Internet-Draft | SD-JWT VC Type Metadata | February 2024 |
Fett | Expires 17 August 2024 | [Page] |
This specification describes metadata for SD-JWT based Verifiable Credentials.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/.¶
Source for this draft and an issue tracker can be found at https://github.com/vcstuff/sd-jwt-vc-types.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 17 August 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The SD-JWT VC specification [I-D.ietf-oauth-sd-jwt-vc] defines the JWT claim vct
(for verifiable credential type). The vct
value serves as an identifier for
the type of the SD-JWT VC.¶
A type is associated with rules defining which claims may or must appear in the SD-JWT VC and whether they may, must, or must not be selectively disclosable.¶
This specification defines metadata that can be associated with a type as well as a method for retrieving the metadata and processing rules. This metadata is intended to be used, among other things, for the following purposes:¶
Applications using this specification are called "consuming applications" in the following. This typically includes Issuers, Verifiers, and Wallets.¶
All examples in this section are non-normative.¶
In an SD-JWT VC, vct
can be used to express a type. Metadata can be retrieved as described in Section 3.¶
{ "vct": "https://betelgeuse.example.com/education_credential", "vct#integrity": "sha256-WRL5ca_xGgX3c1VLmXfh-9cLlJNXN-TsMk-PmKjZ5t0", ... }¶
Here, the type is https://betelgeuse.example.com/education_credential
. The
metadata is retrieved from the URL
https://betelgeuse.example.com/.well-known/vct/education_credential
.¶
The following is an example for a metadata document:¶
{ "vct":"https://betelgeuse.example.com/education_credential", "name":"Betelgeuse Education Credential - Preliminary Version", "description":"This is our development version of the education credential. Don't panic.", "extends":"https://galaxy.example.com/galactic-education-credential-0.9", "extends#integrity":"sha256-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-WRL5", "display":[ { "en-US":{ "name":"Betelgeuse Education Credential", "rendering":{ "simple":{ "logo":{ "uri":"https://betelgeuse.example.com/public/education-logo.png", "uri#integrity":"sha256-LmXfh-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1V", "alt_text":"Betelgeuse Ministry of Education logo" }, "background_color":"#12107c", "text_color":"#FFFFFF" }, "svg_templates":[ { "uri":"https://betelgeuse.example.com/public/credential-english.svg", "uri#integrity":"sha256-8cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-9c", "properties":{ "orientation":"landscape", "color_scheme":"light", "contrast":"high" } } ] } }, "de-DE":{ "name":"Betelgeuse-Bildungsnachweis", "rendering":{ "simple":{ "logo":{ "uri":"https://betelgeuse.example.com/public/education-logo-de.png", "uri#integrity":"sha256-LmXfh-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1V", "alt_text":"Logo des Betelgeusischen Bildungsministeriums" }, "background_color":"#12107c", "text_color":"#FFFFFF" }, "svg_templates":[ { "uri":"https://betelgeuse.example.com/public/credential-german.svg", "uri#integrity":"sha256-8cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-9c", "properties":{ "orientation":"landscape", "color_scheme":"light", "contrast":"high" } } ] } } } ], "claims":{ "/name":{ "display":{ "de-DE":{ "label":"Vor- und Nachname", "description":"Der Name des Studenten" }, "en-US":{ "label":"Name", "description":"The name of the student" } }, "verification":"verified", "sd":"allowed" }, "/degree":{ "display":{ "de-DE":{ "label":"Abschluss", "description":"Der Abschluss des Studenten" }, "en-US":{ "label":"Degree", "description":"Degree earned by the student" } }, "verification":"authoritative", "sd":"allowed" }, "/address":{ "display":{ "de-DE":{ "label":"Adresse", "description":"Adresse zum Zeitpunkt des Abschlusses" }, "en-US":{ "label":"Address", "description":"Address at the time of graduation" } }, "verification":"self-attested", "sd":"always" }, "/address/street_address":{ "display":{ "de-DE":{ "label":"Straße" }, "en-US":{ "label":"Street Address" } }, "verification":"self-attested", "sd":"always" } }, "schema_url":"https://exampleuniversity.com/public/credential-schema-0.9", "schema_url#integrity":"sha256-o984vn819a48ui1llkwPmKjZ5t0WRL5ca_xGgX3c1VLmXfh" }¶
vct
Claim
In an SD-JWT VC, a URI in the vct
claim can be used to express a type. If the
type is a URL, metadata can be retrieved from the URL
https://<authority>/.well-known/vct/<type>
, i.e., by inserting
/.well-known/vct
after the authority part of the URL.¶
The metadata is retrieved using the HTTP GET method. The response MUST be a JSON object as defined in Section 5.¶
If the claim vct#integrity
is present in the SD-JWT VC, its value
vct#integrity
MUST be an "integrity metadata" string as defined in Section Section 4.¶
A consuming application MAY use a registry to retrieve metadata for a type, e.g., if the type is not a URL or if the consuming application does not have access to the URL. The registry MUST be a trusted registry, i.e., the consuming application MUST trust the registry to provide correct metadata for the type.¶
The registry MUST provide the metadata in the same format as described in Section 5.¶
Ecosystems MAY define additional methods for retrieving metadata. For example, a
standardization body or a community MAY define a service which has to be used to
retrieve metadata based on a URN in the vct
claim.¶
A consuming application MAY cache metadata for a type. If a hash for integrity
protection is present in the metadata as defined in Section 4, the consuming
application MAY assume that the metadata is static and can be cached
indefinitely. Otherwise, the consuming application MUST use the Cache-Control
header of the HTTP response to determine how long the metadata can be cached.¶
Credentials MAY encode type metadata directly, providing it as "glue information" to the consumer.¶
For JSON-serialized JWS-based credentials, such type metadata documents MAY be
included in the unprotected header of the JWS. In this case, the key vctm
MUST
be used in the unprotected header and its value MUST be an array of
base64url-encoded Type Metadata documents as defined in this specification.
