Internet-Draft | SD-JWT VC | July 2023 |
Terbu & Fett | Expires 11 January 2024 | [Page] |
This specification describes data formats as well as validation and processing rules to express Verifiable Credentials with JSON payloads based on the Selective Disclosure for JWTs (SD-JWT) [I-D.ietf-oauth-selective-disclosure-jwt] format. It can be used when there are no selective disclosable claims, too.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In the so-called Issuer-Holder-Verifier Model, Issuers issue Verifiable Credentials to a Holder, who can then present the Verifiable Credentials to Verifiers. Verifiable Credentials are cryptographically signed statements about a Subject, typically the Holder.¶
Verifiers can check the authenticity of the data in the Verifiable Credentials and optionally enforce Key Binding, i.e., ask the Holder to prove that they are the intended holder of the Verifiable Credential, for example, by proving possession of a cryptographic key referenced in the credential. This process is further described in [I-D.ietf-oauth-selective-disclosure-jwt].¶
To support revocation of Verifiable Credentials, revocation information can optionally be retrieved from a Status Provider. The role of a Status Provider can be fulfilled by either a fourth party or by the Issuer.¶
This specification defines Verifiable Credentials based on the SD-JWT format with a JWT Claim Set. It can be used when there are no selective disclosable claims, too.¶
JSON Web Tokens (JWTs) [RFC7519] can in principle be used to express Verifiable Credentials in a way that is easy to understand and process as it builds upon established web primitives.¶
Selective Disclosure JWT (SD-JWT) [I-D.ietf-oauth-selective-disclosure-jwt] is a specification that introduces conventions to support selective disclosure for JWTs: For an SD-JWT document, a Holder can decide which claims to release (within bounds defined by the Issuer).¶
SD-JWT is a superset of JWT as it can also be used when there are no selectively disclosable claims and also supports JWS JSON serialization, which is useful for long term archiving and multi signatures. However, SD-JWT itself does not define the claims that must be used within the payload or their semantics.¶
This specification therefore uses SD-JWT and the well-established JWT content rules and extensibility model as basis for representing Verifiable Credentials with JSON payload. Those Verifiable Credentials are called SD-JWT VCs.¶
SD-JWTs VC can contain claims that are registered in "JSON Web Token Claims" registry as defined in [RFC7519], as well as public and private claims.¶
Note: This specification does not utilize the W3C's Verifiable Credentials Data Model v1.0, v1.1, or v2.0.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].¶
This specification uses the terms "Holder", "Issuer", "Verifier", defined by [I-D.ietf-oauth-selective-disclosure-jwt].¶
TBD: explain use cases of the Issuer-Holder-Verifier Model.¶
TBD: conventional crypt, hardware security, hsm, mobile secure area, compliance with FIPS¶
This section defines encoding, validation and processing rules for SD-JWT VCs.¶
SD-JWT VCs compliant with this specification MUST use the media type
application/vc+sd-jwt
as defined in Appendix A.2.1.¶
SD-JWT VCs MUST be encoded using the SD-JWT Combined Format for Issuance as defined in Section 5.3. of [I-D.ietf-oauth-selective-disclosure-jwt].¶
When there are selectively disclosable claims, SD-JWT VCs MUST contain all Disclosures corresponding to their SD-JWT component except for Decoy Digests as per Section 5.1.1.3. of [I-D.ietf-oauth-selective-disclosure-jwt].¶
This section defines JWT header parameters for the SD-JWT component of the SD-JWT VC.¶
The typ
header parameter of the SD-JWT MUST be present. The typ
value MUST
use vc+sd-jwt
. This indicates that the payload of the SD-JWT contains plain
JSON and follows the rules as defined in this specification. It further
indicates that the SD-JWT is a SD-JWT component of a SD-JWT VC.¶
The following is a non-normative example of a decoded SD-JWT header:¶
{ "alg": "ES256", "typ": "vc+sd-jwt" }¶
This section defines the claims that can be included in the payload of SD-JWT VCs.¶
type
claim
This specification defines the JWT claim type
. The type
claim is used
to express the type of the JSON object that is secured by the
JWT. The type
value MUST be a case-sensitive StringOrURI
value.¶
The following is a non-normative example of how type
is used to express
a type:¶
{ "type": "SomeType" }¶
SD-JWT VCs MAY use any claim registered in the "JSON Web Token Claims" registry as defined in [RFC7519].¶
If present, the following registered JWT claims MUST be included in the SD-JWT and MUST NOT be included in the Disclosures, i.e. cannot be selectively disclosed:¶
iss
¶
iat
¶
nbf
¶
exp
¶
cnf
¶
type
¶
IdentityCredential
, as defined in Section 4.2.2.1.¶
status
¶
The following registered JWT claims MAY be contained in the SD-JWT or in the Disclosures and MAY be selectively disclosed:¶
Additional public claims MAY be used in SD-JWT VCs depending on the application.¶
An SD-JWT VC MAY have no selectively disclosable claims.
