithm names used in the `credential_signing_alg_values_supported` parameter SHOULD be one of those defined in [@!ISO.18013-5]. +Cryptographic algorithm identifiers used in the `credential_signing_alg_values_supported` parameter are numeric values and SHOULD be one of those COSE algorithm values defined in [@IANA.COSE]. The following additional Credential Issuer metadata parameters are defined for this Credential Format for use in the `credential_configurations_supported` parameter, in addition to those defined in (#credential-issuer-parameters). * `doctype`: REQUIRED. String identifying the Credential type, as defined in [@!ISO.18013-5]. * `claims`: OPTIONAL. An array of claims description objects as defined in (#claims-description-issuer-metadata). +* `credential_signing_crv_values_supported`: OPTIONAL. Array of cryptographic curve identifiers that the Issuer uses with one of the algorithms listed in `credential_signing_alg_values_supported` to sign the issued Credential. Curve identifier types and values used are numeric values and SHOULD be one of those in COSE eliptic curve values defined in [@IANA.COSE]. Note that `credential_signing_crv_values_supported` MAY be used if one of the algorithms in `credential_signing_alg_values_supported` supports multiple curves. + The following is a non-normative example of an object containing the `credential_configurations_supported` parameter for Credential Format `mso_mdoc`: 
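Review bot: two points on the `mso_mdoc` Credential Issuer Metadata hunk. First, the replaced sentence tied `credential_signing_alg_values_supported` to the algorithms defined in [@!ISO.18013-5], while the new sentence points at the whole COSE Algorithms registry in [@IANA.COSE], which also lists MAC and content-encryption algorithms that cannot produce an MSO signature; say "COSE signature algorithm values" and keep the pointer to [@!ISO.18013-5] for the values an mdoc Issuer is expected to use. Second, in the new `credential_signing_crv_values_supported` bullet "eliptic" should read "elliptic" and "Curve identifier types and values used are numeric values" can be tightened to "Curve identifiers are numeric values"; since a flat curve array cannot express which curve belongs to which algorithm, add a sentence stating that every listed curve is claimed for each listed algorithm that accepts it (or nest the curves per algorithm), otherwise a Wallet cannot tell which key types the Issuer will actually sign with.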
@@ -2230,7 +2241,7 @@ The Credential Format Identifier is `dc+sd-jwt`. ### Credential Issuer Metadata {#server-metadata-sd-jwt-vc} -Cryptographic algorithm names used in the `credential_signing_alg_values_supported` parameter SHOULD be one of those defined in [@IANA.JOSE]. +Cryptographic algorithm identifiers used in the `credential_signing_alg_values_supported` parameter are case sensitive strings and SHOULD be one of those JWS algorithm names defined in [@IANA.JOSE]. The following additional Credential Issuer metadata parameters are defined for this Credential Format for use in the `credential_configurations_supported` parameter, in addition to those defined in (#credential-issuer-parameters). @@ -2756,7 +2767,9 @@ The technology described in this specification was made available from contribut -16 - * + * made type and values for credential_signing_alg_values_supported format specific + * change algorithm identifiers for credential_signing_alg_values_supported to COSE algorithm values for mdocs + * add credential_signing_crv_values_supported to mdoc format -15 From 56dc1169796e4bfbb54fd52785073e57e11bdc0b Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 7 Feb 2025 14:46:36 +0100 Subject: [PATCH 2/7] fix: fixed typo --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index b54e4d9f..b918eb94 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -2767,7 +2767,7 @@ The technology described in this specification was made available from contribut -16 - * made type and values for credential_signing_alg_values_supported format specific + * make type and values for credential_signing_alg_values_supported format specific * change algorithm identifiers for credential_signing_alg_values_supported to COSE algorithm values for mdocs * add credential_signing_crv_values_supported to mdoc format From b18cb5d2e65a3036728e8053fddeeedb197506e0 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 7 Feb 2025 14:51:31 +0100 Subject: [PATCH 3/7] fix: updated metadata example for mdocs --- .DS_Store | Bin 0 -> 6148 bytes examples/credential_metadata_mso_mdoc.json | 5 ++++- 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..17dcf883ba6757559ce8c48db7f982e140fcd7c6 GIT binary patch literal 6148 zcmeHK-AcnS6i&A3GKR1V1-%P+JFt^Y7~YgRU%-l9sLYlPEq2XVJ1dMq@AZXz5ue9% zl1v;^@Jhs;11Dc{ej4(nojHC>CBsQ*6Oqlo3h((&*wFfEZXK2J8_i>T9%SS}HL>4E&4%JRc+|qHD1*sE-b4@cM}U3L*;h@hyQU zExHy9gWv(-CKb@6a{I*KCLQe3#<>;?gC?DEJu`gA&dlu#h3nbDE_FELu0d*v0b*d8 zfwCDku>PNZ|NdW2q7gAb4E!qwc%|p}JXn>t*SeS}Q?sK~XTSF!+%I9bJkc7EAFi bs1~qG>;SqJ3xi+*p^Jc~ff{1qR~dK*imXjq literal 0 HcmV?d00001 diff --git a/examples/credential_metadata_mso_mdoc.json b/examples/credential_metadata_mso_mdoc.json index 1f8923b1..ab63e05d 100644 --- a/examples/credential_metadata_mso_mdoc.json +++ b/examples/credential_metadata_mso_mdoc.json @@ -7,7 +7,10 @@ "cose_key" ], "credential_signing_alg_values_supported": [ - "ES256", "ES384", "ES512" + -7, -8 + ], + "credential_signing_crv_values_supported": [ + 1, 2, 3, 256, 257, 258, 259, 6, 7 ], "display": [ { From 30f6af2d72980be87b5face13982a7495873e93b Mon Sep 17 00:00:00 2001 
From: Oliver Terbu Date: Fri, 7 Feb 2025 14:52:18 +0100 Subject: [PATCH 4/7] fix: removed .DS_Store --- .DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 17dcf883ba6757559ce8c48db7f982e140fcd7c6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHK-AcnS6i&A3GKR1V1-%P+JFt^Y7~YgRU%-l9sLYlPEq2XVJ1dMq@AZXz5ue9% zl1v;^@Jhs;11Dc{ej4(nojHC>CBsQ*6Oqlo3h((&*wFfEZXK2J8_i>T9%SS}HL>4E&4%JRc+|qHD1*sE-b4@cM}U3L*;h@hyQU zExHy9gWv(-CKb@6a{I*KCLQe3#<>;?gC?DEJu`gA&dlu#h3nbDE_FELu0d*v0b*d8 zfwCDku>PNZ|NdW2q7gAb4E!qwc%|p}JXn>t*SeS}Q?sK~XTSF!+%I9bJkc7EAFi bs1~qG>;SqJ3xi+*p^Jc~ff{1qR~dK*imXjq From 3794c612caf07c8d0a85d715ca944f593e3b8d77 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 7 Feb 2025 15:00:07 +0100 Subject: [PATCH 5/7] fix: improved language --- openid-4-verifiable-credential-issuance-1_0.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index b918eb94..28ba5341 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -960,7 +960,7 @@ The Credential Issuer MUST validate that the JWT used as a proof is actually sig The Credential Issuer SHOULD issue a Credential for each cryptographic public key specified in the `attested_keys` claim within the `key_attestation` parameter. -Cryptographic algorithm names used in the `proof_signing_alg_values_supported` Credential Issuer metadata parameter for this proof type are case sensitive strings and SHOULD be one of those defined in [@IANA.JOSE]. +Cryptographic algorithm identifiers used in the `proof_signing_alg_values_supported` Credential Issuer metadata parameter for this proof type are case sensitive strings and SHOULD be one of those defined in [@IANA.JOSE]. Below is a non-normative example of a `proof` parameter (with line breaks within values for display purposes only): @@ -1025,7 +1025,7 @@ When a W3C Verifiable Presentation as defined by [@VC_DATA_2.0] or [@VC_DATA] si The Credential Issuer MUST validate that the W3C Verifiable Presentation used as a proof is actually signed with a key in the possession of the Holder. -Cryptographic algorithm names used in the `proof_signing_alg_values_supported` Credential Issuer metadata parameter for this proof type SHOULD be one of those defined in [@LD_Suite_Registry]. +Cryptographic algorithm identifiers used in the `proof_signing_alg_values_supported` Credential Issuer metadata parameter for this proof type are case sensitive strings and SHOULD be one of those signature suite identifiers defined in [@LD_Suite_Registry]. Below is a non-normative example of a `proof` parameter: From 40061fb61d8c7757acfef05484895461192d94f4 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 7 Feb 2025 15:03:20 +0100 Subject: [PATCH 6/7] fix: editorial fix --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 28ba5341..77e103cd 100644 
--- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -1449,7 +1449,7 @@ This specification defines the following Credential Issuer Metadata parameters: * `cryptographic_binding_methods_supported`: OPTIONAL. Array of case sensitive strings that identify the representation of the cryptographic key material that the issued Credential is bound to, as defined in (#credential-binding). Support for keys in JWK format [@!RFC7517] is indicated by the value `jwk`. Support for keys expressed as a COSE Key object [@!RFC8152] (for example, used in [@!ISO.18013-5]) is indicated by the value `cose_key`. When the Cryptographic Binding Method is a DID, valid values are a `did:` prefix followed by a method-name using a syntax as defined in Section 3.1 of [@!DID-Core], but without a `:`and method-specific-id. For example, support for the DID method with a method-name "example" would be represented by `did:example`. * `credential_signing_alg_values_supported`: OPTIONAL. Array of algorithm identifiers that the Issuer uses to sign the issued Credential. Algorithm identifier types and values used are determined by the Credential Format and are defined in (#format-profiles). * `proof_types_supported`: OPTIONAL. Object that describes specifics of the key proof(s) that the Credential Issuer supports. This object contains a list of name/value pairs, where each name is a unique identifier of the supported proof type(s). Valid values are defined in (#proof-types), other values MAY be used. This identifier is also used by the Wallet in the Credential Request as defined in (#credential-request). The value in the name/value pair is an object that contains metadata about the key proof and contains the following parameters defined by this specification: - * `proof_signing_alg_values_supported`: REQUIRED. Array of algorithm identifiers that the Issuer supports for this proof type. The Wallet uses one of them to sign the proof. Algorithm identifier types and values are determined by the key proof type and are defined in (#proof-types). 
+ * `proof_signing_alg_values_supported`: REQUIRED. Array of algorithm identifiers that the Issuer supports for key proofs. The Wallet uses one of them to sign the proof. Algorithm identifier types and values are determined by the key proof type and are defined in (#proof-types). * `key_attestations_required`: OPTIONAL. Object that describes the requirement for key attestations as described in (#keyattestation), which the Credential Issuer expects the Wallet to send within the proof of the Credential Request. If the Credential Issuer does not require a key attestation, this parameter MUST NOT be present in the metadata. If both `key_storage` and `user_authentication` parameters are absent, the `key_attestations_required` parameter may be empty, indicating a key attestation is needed without additional constraints. * `key_storage`: OPTIONAL. Array defining values specified in (#keyattestation-apr) accepted by the Credential Issuer. * `user_authentication`: OPTIONAL. Array defining values specified in (#keyattestation-apr) accepted by the Credential Issuer. From 7d026a17cb93b2041a320787003e75e11865e545 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 7 Feb 2025 15:06:09 +0100 Subject: [PATCH 7/7] fix: editrial fix --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 77e103cd..920d2bcc 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -2205,7 +2205,7 @@ The following additional Credential Issuer metadata parameters are defined for t * `doctype`: REQUIRED. String identifying the Credential type, as defined in [@!ISO.18013-5]. * `claims`: OPTIONAL. An array of claims description objects as defined in (#claims-description-issuer-metadata). -* `credential_signing_crv_values_supported`: OPTIONAL. Array of cryptographic curve identifiers that the Issuer uses with one of the algorithms listed in `credential_signing_alg_values_supported` to sign the issued Credential. Curve identifier types and values used are numeric values and SHOULD be one of those in COSE eliptic curve values defined in [@IANA.COSE]. Note that `credential_signing_crv_values_supported` MAY be used if one of the algorithms in `credential_signing_alg_values_supported` supports multiple curves. +* `credential_signing_crv_values_supported`: OPTIONAL. Array of cryptographic curve identifiers that the Issuer uses with one of the algorithms listed in `credential_signing_alg_values_supported` to sign the issued Credential. Curve identifier types and values used are numeric values and SHOULD be one of those COSE eliptic curve values defined in [@IANA.COSE]. Note that `credential_signing_crv_values_supported` MAY be used if one of the algorithms in `credential_signing_alg_values_supported` supports multiple curves. The following is a non-normative example of an object containing the `credential_configurations_supported` parameter for Credential Format `mso_mdoc`:
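Review bot: the `examples/credential_metadata_mso_mdoc.json` hunk in patch 3 removes `ES384` and `ES512` but keeps the P-384 and P-521 curve values (`2`, `3`) in `credential_signing_crv_values_supported`, leaving `-7` (ES256) as the only ECDSA algorithm; RFC 9053 suggests using SHA-256 only with P-256, so either restore the larger ECDSA algorithms as `-35` and `-36` or reduce the curve list to values that pair with a listed algorithm (`1` for `-7`; `6` and `7` for `-8` EdDSA). An example that advertises curves no listed algorithm can use is the first thing implementers will copy.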
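Review bot: the `.DS_Store` hunk in patch 3 commits a 6148-byte binary that patch 4 then deletes; squash patches 3 and 4 before merge so the blob never enters history, and add `.DS_Store` to `.gitignore` so it cannot recur.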
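Review bot: the @@ -1449 hunk in patch 6 changes "for this proof type" to "for key proofs" in `proof_signing_alg_values_supported`, but the parameter lives inside a per-proof-type object under `proof_types_supported` and the following sentence still says the values "are determined by the key proof type"; keep the per-type scoping, for example "that the Issuer supports for this key proof type".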
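Review bot: the @@ -2205 hunk in patch 7 only drops the word "in" and leaves "eliptic" misspelled in the same sentence; correct it to "elliptic" here rather than in another editorial pass. The commit subject "editrial fix" carries the same kind of typo and is worth fixing when the series is squashed.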