Multiple documents MAY be included for providing a whole chain of types to the
consuming application (see Section 6).¶
A consuming application of a credential MAY use the documents in the vctm
array instead of retrieving the respective metadata elsewhere as follows:¶
vct
in a credential, the consuming application MUST ensure
that the vct
claim in the credential matches the one in the metadata
document, and it MUST verify the integrity of the metadata document as
defined in Section 4. The consuming application MUST NOT use the metadata
if no hash for integrity protection was provided in vct#integrity
.¶
extends
property in a metadata document, the consuming
application MUST ensure that the value of the extends
property in the
metadata document matches that of the vct
in the metadata document, and it
MUST verify the integrity of the metadata document as defined in
Section 4. The consuming application MUST NOT use the metadata if no hash
for integrity protection was provided.¶
Both the vct
claim in the SD-JWT VC and various URIs in the metadata
document MAY be accompanied by a respective claim suffixed with #integrity
, in particular:¶
The value MUST be an "integrity metadata" string as defined in Section 3 of [W3C.SRI]. A consuming application of the respective documents MUST verify the integrity of the retrieved document as defined in Section 3.3.5 of [W3C.SRI].¶
The metadata document MUST be a JSON object. The following properties are defined:¶
name
: A human-readable name for the type, intended for developers reading
the JSON document. This property is OPTIONAL.¶
description
: A human-readable description for the type, intended for
developers reading the JSON document. This property is OPTIONAL.¶
extends
: A URI of another type that this type extends, as described in
Section 6. This property is OPTIONAL.¶
display
: An object containing display information for the type, as described
in Section 7. This property is OPTIONAL.¶
claims
: An object containing claim information for the type, as described in
Section 8. This property is OPTIONAL.¶
schema
: An embedded JSON Schema document describing the structure of the
credential as described in Section 9. This property is OPTIONAL. MUST NOT be
used if schema_url
is present.¶
schema_url
: A URL pointing to a JSON Schema document describing the
structure of the credential as described in Section 9. This property is
OPTIONAL. MUST NOT be used if schema
is present.¶
A type can extend another type. The extended type is identified by the URI in
the extends
property. The consuming application MUST retrieve and process
metadata for the extended type before processing the metadata for the extending
type.¶
The extended type MAY itself extend another type. This can be used to create a chain or hierarchy of types. The security considerations described in Section 10.1 apply in order to avoid problems with circular dependencies.¶
The following processing rules apply for extending types (recursively for all extended types):¶
display
property of the extending type MUST be used for display
purposes. If there is no such property, the display
property of the
extended type MAY be used.¶
claims
of the
extending type MUST be used for validation purposes if it exists. If there is
no such property, the respective property of the extended type MUST be used.¶
schema
or schema_url
property of the extending type MUST be evaluated
for validation purposes if it exists. Afterwards, or if there is no such
property, the schema
property of the extended type MUST evaluated. This
means that all schemas in the chain of extended types MUST be evaluated for a
particular credential.¶
The display
property is an object containing display information for the type.
The object MUST contain a property for each language that is supported by the
type. The property name MUST be a language tag as defined in Section 2 of
[RFC5646]. The property value MUST be an object containing the following
properties:¶
name
: A human-readable name for the type, intended for end users. This
property is OPTIONAL.¶
description
: A human-readable description for the type, intended for end
users. This property is OPTIONAL.¶
rendering
: An object containing rendering information for the type, as
described in Section 7.1. This property is OPTIONAL.¶
The rendering
property is an object containing rendering information for the
type. The object MUST contain a property for each rendering method that is
supported by the type. The property name MUST be a rendering method identifier
and the property value MUST be an object containing the properties defined for
the rendering method.¶
The simple
rendering method is intended for use in applications that do not
support SVG rendering. The object MUST contain the following properties:¶
logo
: An object containing information about the logo to be displayed for
the type, as described in Section 7.1.1.1. This property is OPTIONAL.¶
background_color
: A CSS color value for the background of the credential.