In that case, the SD-JWT VC MUST NOT contain the _sd
claim in the JWT body. It also
MUST NOT have any Disclosures.¶
The following is a non-normative example of an unsecured payload of an SD-JWT VC.¶
{ "type": "IdentityCredential", "given_name": "John", "family_name": "Doe", "email": "johndoe@example.com", "phone_number": "+1-202-555-0101", "address": { "street_address": "123 Main St", "locality": "Anytown", "region": "Anystate", "country": "US" }, "birthdate": "1940-01-01", "is_over_18": true, "is_over_21": true, "is_over_65": true }¶
The following is a non-normative example of how the unsecured payload of the SD-JWT VC above can be used in a SD-JWT where the resulting SD-JWT VC contains only claims about the Subject that are selectively disclosable:¶
{ "_sd": [ "09vKrJMOlyTWM0sjpu_pdOBVBQ2M1y3KhpH515nXkpY", "2rsjGbaC0ky8mT0pJrPioWTq0_daw1sX76poUlgCwbI", "EkO8dhW0dHEJbvUHlE_VCeuC9uRELOieLZhh7XbUTtA", "IlDzIKeiZdDwpqpK6ZfbyphFvz5FgnWa-sN6wqQXCiw", "JzYjH4svliH0R3PyEMfeZu6Jt69u5qehZo7F7EPYlSE", "PorFbpKuVu6xymJagvkFsFXAbRoc2JGlAUA2BA4o7cI", "TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo", "jdrTE8YcbY4EifugihiAe_BPekxJQZICeiUQwY9QqxI", "jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4" ], "iss": "https://example.com/issuer", "iat": 1683000000, "exp": 1883000000, "type": "IdentityCredential", "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } } }¶
Note that a cnf
claim has been added to the SD-JWT payload to express the
confirmation method of the Key Binding.¶
The following are the Disclosures belonging to the SD-JWT payload above:¶
Claim given_name
:¶
jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4
¶
WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STjl3IiwgImdpdmVuX25hbWUiLCAiSm9o
biJd
¶
["2GLC42sKQveCfGfryNRN9w", "given_name", "John"]
¶
Claim family_name
:¶
TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo
¶
WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BIiwgImZhbWlseV9uYW1lIiwgIkRv
ZSJd
¶
["eluV5Og3gSNII8EYnsxA_A", "family_name", "Doe"]
¶
Claim email
:¶
JzYjH4svliH0R3PyEMfeZu6Jt69u5qehZo7F7EPYlSE
¶
WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwgImVtYWlsIiwgImpvaG5kb2VA
ZXhhbXBsZS5jb20iXQ
¶
["6Ij7tM-a5iVPGboS5tmvVA", "email", "johndoe@example.com"]
¶
Claim phone_number
:¶
PorFbpKuVu6xymJagvkFsFXAbRoc2JGlAUA2BA4o7cI
¶
WyJlSThaV205UW5LUHBOUGVOZW5IZGhRIiwgInBob25lX251bWJlciIsICIr
MS0yMDItNTU1LTAxMDEiXQ
¶
["eI8ZWm9QnKPpNPeNenHdhQ", "phone_number",
"+1-202-555-0101"]
¶
Claim address
:¶
IlDzIKeiZdDwpqpK6ZfbyphFvz5FgnWa-sN6wqQXCiw
¶
WyJRZ19PNjR6cUF4ZTQxMmExMDhpcm9BIiwgImFkZHJlc3MiLCB7InN0cmVl
dF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRv
d24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cnkiOiAiVVMifV0
¶
["Qg_O64zqAxe412a108iroA", "address", {"street_address":
"123 Main St", "locality": "Anytown", "region": "Anystate",
"country": "US"}]
¶
Claim birthdate
:¶
jdrTE8YcbY4EifugihiAe_BPekxJQZICeiUQwY9QqxI
¶
WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIiwgImJpcnRoZGF0ZSIsICIxOTQw
LTAxLTAxIl0
¶
["AJx-095VPrpTtN4QMOqROA", "birthdate", "1940-01-01"]
¶
Claim is_over_18
:¶
09vKrJMOlyTWM0sjpu_pdOBVBQ2M1y3KhpH515nXkpY
¶
WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdWZRIiwgImlzX292ZXJfMTgiLCB0cnVl
XQ
¶
["Pc33JM2LchcU_lHggv_ufQ", "is_over_18", true]
¶
Claim is_over_21
:¶
2rsjGbaC0ky8mT0pJrPioWTq0_daw1sX76poUlgCwbI
¶
WyJHMDJOU3JRZmpGWFE3SW8wOXN5YWpBIiwgImlzX292ZXJfMjEiLCB0cnVl
XQ
¶
["G02NSrQfjFXQ7Io09syajA", "is_over_21", true]
¶
Claim is_over_65
:¶
EkO8dhW0dHEJbvUHlE_VCeuC9uRELOieLZhh7XbUTtA
¶
WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgImlzX292ZXJfNjUiLCB0cnVl
XQ
¶
["lklxF5jMYlGTPUovMNIvCA", "is_over_65", true]
¶
The SD-JWT and the Disclosures would then be serialized by the Issuer into the following format for issuance to the Holder:¶
eyJhbGciOiAiRVMyNTYifQ.eyJfc2QiOiBbIjA5dktySk1PbHlUV00wc2pwdV9wZE9CV kJRMk0xeTNLaHBINTE1blhrcFkiLCAiMnJzakdiYUMwa3k4bVQwcEpyUGlvV1RxMF9kY Xcxc1g3NnBvVWxnQ3diSSIsICJFa084ZGhXMGRIRUpidlVIbEVfVkNldUM5dVJFTE9pZ UxaaGg3WGJVVHRBIiwgIklsRHpJS2VpWmREd3BxcEs2WmZieXBoRnZ6NUZnbldhLXNON ndxUVhDaXciLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQW WxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJI iwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAia mRyVEU4WWNiWTRFaWZ1Z2loaUFlX0JQZWt4SlFaSUNlaVVRd1k5UXF4SSIsICJqc3U5e VZ1bHdRUWxoRmxNXzNKbHpNYVNGemdsaFFHMERwZmF5UXdMVUs0Il0sICJpc3MiOiAia HR0cHM6Ly9leGFtcGxlLmNvbS9pc3N1ZXIiLCAiaWF0IjogMTY4MzAwMDAwMCwgImV4c CI6IDE4ODMwMDAwMDAsICJ0eXBlIjogIklkZW50aXR5Q3JlZGVudGlhbCIsICJfc2RfY WxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiO iAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsc zd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2d DRqVDlGMkhaUSJ9fX0.nIneu9ghAY_pjnfAczLZe80xN2Z-jjxs42MOx8UVZtCT4ACFV W8RMdBANSwjfRBD1Xag6vnayC6HUnBvkVWlMQ~WyIyR0xDNDJzS1F2ZUNmR2ZyeU5STj l3IiwgImdpdmVuX25hbWUiLCAiSm9obiJd~WyJlbHVWNU9nM2dTTklJOEVZbnN4QV9BI iwgImZhbWlseV9uYW1lIiwgIkRvZSJd~WyI2SWo3dE0tYTVpVlBHYm9TNXRtdlZBIiwg ImVtYWlsIiwgImpvaG5kb2VAZXhhbXBsZS5jb20iXQ~WyJlSThaV205UW5LUHBOUGVOZ W5IZGhRIiwgInBob25lX251bWJlciIsICIrMS0yMDItNTU1LTAxMDEiXQ~WyJRZ19PNj R6cUF4ZTQxMmExMDhpcm9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIj EyMyBNYWluIFN0IiwgImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueX N0YXRlIiwgImNvdW50cnkiOiAiVVMifV0~WyJBSngtMDk1VlBycFR0TjRRTU9xUk9BIi wgImJpcnRoZGF0ZSIsICIxOTQwLTAxLTAxIl0~WyJQYzMzSk0yTGNoY1VfbEhnZ3ZfdW ZRIiwgImlzX292ZXJfMTgiLCB0cnVlXQ~WyJHMDJOU3JRZmpGWFE3SW8wOXN5YWpBIiw gImlzX292ZXJfMjEiLCB0cnVlXQ~WyJsa2x4RjVqTVlsR1RQVW92TU5JdkNBIiwgImlz X292ZXJfNjUiLCB0cnVlXQ~¶
The recipient of the SD-JWT VC MUST process and verify an SD-JWT VC as follows:¶
iss
claim in the SD-JWT MAY be used to retrieve the public
key from the JWT Issuer Metadata configuration (as defined in
Section 5) of the SD-JWT VC issuer. A Verifier MAY use alternative
methods to obtain the public key to verify the signature of the SD-JWT.
