second attempt to add sd-jwt vcdm #147
Conversation
{ | ||
"vct": "https://credentials.example.com/identity_credential", | ||
//W3C VCDM 2.0 compliant claims | ||
"vcdm": { |
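Review bot: the `//W3C VCDM 2.0 compliant claims` line inside the object makes this example invalid JSON, so the payload cannot be fed to a parser or a JSON-LD processor as printed; since it is presented as a non-normative example, drop the comment or move it into the prose above the example. The hunk also nests `vcdm` directly beside `vct` without saying whether `vct` identifies the VCDM type or a separate SD-JWT VC type, which a verifier needs in order to know what to validate the payload against.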
Why?
//W3C VCDM 2.0 compliant claims | ||
"vcdm": { | ||
"@context": ["https://www.w3.org/ns/credentials/v2"], | ||
"type": ["VerifiableCredential", "https://credentials.example.com/identity_credential"], |
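Review bot: `@context` hardcodes the VCDM 2.0 context while the section text allows [@!W3C.VCDM1.1] as well; state which `@context` values are acceptable for each data model version and whether a verifier must reject a `vcdm` object whose `@context` does not match the version being claimed. The second `type` entry also repeats the top-level `vct` value; specify which of the two a verifier uses for type matching and what it does when they disagree, otherwise an issuer can present one type to JWT processors and a different one to JSON-LD processors.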
should be top level, and the relationship with `vct` must be explained
For backward compatibility with JWT processors, the following registered JWT claims MUST be used, instead of their respective counterpart properties in [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0]: | ||
|
||
* `exp` Claim MUST represent the `expirationDate` property, encoded as a UNIX timestamp (NumericDate). | ||
* `iss` Claim MUST represent the `issuer` property. |
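Review bot: the bullets name only the VCDM 1.1 property (`expirationDate`) although the sentence covers [@!W3C.VCDM2.0] as well, where the equivalent property is `validUntil`; list the counterpart for each version. `iss` MUST represent `issuer` also needs the object form covered: a VCDM `issuer` may be an object with an `id` and further properties while `iss` is a string, so say that `iss` carries `issuer.id`, where the remaining properties go, and that a verifier treats the `iss` value (the one the issuer key lookup is based on) as authoritative over any issuer information under `vcdm`.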
issuer can be an object; IMO usage of iss/issuer must be properly explained as self-declared and unverifiable claims should not be used.
* `exp` Claim MUST represent the `expirationDate` property, encoded as a UNIX timestamp (NumericDate). | ||
* `iss` Claim MUST represent the `issuer` property. | ||
* `iat` Claim MUST represent `issuanceDate` property, encoded as a UNIX timestamp (NumericDate). | ||
* `status` Claim MUST represent `credentialStatus` property. |
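Review bot: mapping `iat` to `issuanceDate` conflicts with the JWT encoding defined in [@!W3C.VCDM1.1] itself, which maps `issuanceDate` to `nbf`; `iat` is the time the token was minted, which can differ from the start of the credential's validity (and VCDM 2.0 replaces `issuanceDate` with `validFrom`). Either use `nbf` or state explicitly that this profile deviates and why. For `status`, `credentialStatus` is an object whose `type` selects the revocation or suspension mechanism; say how that object is carried in the `status` claim and how a verifier picks the mechanism, since a mapping by name alone gives implementers nothing to check.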
Do you confirm that status and credential status have the same governance model? So, it contains a "type" property that defines which revocation/suspension mechanism is used?
* `iss` Claim MUST represent the `issuer` property. | ||
* `iat` Claim MUST represent `issuanceDate` property, encoded as a UNIX timestamp (NumericDate). | ||
* `status` Claim MUST represent `credentialStatus` property. | ||
* `schema` Claim MUST represent the `credentialSchema` property. |
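Review bot: unlike `exp`, `iss` and `iat`, the `status` and `schema` claims are not among the claims registered by the base JWT specification, and the list gives no reference for where they are defined or registered; add the citation and the required value structure. `credentialSchema` may hold more than one schema (the comment above notes deployments using both a JSON Schema and a SHACL schema), so state whether `schema` accepts an array and whether a verifier must fail when it cannot process every listed schema rather than silently skipping the ones it does not understand.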
Same question as for status. Note: ELM is using two: JSON Schema and SHACL schema.
@@ -343,6 +343,75 @@ Note: The issuer MAY decide to support both options. In which case, it is at the | |||
|
|||
A Credential Format Profile for Credentials complying with IETF SD-JWT VCs [@!I-D.ietf-oauth-sd-jwt-vc] is defined in Annex A.3 of [@!OIDF.OID4VCI] and Annex A.4 of [@!OIDF.OID4VP]. | |||
|
|||
## SD-JWT VC Data Model (SD-JWT VCDM) | |||
|
|||
SD-JWT VCDM is a data model that follows IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc], but allows the usage of [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0]. When IETF SD-JWT VC is mentioned in this specification, SD-JWT VCDM define in this section MAY be used. |
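Review bot: `SD-JWT VCDM define in this section` should read `defined`. More substantively, saying SD-JWT VCDM `MAY be used` wherever IETF SD-JWT VC is mentioned gives a verifier no way to know which data model a given credential follows; specify the signal (presence of the `vcdm` claim, a dedicated `vct`, or both) and state that a verifier which does not implement this section rejects such a credential rather than treating it as a plain SD-JWT VC, since the `@context` and `type` inside `vcdm` would otherwise go unchecked.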
Need to add a more detailed explanation that the SD-JWT processor is used to process the SD-JWT to get the payload, and the JSON-LD processor is only applied to the `vcdm` part of the payload. Also clarify that the SD-JWT before processing (the one that includes `_sd` etc.) should not be put into a JSON-LD processor.
Add a note that not using the `vcdm` claim simplifies additional processing.
|
||
For backward compatibility with JWT processors, the following registered JWT claims MUST be used, instead of their respective counterpart properties in [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0]: | ||
|
||
* `exp` Claim MUST represent the `expirationDate` property, encoded as a UNIX timestamp (NumericDate). |
* `exp` Claim MUST represent the `expirationDate` property, encoded as a UNIX timestamp (NumericDate). | |
* `expirationDate` property MUST NOT be used. It MUST be ignored if present. It is represented by `exp` Claim encoded as a UNIX timestamp (NumericDate). |
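Review bot: the suggested wording both forbids `expirationDate` and requires it to be ignored if present; pick one behaviour. From a verifier's standpoint, rejecting a payload that carries both `exp` and an `expirationDate` under `vcdm` is safer than ignoring the latter, because a JSON-LD consumer downstream of the SD-JWT processor may still read `expirationDate` and reach a different validity conclusion than the JWT layer did. Whichever rule is chosen should be stated once for every counterpart in the list (`issuer`, `issuanceDate`, `credentialStatus`, `credentialSchema`), not only for `expirationDate`.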
|
||
SD-JWT VCDM is a data model that follows IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc], but allows the usage of [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0]. When IETF SD-JWT VC is mentioned in this specification, SD-JWT VCDM define in this section MAY be used. | ||
|
||
For backward compatibility with JWT processors, the following registered JWT claims MUST be used, instead of their respective counterpart properties in [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0]: |
Need to add a paragraph on the `vct` claim and the `type` property.
|
||
* `vcdm`: OPTIONAL. Contains properties defined in [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0] that are not represented by their counterpart JWT Claims as defined above. | ||
|
||
The following is a non-normative example of an unsecured payload of an SD-JWT VCDM, that is built using the example of unsecured payload in Section 3.3 of [@!I-D.ietf-oauth-sd-jwt-vc]: |
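Review bot: `vcdm` is marked OPTIONAL but comes with no processing rules. Say whether `vcdm` or its members may be made selectively disclosable (that is, whether `_sd` arrays and decoy digests may appear inside it), and require that the SD-JWT processor resolve all disclosures and strip `_sd` and `_sd_alg` before the `vcdm` object is handed to a JSON-LD processor, which would otherwise see terms it cannot interpret. Also state where user claims live when `vcdm` is present (inside it, at the top level, or both), so that the JWT and JSON-LD processors cannot be shown different claim sets.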
The expectation is for all user claims to be included in `vcdm`, not outside of it. It makes more sense to define a static `vct` that is used when the `vcdm` claim is present, and that static `vct` can have a flag that JSON-LD processing applies to `vcdm`. But this might be too complex.
How is SD-JWT VC defining "namespaces"/"vocabularies"?
Namely, all the issues raised here are due to the lack of it.
resolves #128
intended as an alternative that supersedes #134