This property is OPTIONAL.¶
text_color
: A CSS color value for the text of the credential. This property
is OPTIONAL.¶
The logo
property is an object containing information about the logo to be
displayed for the type. The object contains the following properties:¶
The svg_template
rendering method is intended for use in applications that
support SVG rendering. The object MUST contain an array of objects containing
information about the SVG templates available for the type. Each object contains
the following properties:¶
uri
: A URI pointing to the SVG template. This property is REQUIRED.¶
uri#integrity
: An "integrity metadata" string as described in
Section 4. This property is OPTIONAL.¶
properties
: An object containing properties for the SVG template, as
described in Section 7.1.2.1. This property is REQUIRED if more than
one SVG template is present, otherwise it is OPTIONAL.¶
The properties
property is an object containing properties for the SVG
template. Consuming applications MUST use these properties to find the best SVG
template available for display to the user based on the display properties
(landscape/portrait) and user preferences (color scheme, contrast). The object
MUST contain at least one of the following properties:¶
orientation
: The orientation for which the SVG template is optimized, with
valid values being portrait
and landscape
. This property is OPTIONAL.¶
color_scheme
: The color scheme for which the SVG template is optimized, with
valid values being light
and dark
. This property is OPTIONAL.¶
contrast
: The contrast for which the SVG template is optimized, with valid
values being normal
and high
. This property is OPTIONAL.¶
The claims
property is an object containing information about particular claims
for displaying and validating the claims.¶
The object MAY contain a property for each claim that is supported by the type. The property name MUST be a JSON Pointer [RFC6901] pointing to the claim in the credential. The property value MUST be an object containing the following properties:¶
display
: An object containing display information for the claim, as
described in Section 8.1. This property is OPTIONAL.¶
verification
: A string indicating how the claim is verified, as described in
Section 8.2. This property is OPTIONAL.¶
sd
: A string indicating whether the claim is selectively disclosable, as
described in Section 8.3. This property is OPTIONAL.¶
Note: The JSON Pointer MUST point to the respective claim as if all selectively disclosable claims were disclosed to the Verifier. That means that a consuming application which does not have access to all disclosures may not be able to validate the claim.¶
The display
property is an object containing display information for the
claim. The object MUST contain a property for each language that is supported by
the type. The property name MUST be a language tag as defined in Section 2 of
[RFC5646]. The consuming application MUST use the language tag it considers most
appropriate for the user.¶
The property value MUST be an object containing the following properties:¶
The verification
property is a string indicating how the claim is verified.
The following values are defined:¶
self-attested
: The claim's value was self-attested by the End-User towards
the Issuer. The Issuer did not verify the claim. For example, in a diploma,
the residential address of the student may be self-attested.¶
verified
: The claim's value was verified by the Issuer. The Issuer may have
used a third party to verify the claim. For example, in a diploma, the birth
date of the student may have been verified by the university using the
student's passport.¶
authoritative
: The Issuer claims to be the authority to make a statement
about the claim's value. For example, in a diploma, the degree earned by the
student may be authoritative if the Issuer is the university that issued the
degree.¶
The sd
property is a string indicating whether the claim is selectively
disclosable. The following values are defined:¶
If a schema
or schema_url
property is present, a consuming application that
intends to validate the credential (in particular, Verifiers) MUST validate the
credential against the provided JSON Schema document.¶
A type MUST NOT extend another type that extends (either directly or with steps in-between) the first type. This would result in a circular dependency that could lead to infinite recursion when retrieving and processing the metadata.¶
Consuming applications MUST detect such circular dependencies and reject the credential.¶
In Section 3, various methods for distributing and retrieving metadata are described. Methods relying on a network connection may fail due to network issues or unavailability of a network connection due to offline usage of credentials, temporary server outages, or denial of service attacks on the metadata server.¶
Consuming applications SHOULD therefore implement a local cache as described in Section 3.4 if possible. Such a cache MAY be populated with metadata before the credential is used.¶
Issuers MAY provide glue documents as described in Section 3.5 to provide metadata directly with the credential and avoid the need for network requests.¶
These measures allow the consuming application to continue to function even if the metadata server is temporarily unavailable and avoid privacy issues as described in Section 11.2.¶
A Wallet MUST always ensure that all claims that are disclosed to a Verifier are
also displayed to the user as appropriate for the use case. If there is no
information about the claim in the claims
section of the metadata, the Wallet
MUST either fall back to show the user the 'raw' claim value or MUST NOT
disclose the claim to the Verifier.¶
In Section 3, various methods for distributing and retrieving metadata are described. For methods which rely on a network connection to a URL (e.g., provided by an Issuer), third parties (like the Issuer) may be able to track the usage of a credential by observing requests to the metadata URL.¶
Consuming applications SHOULD prefer methods for retrieving metadata that do not leak information about the usage of a credential to third parties. The recommendations in Section 10.2 apply.¶
The SVG rendering method is based on work of the W3C CCG: https://w3c-ccg.github.io/vc-render-method/¶
The authors would like to thank the following people for their contributions to this document and the discussions around it: Giuseppe De Marco, Paul Bastian, Alen Horvat, Oliver Terbu, Torsten Lodderstedt, Kristina Yasuda¶