If there are no selectively disclosable claims, there is no need to process the
_sd
claim nor any Disclosures.¶
status
is present in the verified payload of the SD-JWT,
the status SHOULD be checked. It depends on the Verifier policy to reject or
accept a presentation of a SD-JWT VC based on the status of the Verifiable
Credential.¶
Any claims used that are not understood MUST be ignored.¶
Additional validation rules MAY apply, but their use is out of the scope of this specification.¶
This specification defines the JWT Issuer Metadata to retrieve the JWT Issuer
Metadata configuration of the JWT Issuer of the JWT. The JWT Issuer is
identified by the iss
claim in the JWT. Use of the JWT Issuer Metadata
is OPTIONAL.¶
JWT Issuers publishing JWT Issuer Metadata MUST make a JWT Issuer Metadata
configuration available at the path formed by concatenating the string
/.well-known/jwt-issuer
to the iss
claim value in the JWT. The iss
MUST
be a case-sensitive URL using the HTTPS scheme that contains scheme, host and,
optionally, port number and path components, but no query or fragment
components.¶
A JWT Issuer Metadata configuration MUST be queried using an HTTP GET
request
at the path defined in Section 5.¶
The following is a non-normative example of a HTTP request for the JWT Issuer
Metadata configuration when iss
is set to https://example.com
:¶
GET /.well-known/jwt-issuer HTTP/1.1 Host: example.com¶
If the iss
value contains a path component, any terminating /
MUST be
removed before inserting /.well-known/
and the well-known URI suffix
between the host component and the path component.¶
The following is a non-normative example of a HTTP request for the JWT Issuer
Metadata configuration when iss
is set to https://example.com/user/1234
:¶
GET /.well-known/jwt-issuer/user/1234 HTTP/1.1 Host: example.com¶
A successful response MUST use the 200 OK HTTP
and return the JWT Issuer
Metadata configuration using the application/json
content type.¶
An error response uses the applicable HTTP status code value.¶
This specification defines the following JWT Issuer Metadata configuration parameters:¶
issuer
REQUIRED. The JWT Issuer identifier, which MUST be identical to the iss
value in the JWT.¶
jwks_uri
¶
jwks
¶
JWT Issuer Metadata MUST include either jwks_uri
or jwks
in their JWT
Issuer Metadata, but not both.¶
It is RECOMMENDED that the JWT contains a kid
JWT header parameter that can
be used to lookup the public key in the JWK Set included by value or referenced
in the JWT Issuer Metadata.¶
The following is a non-normative example of a JWT Issuer Metadata configuration
including jwks
:¶
