Skip to content

add option to have signed Credential Issuer metadata, remove signed_metadata from Credential Issuer metadata #520

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

add option to have signed Credential Issuer metadata, remove signed_metadata from Credential Issuer metadata #520

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
532fe5d
add option to have signed Credential Issuer metadata, remove `signed_…
paulbastian May 27, 2025
80646b2
Update openid-4-verifiable-credential-issuance-1_0.md
paulbastian Jun 4, 2025
bb071cb
Update openid-4-verifiable-credential-issuance-1_0.md
paulbastian Jun 4, 2025
9897fcb
Update openid-4-verifiable-credential-issuance-1_0.md
paulbastian Jun 4, 2025
942d711
Update openid-4-verifiable-credential-issuance-1_0.md
paulbastian Jun 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 26 additions & 2 deletions openid-4-verifiable-credential-issuance-1_0.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1395,7 +1395,14 @@ Credential Issuers publishing metadata MUST make a JSON document available at th

Communication with the Credential Issuer Metadata Endpoint MUST utilize TLS.

To fetch the Credential Issuer Metadata, the requester MUST send an HTTP request using the GET method and the path formed following the steps above. The Credential Issuer MUST return a JSON document compliant with this specification using the `application/json` media type and the HTTP Status Code 200.
To fetch the Credential Issuer Metadata, the Wallet MUST send an HTTP request using the GET method and the path formed following the steps above. The Wallet is RECOMMENDED to send an `Accept` Header in the HTTP GET request to indicate whether it supports signed metadata.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To fetch the Credential Issuer Metadata, the Wallet MUST send an HTTP request using the GET method and the path formed following the steps above. The Wallet is RECOMMENDED to send an `Accept` Header in the HTTP GET request to indicate whether it supports signed metadata.
To fetch the Credential Issuer Metadata, the Wallet MUST send an HTTP request using the GET method and the path formed following the steps above. The Wallet is RECOMMENDED to send an `Accept` Header in the HTTP GET request to indicate the Content Type(s) it supports.

Copy link

@lj-raidiam lj-raidiam Jun 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To fetch the Credential Issuer Metadata, the Wallet MUST send an HTTP request using the GET method and the path formed following the steps above. The Wallet is RECOMMENDED to send an `Accept` Header in the HTTP GET request to indicate whether it supports signed metadata.
To fetch the Credential Issuer Metadata, the Wallet MUST send an HTTP request using the GET method and the path formed following the steps above. The Wallet is RECOMMENDED to send an `Accept` Header in the HTTP GET request to indicate the Content Type(s) it supports, and by doing so, signal whether it supports signed metadata.

@sloops77 I let myself improve it further. Saying straight that the mime type is used only determine wallet support for metadata is not ideal, but there's a value in keeping it explicit too.


The Credential Issuer MUST respond with HTTP Status Code 200 and return the Credential Issuer Metadata containing the [parameters defined in this specification](#credential-issuer-parameters) as either:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For interoperability, what are we normatively implying implementations must support, it would appear we are imply that all credential issuer implementations MUST support signed metadata or are we saying that only plain JSON MUST be supported and the client/wallet gets to decide what it wants to support?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The either to me implies that the issuer can choose. In the next section, it says the issuer may ignite the accept header and send whatever he likes, so to me it seems signed metadata is optional. That means wallets must support both.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Im not sure I support making signed metadata required for wallet/client implementations I'd prefer we only require them to support unsigned which is consistent with the equivalent feature in OAuth and OpenID connect.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wg discussion.

  • no normative requirement for the wallet to support this.
  • HAIP can mandate it.


* an unsigned JSON document using the media type `application/json`
* a signed JSON Web Token (JWT) containing the Credential Issuer Metadata in its payload using the media type `application/jwt`

The Credential Issuer MAY ignore the `Accept` Header. It MUST indicate the type of the returned Credential Issuer Metadata using the HTTP `Content-Type`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The Credential Issuer MAY ignore the `Accept` Header. It MUST indicate the type of the returned Credential Issuer Metadata using the HTTP `Content-Type`.
The Credential Issuer MAY ignore the `Accept` Header. If the Credential Issuer receives a request with an `Accept` header set to both media types then it SHOULD respond with a signed metadata format if possible (ie. `applicaiton/jwt`). It MUST indicate the type of the returned Credential Issuer Metadata using the HTTP `Content-Type`.


