Internet-Draft native-jwt-vcs May 2023
Prorock & Steele Expires 25 November 2023
This document describes how to construct and utilize a JWT as a Verifiable Credential utilizing only JSON and registered claims.
This document does not define any new cryptography, only serializations of systems.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 25 November 2023.
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The following terminology is used throughout this document:
This section provides guidance on how to use JSON [RFC8259] claimsets with JWT [RFC7519] registered claims to construct a JWT that can be mapped to a verifiable credential. This section also describes how to use content types and token types to distinguish different representations of verifiable credentials.
This representation relies on claims registered in the IANA JSON Web Token Claims Registry whenever possible.
Implementers using this representation SHOULD NOT use vc+ld+json as an input.
typ: MUST use the media type vc+jwt.
Example of credential metadata (decoded JWT header):
{
  "kid": "https://example.edu/issuers/14#key-0",
  "alg": "ES256",
  "typ": "vc+jwt"
}
Example of a credential (decoded JWT payload):
{
  "iss": "https://example.edu/issuers/14",
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "urn:example:claim": true
}
NOTE: The vc and vp claims MUST NOT be present when the content type header parameter is set to credential-claims-set+json.
Example of a JWT encoded verifiable credential (using external proof):
=============== NOTE: '\' line wrapping per RFC 8792 ================
eyJraWQiOiJodHRwczovL2V4YW1wbGUuZWR1L2lzc3VlcnMvMTQja2V5LTAiLCJhbGci\
OiJFUzI1NiIsInR5cCI6InZjK2p3dCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuZWR\
1L2lzc3VlcnMvMTQiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiw\
iaWF0IjoxNTE2MjM5MDIyLCJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZX0.WLD4Qxh629T\
FkJHzmbkWEefYX-QPkdCmxbBMKNHErxND2QpjVBbatxHkxS9Y_SzBmwffuM2E9i5VvVg\
pZ6v4Tg
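As an added example (not code from this draft), the following Python applies the structural rules above to a token before signature verification: the typ header must be vc+jwt, and the vc and vp claims must be absent when cty is credential-claims-set+json. The draft's example token is used re-joined from its wrapped form; rejecting a token with no signature is a general JWT consideration assumed here, and verifying the ES256 signature against the issuer's key is a separate step that still has to follow.

```python
import base64
import json

# The draft's own example token, re-joined from its RFC 8792 line-wrapped form.
DRAFT_EXAMPLE_JWT = (
    "eyJraWQiOiJodHRwczovL2V4YW1wbGUuZWR1L2lzc3VlcnMvMTQja2V5LTAiLCJhbGci"
    "OiJFUzI1NiIsInR5cCI6InZjK2p3dCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuZWR"
    "1L2lzc3VlcnMvMTQiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiw"
    "iaWF0IjoxNTE2MjM5MDIyLCJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZX0.WLD4Qxh629T"
    "FkJHzmbkWEefYX-QPkdCmxbBMKNHErxND2QpjVBbatxHkxS9Y_SzBmwffuM2E9i5VvVg"
    "pZ6v4Tg"
)


def b64url_decode(segment: str) -> bytes:
    """JWS segments drop '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_unsigned_parts(header: dict, payload: dict) -> str:
    """Build the header.payload prefix of a compact JWS; the issuer's key signs it afterwards."""
    return ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, payload))


def decode_jwt(token: str) -> tuple[dict, dict, bytes]:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header, payload, signature = (b64url_decode(p) for p in parts)
    return json.loads(header), json.loads(payload), signature


def structural_problems(token: str) -> list[str]:
    """Rules from this draft that a verifier applies before (never instead of) signature verification."""
    header, payload, signature = decode_jwt(token)
    problems = []
    if header.get("typ") != "vc+jwt":
        problems.append(f"typ MUST be vc+jwt, got {header.get('typ')!r}")
    # Assumed general JWT hygiene, not a rule stated in this draft: an unsigned token is unverifiable.
    if not signature or str(header.get("alg", "none")).lower() == "none":
        problems.append("token carries no signature to verify")
    if header.get("cty") == "credential-claims-set+json":
        problems += [f"{c} claim MUST NOT be present with cty credential-claims-set+json"
                     for c in ("vc", "vp") if c in payload]
    return problems
```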
All security considerations from JSON [RFC8259] and JWT [RFC7519] SHOULD be followed.
This section will register the "application/vc+jwt" media type [RFC2046] in the "Media Types" registry [IANA.MediaTypes] in the manner described in RFC 6838 [RFC6838], which can be used to indicate that the content is a JWT.