{ "issuer":"https://example.com", "jwks":{ "keys":[ { "kid":"doc-signer-05-25-2022", "e":"AQAB", "n":"nj3YJwsLUFl9BmpAbkOswCNVx17Eh9wMO-_AReZwBqfaWFcfG HrZXsIV2VMCNVNU8Tpb4obUaSXcRcQ-VMsfQPJm9IzgtRdAY8NN8Xb7PEcYyk lBjvTtuPbpzIaqyiUepzUXNDFuAOOkrIol3WmflPUUgMKULBN0EUd1fpOD70p RM0rlp_gg_WNUKoW1V-3keYUJoXH9NztEDm_D2MQXj9eGOJJ8yPgGL8PAZMLe 2R7jb9TxOCPDED7tY_TU4nFPlxptw59A42mldEmViXsKQt60s1SLboazxFKve qXC_jpLUt22OC6GUG63p-REw-ZOr3r845z50wMuzifQrMI9bQ", "kty":"RSA" } ] } }¶
The following is a non-normative example of a JWT Issuer Metadata
configuration including jwks_uri
:¶
{ "issuer":"https://example.com", "jwks_uri":"https://jwt-issuer.example.org/my_public_keys.jwks" }¶
Additional JWT Issuer Metadata configuration parameters MAY also be used.¶
The issuer
value returned MUST be identical to the iss
value of the JWT. If
these values are not identical, the data contained in the response MUST NOT be
used.¶
This section defines encoding, validation and processing rules for presentations of SD-JWT VCs.¶
A presentation of an SD-JWT VC MUST be encoded using the SD-JWT Combined Format for Presentation as defined in Section 5.4. of [I-D.ietf-oauth-selective-disclosure-jwt].¶
A presentation of an SD-JWT VC MAY contain a Key Binding JWT as described in Section 5.4.1. of [I-D.ietf-oauth-selective-disclosure-jwt].¶
When there are no selectively disclosable claims, a presentation of SD-JWT VC does not contain any Disclosures.¶
If the presentation of the SD-JWT VC includes a Key Binding JWT, the following claims are used within the Key Binding JWT:¶
nonce
¶
nonce
values used to prevent attackers from
guessing values.¶
aud
¶
iat
¶
exp
¶
The Key Binding JWT MAY include addtional claims which when not understood MUST be ignored.¶
The following is a non-normative example of a presentation of the SD-JWT shown above including a Key Binding JWT:¶
eyJhbGciOiAiRVMyNTYifQ.eyJfc2QiOiBbIjA5dktySk1PbHlUV00wc2pwdV9wZE9CV kJRMk0xeTNLaHBINTE1blhrcFkiLCAiMnJzakdiYUMwa3k4bVQwcEpyUGlvV1RxMF9kY Xcxc1g3NnBvVWxnQ3diSSIsICJFa084ZGhXMGRIRUpidlVIbEVfVkNldUM5dVJFTE9pZ UxaaGg3WGJVVHRBIiwgIklsRHpJS2VpWmREd3BxcEs2WmZieXBoRnZ6NUZnbldhLXNON ndxUVhDaXciLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQW WxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJI iwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAia mRyVEU4WWNiWTRFaWZ1Z2loaUFlX0JQZWt4SlFaSUNlaVVRd1k5UXF4SSIsICJqc3U5e VZ1bHdRUWxoRmxNXzNKbHpNYVNGemdsaFFHMERwZmF5UXdMVUs0Il0sICJpc3MiOiAia HR0cHM6Ly9leGFtcGxlLmNvbS9pc3N1ZXIiLCAiaWF0IjogMTY4MzAwMDAwMCwgImV4c CI6IDE4ODMwMDAwMDAsICJ0eXBlIjogIklkZW50aXR5Q3JlZGVudGlhbCIsICJfc2RfY WxnIjogInNoYS0yNTYiLCAiY25mIjogeyJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiO iAiUC0yNTYiLCAieCI6ICJUQ0FFUjE5WnZ1M09IRjRqNFc0dmZTVm9ISVAxSUxpbERsc zd2Q2VHZW1jIiwgInkiOiAiWnhqaVdXYlpNUUdIVldLVlE0aGJTSWlyc1ZmdWVjQ0U2d DRqVDlGMkhaUSJ9fX0.nIneu9ghAY_pjnfAczLZe80xN2Z-jjxs42MOx8UVZtCT4ACFV