The Wallet is RECOMMENDED to send an `Accept-Language` Header in the HTTP GET request to indicate the language(s) preferred for display. It is up to the Credential Issuer whether to:

Expand All @@ -1412,6 +1419,22 @@ Host: server.example.com
Accept-Language: fr-ch, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5
```

### Signed Metadata

The signed metadata MUST be secured using a JSON Web Signature (JWS) [@!RFC7515] and contain the following elements:

* in the JOSE header,
* `alg`: REQUIRED. A digital signature algorithm identifier such as per IANA "JSON Web Signature and Encryption Algorithms" registry [@IANA.JOSE]. It MUST NOT be `none` or an identifier for a symmetric algorithm (MAC).
* `typ`: REQUIRED. MUST be `key-attestation+jwt`, which explicitly types the key proof JWT as recommended in Section 3.11 of [@!RFC8725].

* in the JWT body,
* `iss`: OPTIONAL. String denoting the party attesting to the claims in the signed metadata
* `sub`: REQUIRED. String matching the Credential Issuer identifier
* `iat`: REQUIRED. Integer for the time at which the Credential Issuer Metadata was issued using the syntax defined in [@!RFC7519].
* `exp`: OPTIONAL. Integer for the time at which the Credential Issuer Metadata is expiring, using the syntax defined in [@!RFC7519].

The Wallet SHOULD establish trust in the signer of the metadata, and obtain the keys to validate the signature before processing the metadata, e.g. using JOSE header parameters like `x5c`, `kid` or `trust_chain` to convey the public key. The concrete mechanisms how to do that are out of scope of this specification.

### Credential Issuer Metadata Parameters {#credential-issuer-parameters}

This specification defines the following Credential Issuer Metadata parameters:
Expand All @@ -1428,7 +1451,6 @@ This specification defines the following Credential Issuer Metadata parameters:
* `encryption_required`: REQUIRED. Boolean value specifying whether the Credential Issuer requires the additional encryption on top of TLS for the Credential Response. If the value is `true`, the Credential Issuer requires encryption for every Credential Response and therefore the Wallet MUST provide encryption keys in the Credential Request. If the value is `false`, the Wallet MAY choose whether it provides encryption keys or not.
* `batch_credential_issuance`: OPTIONAL. Object containing information about the Credential Issuer's supports for batch issuance of Credentials on the Credential Endpoint. The presence of this parameter means that the issuer supports more than one key proof in the `proofs` parameter in the Credential Request so can issue more than one Verifiable Credential for the same Credential Dataset in a single request/response.
* `batch_size`: REQUIRED. Integer value specifying the maximum array size for the `proofs` parameter in a Credential Request.
* `signed_metadata`: OPTIONAL. String that is a signed JWT. This JWT contains Credential Issuer metadata parameters as claims. The signed metadata MUST be secured using JSON Web Signature (JWS) [@!RFC7515] and MUST contain an `iat` (Issued At) claim, an `iss` (Issuer) claim denoting the party attesting to the claims in the signed metadata, and `sub` (Subject) claim matching the Credential Issuer identifier. If the Wallet supports signed metadata, metadata values conveyed in the signed JWT MUST take precedence over the corresponding values conveyed using plain JSON elements. If the Credential Issuer wants to enforce use of signed metadata, it omits the respective metadata parameters from the unsigned part of the Credential Issuer metadata. A `signed_metadata` metadata value MUST NOT appear as a claim in the JWT. The Wallet MUST establish trust in the signer of the metadata, and obtain the keys to validate the signature before processing the metadata. The concrete mechanism how to do that is out of scope of this specification and MAY be defined in the profiles of this specification.
* `display`: OPTIONAL. A non-empty array of objects, where each object contains display properties of a Credential Issuer for a certain language. Below is a non-exhaustive list of valid parameters that MAY be included:
* `name`: OPTIONAL. String value of a display name for the Credential Issuer.
* `locale`: OPTIONAL. String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [@!RFC5646]. There MUST be only one object for each language identifier.
Expand Down Expand Up @@ -2750,6 +2772,8 @@ The technology described in this specification was made available from contribut

-16

* Add option to have signed Credential Issuer metadata
* Remove `signed_metadata` from Credential Issuer metadata
* Adds an option to return DPoP Nonce from the Nonce Endpoint
* Change Cryptographic Holder Binding to Cryptographic Key Binding
* add privacy considerations for the client_id used with wallet attestations
Expand Down