W8RMdBANSwjfRBD1Xag6vnayC6HUnBvkVWlMQ~WyJRZ19PNjR6cUF4ZTQxMmExMDhpcm 9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0IiwgIm xvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW50cn kiOiAiVVMifV0~eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImtiK2p3dCJ9.eyJub25jZ SI6ICIxMjM0NTY3ODkwIiwgImF1ZCI6ICJodHRwczovL2V4YW1wbGUuY29tL3Zlcmlma WVyIiwgImlhdCI6IDE2ODkwMTIzMzR9.3rROqnKkUNgiYfSwtmTXnXVMtSfb_RA2pVVv EclTihvi7MIZ-W_x3sVPVliJJIDdH4frgvxjxMWa__vCoTEbqQ¶
In this presentation, the Holder provides only the Disclosure for the claim
address
. Other claims are not disclosed to the Verifier.¶
The following example shows a presentation of a (different) SD-JWT without a Key Binding JWT:¶
eyJhbGciOiAiRVMyNTYifQ.eyJfc2QiOiBbIjA5dktySk1PbHlUV00wc2pwdV9wZE9CV kJRMk0xeTNLaHBINTE1blhrcFkiLCAiMnJzakdiYUMwa3k4bVQwcEpyUGlvV1RxMF9kY Xcxc1g3NnBvVWxnQ3diSSIsICJFa084ZGhXMGRIRUpidlVIbEVfVkNldUM5dVJFTE9pZ UxaaGg3WGJVVHRBIiwgIklsRHpJS2VpWmREd3BxcEs2WmZieXBoRnZ6NUZnbldhLXNON ndxUVhDaXciLCAiSnpZakg0c3ZsaUgwUjNQeUVNZmVadTZKdDY5dTVxZWhabzdGN0VQW WxTRSIsICJQb3JGYnBLdVZ1Nnh5bUphZ3ZrRnNGWEFiUm9jMkpHbEFVQTJCQTRvN2NJI iwgIlRHZjRvTGJnd2Q1SlFhSHlLVlFaVTlVZEdFMHc1cnREc3JaemZVYW9tTG8iLCAia mRyVEU4WWNiWTRFaWZ1Z2loaUFlX0JQZWt4SlFaSUNlaVVRd1k5UXF4SSIsICJqc3U5e VZ1bHdRUWxoRmxNXzNKbHpNYVNGemdsaFFHMERwZmF5UXdMVUs0Il0sICJpc3MiOiAia HR0cHM6Ly9leGFtcGxlLmNvbS9pc3N1ZXIiLCAiaWF0IjogMTY4MzAwMDAwMCwgImV4c CI6IDE4ODMwMDAwMDAsICJ0eXBlIjogIklkZW50aXR5Q3JlZGVudGlhbCIsICJfc2RfY WxnIjogInNoYS0yNTYifQ.gew2qB8_rJxmckdiQ8S_VE-GouPs2XE5q3NdfAeh6QdZ20 qQrXZNIEvUwAX4rSPvE9UfD_D2zZgYgS3EdQPkQg~WyJRZ19PNjR6cUF4ZTQxMmExMDh pcm9BIiwgImFkZHJlc3MiLCB7InN0cmVldF9hZGRyZXNzIjogIjEyMyBNYWluIFN0Iiw gImxvY2FsaXR5IjogIkFueXRvd24iLCAicmVnaW9uIjogIkFueXN0YXRlIiwgImNvdW5 0cnkiOiAiVVMifV0~¶
The Verifier MUST process and verify a presentation of SD-JWT VC as follows:¶
cnf
claim of the SD-JWT MUST be used.¶
TBD: Verifier provided nonce
.¶
TBD: Holder provided nonce via jti
.¶
Claim Name: "type"¶
The Internet media type for a SD-JWT VC is application/vc+sd-jwt
.¶
Type name: : application
¶
Subtype name: : vc+sd-jwt
¶
Required parameters: : n/a¶
Optional parameters: : n/a¶
Encoding considerations: : 8-bit code points; SD-JWT VC values are encoded as a series of base64url-encoded values (some of which may be the empty string) separated by period ('.') and tilde ('~') characters.¶
Security considerations: : See Security Considerations in Section 7.¶
Interoperability considerations: : n/a¶
We would like to thank Alen Horvat, Andres Uribe, Brian Campbell, Christian Bormann, Giuseppe De Marco, Michael Jones, Mike Prorock, Orie Steele, Paul Bastian, Torsten Lodderstedt, Tobias Looker, and Kristina Yasuda for their contributions (some of which substantial) to this draft and to the initial set of implementations.¶