1 | 1 | %%% |
2 | | -title = "OpenID for Verifiable Presentations - Editor's draft" |
| 2 | +title = "OpenID for Verifiable Presentations" |
3 | 3 | abbrev = "openid-4-vp" |
4 | 4 | ipr = "none" |
5 | 5 | workgroup = "OpenID Digital Credentials Protocols" |
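Review bot: dropping "Editor's draft" from `title` leaves nothing in this front-matter hunk that tells a reader which revision of the text they hold; the Errata revisions section added later in this patch carries that information for the rendered document, so make sure any version or date field in the front matter (not visible in this hunk) is updated in the same commit, otherwise the two will drift apart on the next errata release.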
@@ -73,6 +73,10 @@ Additionally, it defines how to use OpenID4VP in conjunction with the Digital Cr |
73 | 73 | * Tobias Looker (MATTR) |
74 | 74 | * Adam Lemmon (MATTR) |
75 | 75 |
|
| 76 | +## Errata revisions |
| 77 | + |
| 78 | +The latest revision of this specification, incorporating any errata updates, is published at [openid-4-verifiable-presentations-1_0](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html). The text of the final specification as approved will always be available at [openid-4-verifiable-presentations-1_0-final](https://openid.net/specs/openid-4-verifiable-presentations-1_0-final.html). When referring to this specification from other documents, it is recommended to reference [openid-4-verifiable-presentations-1_0](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html). |
| 79 | + |
76 | 80 | ## Requirements Notation and Conventions |
77 | 81 |
|
78 | 82 | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [@!RFC2119] [@!RFC8174] when, and only when, they appear in all capitals, as shown here. |
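Review bot: the new paragraph recommends citing the errata-incorporating URL (`openid-4-verifiable-presentations-1_0.html`), which by its own description is a moving target, while the `-final` URL is the immutable one; for implementers and security reviewers who need a fixed snapshot (conformance claims, threat assessments), the text should say when the `-final` link is the right one to cite rather than only recommending the mutable link. Also, the whole section body is a single very long source line; splitting it one sentence per line would make future errata diffs reviewable.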
@@ -3555,245 +3559,3 @@ Copyright (c) 2025 The OpenID Foundation. |
3555 | 3559 | The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft, Final Specification, or Final Specification Incorporating Errata Corrections solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts, Final Specifications, and Final Specification Incorporating Errata Corrections based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF. |
3556 | 3560 |
|
3557 | 3561 | The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy (found at openid.net) requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. OpenID invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification. |
3558 | | - |
3559 | | -# Document History |
3560 | | - |
3561 | | - [[ To be removed from the final specification ]] |
3562 | | - |
3563 | | - -30 |
3564 | | - |
3565 | | - * TBC |
3566 | | - |
3567 | | - -29 |
3568 | | - |
3569 | | - * define mdoc session transcript for redirect-based oid4vp flow |
3570 | | - * rename `verifier_attestations` parameter name to `verifier_info` |
3571 | | - * make the `meta` parameter mandatory in DCQL query |
3572 | | - * explicitly state that various arrays need to be non-empty |
3573 | | - * clarify text about how encryption keys are obtained |
3574 | | - * clarify how hashing works in transaction_data_hashes |
3575 | | - * rework & expand privacy considerations section |
3576 | | - * capitalize use of defined terms more consistently |
3577 | | - * relax language in some cases that required wallets to always perform signature verification |
3578 | | - * fix language implying `verifier_attestations` was mandatory |
3579 | | - * try to make it clearer that direct_post.jwt builds on top of direct_post |
3580 | | - * update pre-final specs section |
3581 | | - * add IANA considerations for `encrypted_response_enc_values_supported` |
3582 | | - * remove now unused reference to JARM |
3583 | | - * move `verifier_attestations` IANA consideration to correct section |
3584 | | - * fix title in 23220-2 ref |
3585 | | - * add example of response encryption |
3586 | | - * remove reference to CBOR encoding the OpenID4VPDCAPIHandoverInfo thumbprint |
3587 | | - * fixed reference for DC API single/multi sign requests and made it clear what the protocol identifier is |
3588 | | - * fix type_values example in W3C Verifiable Credential section |
3589 | | - * fix an example that used now removed jwt_vp and ldp_vp |
3590 | | - * fix description of invalid_request error |
3591 | | - * add note that cross-device flow diagram doesn't show all parameters |
3592 | | - * additions to & typo fixed in acknowledgements |
3593 | | - |
3594 | | - -28 |
3595 | | - |
3596 | | - * rename `issuer_signed_alg_values` and `device_signed_alg_values` and add support for HMAC variants |
3597 | | - * Replace the JARM `authorization_encrypted_response_enc` with a new `encrypted_response_enc_values_supported` that allows the client to specify an array of acceptable `enc` values for the JWE |
3598 | | - |
3599 | | - -27 |
3600 | | - |
3601 | | - * rename `vp_formats` to `vp_formats_supported` in Verifier Metadata |
3602 | | - * update the `vp_formats_supported` metadata to always be format specific, and explicitly define the structure for `mso_mdoc`, `jwt_vc_json` and `ldp_vc`. |
3603 | | - * require fully-specified COSE and JOSE algorithms for `mso_mdoc` and `dc+sd-jwt` formats in `vp_formats_supported` metadata |
3604 | | - * remove AnonCreds for now as we're lacking implementation experience |
3605 | | - * clarify that client identifier prefix specific parameters go in the header in multi RP DC API requests |
3606 | | - * wallets must verify `expected_origins` in signed requested over the Digital Credentials API |
3607 | | - * add "SD-JWT VCLD" section to SD-JWT VC Credential Format appendix |
3608 | | - * clarify rules around rejecting presentations that fail checks |
3609 | | - * remove references to ISO 18013-7 due it referencing an older version of the VP specification |
3610 | | - * specify value matching for mdocs via a reference to cbor-to-json |
3611 | | - |
3612 | | - -26 |
3613 | | - |
3614 | | - * add SD-JWT VCDM (now called SD-JWT VC LD) |
3615 | | - * add `verifier_attestations` to list of authorization parameters |
3616 | | - * renamed "Client ID Scheme" to "Client Identifier Prefix", and updated metadata (`client_id_prefixes_supported`) and an example `error_description` to match |
3617 | | - * add note that `iss` must be ignored if present in the request object |
3618 | | - * added security considerations for value matching in DCQL |
3619 | | - * require `kid` in JWE response header if present in client_metadata `jwks` |
3620 | | - * added some more (non-exhaustive) privacy considerations with pointers to SD-JWT and OpenID4VCI |
3621 | | - * add implementation consideration about pre-final specs |
3622 | | - * remove DIF Presentation Exchange as a query language option |
3623 | | - * Changes in the DCQL query parameters specific to W3C VCs and AnonCreds |
3624 | | - * Introduce ability to present without key binding, including a new parameter `require_cryptographic_holder_binding` in the Credential Query |
3625 | | - * Adapt usage of "Verifiable Presentation" to only refer to Presentations with Holder Binding and "Presentation" to refer to all types of credential presentations |
3626 | | - * change the identifier for the ETSI trusted list `trusted_authorities` entry from `openid_fed` to `openid_federation` |
3627 | | - * change openid_fed to openid_federation for Trusted Authorities Query |
3628 | | - * remove JARM and response signing, using JWT directly for unsigned, encrypted responses, including changes to allow the client to indicate a set of acceptable `alg` values for the JWE using the `alg` value in the JWKS instead of the JARM `authorization_encrypted_response_alg` |
3629 | | - * make consistent the use of prefixes in the client_id prefixing, defining new `openid_federation:` and `decentralized_identifier:` prefixes |
3630 | | - * fix nonce computation for AnonCreds |
3631 | | - * For w3c vc, DCQL `type_values` now matches against expanded type values |
3632 | | - * For ISO mdoc, `doctype_value` is now mandatory in DCQL query `meta` parameter |
3633 | | - * For SD-JWT VC, `vct_values` is now mandatory in DCQL query `meta` parameter |
3634 | | - * For W3C VC, `type_values` is now mandatory in DCQL query `meta` parameter |
3635 | | - * `purpose` element removed from DCQL `credential_sets` |
3636 | | - * Add new DC API `openid4vp-v1-multisigned` protocol identifier for requests with JWS JSON Serialization |
3637 | | - * Remove incorrect requirement for automatic registration when using OpenID Federation |
3638 | | - * Change DCQL processing rules to allow the same credential to fulfil different queries |
3639 | | - * Update specification to make DC API consistent with the rest of the specification |
3640 | | - |
3641 | | - -25 |
3642 | | - |
3643 | | - * clarify value matching in DCQL |
3644 | | - * clarify why requests using redirect_uri scheme cannot be signed |
3645 | | - * add `trusted_authorities` to DCQL |
3646 | | - * add note introducing cbor and cddl |
3647 | | - * clarify DCQL case of `claims` and `claim_sets` being absent |
3648 | | - * add language on client ID and nonce binding for ISO mdocs and W3C VCs |
3649 | | - * for DC API, always use Origin for binding the response (e.g. in Key Binding JWT `aud` and sessionTranscript in mdoc) |
3650 | | - * clarify the behavior is not to sign when authorization_signed_response_alg is omitted |
3651 | | - * add a note on the use of apu/apv in the JWE header of encrypted responses |
3652 | | - * add x509_hash client identifier scheme |
3653 | | - * remove x509_san_uri client identifier scheme |
3654 | | - * clarify that `dcql_query` and `presentation_definition` are passed as JSON objects (not strings) in request objects |
3655 | | - * support returning multiple presentations for a single dcql credential query when requested using `multiple` |
3656 | | - * Added support for multiple Client Identifiers and corresponding Request Signature to the DC API profile |
3657 | | - |
3658 | | - -24 |
3659 | | - |
3660 | | - * add mdoc specific `intent_to_retain` mechanism, using the definition from 18013-5 |
3661 | | - * require `typ` value in request object to be `oauth-authz-req+jwt` |
3662 | | - * add `SessionTranscript` requirements |
3663 | | - * use claims path pointer for mdoc based credentials |
3664 | | - |
3665 | | - -23 |
3666 | | - |
3667 | | - * fixed percent-encoding of URI examples |
3668 | | - * fixed an example that used 'client' where 'wallet' is more appropriate |
3669 | | - * make SIOP example request/response consistent with each other |
3670 | | - * make example request and example SD-JWT key binding JWT consistent |
3671 | | - * add note that there are a choice of encryption JWE algorithms available, including the HPKE draft |
3672 | | - * add `transaction_data` & `dcql_query` to list of allowed parameters in W3C Digital Credentials API appendix |
3673 | | - * change Credential Format Identifier `vc+sd-jwt` to `dc+sd-jwt` to align with the media type in draft -06 of [@I-D.ietf-oauth-sd-jwt-vc] and update `typ` accordingly in examples |
3674 | | - * remove references to the openid4vci credential format section |
3675 | | - * clarified what profiling OID4VP means |
3676 | | - * moved credential format specific DCQL parameters to the annex |
3677 | | - * generalized W3C Digital Credentials API references |
3678 | | - * changed response mode value for the OID4VP over the DC API |
3679 | | - * updated to PE ver 2.1.1 (used to be 2.0.0) |
3680 | | - |
3681 | | - -22 |
3682 | | - |
3683 | | - * Introduced the Digital Credentials Query Language |
3684 | | - * add transaction data mechanism |
3685 | | - * remove `client_id_scheme` and turn it into a prefix of the `client_id`; this addresses a security issue with the previous solution |
3686 | | - * Clarified what can go in the `client_metadata` parameter |
3687 | | - * Fixed #227: Enabled non-breaking extensibility. |
3688 | | - * Fixed #383: Completed IANA Considerations section. |
3689 | | - |
3690 | | - -21 |
3691 | | - |
3692 | | - * removed `client_metadata_uri` authorization parameter |
3693 | | - * added how OpenID4VP request/response can be used over the browser API |
3694 | | - * remove path_nested description from Response Parameters section and move it into W3C VC Annex |
3695 | | - * fix indentation of examples |
3696 | | - * added references to ISO/IEC 23220 and 18013 documents |
3697 | | - * added `post` request method for Request URI |
3698 | | - * Added IETF SD-JWT VC profile |
3699 | | - * Added `wallet_unavailable` error |
3700 | | - |
3701 | | - -20 |
3702 | | - |
3703 | | - * added "verifier_attestation" client id scheme value |
3704 | | - |
3705 | | - -19 |
3706 | | - |
3707 | | - * added "x509_san_uri" and "x509_san_dns" client id scheme value |
3708 | | - |
3709 | | - -18 |
3710 | | - |
3711 | | - * editorial update based on the 45 days review period prior to the Vote for proposed Second Implementer’s Draft |
3712 | | - |
3713 | | - -17 |
3714 | | - |
3715 | | - * direct_post response mode uses state to identify response |
3716 | | - * Added sequence diagrams for same and cross device flows to overview section |
3717 | | - |
3718 | | - -16 |
3719 | | - |
3720 | | - * Added `client_id_scheme` parameter |
3721 | | - * Defined that single VP Tokens must not use the array syntax for single Verifiable Presentations |
3722 | | - |
3723 | | - -15 |
3724 | | - |
3725 | | - * Added definition of VP Token |
3726 | | - * Editorial improvements for better readability (restructured request and response section, consistent terminology, and casing) |
3727 | | - |
3728 | | - -14 |
3729 | | - |
3730 | | - * added support for signed and encrypted authorization responses based on JARM |
3731 | | - * clarified response encoding for authorization responses |
3732 | | - * moved invocation/just-in-time client metadata exchange/AS Discovery sections from siopv2 to openid4vp |
3733 | | - |
3734 | | - -13 |
3735 | | - |
3736 | | - * added scope support |
3737 | | - |
3738 | | - -12 |
3739 | | - |
3740 | | - * add Cross-Device flow (using SIOP v2 text) |
3741 | | - * Added Client Metadata Section (based on SIOP v2 text) |
3742 | | - |
3743 | | - -11 |
3744 | | - |
3745 | | - * changed base protocol to OAuth 2.0 |
3746 | | - * consolidated the examples |
3747 | | - |
3748 | | - -10 |
3749 | | - |
3750 | | - * Added AnonCreds example |
3751 | | - * Added ISO mobile Driving License (mDL) example |
3752 | | - |
3753 | | - -09 |
3754 | | - |
3755 | | - * added support for passing presentation_definition by reference |
3756 | | - * added description how to request credential issued by a member of a federation |
3757 | | - |
3758 | | - -08 |
3759 | | - |
3760 | | - * reflected editorial comments received during pre-implementer's draft review period |
3761 | | - |
3762 | | - -07 |
3763 | | - |
3764 | | - * added text on other credential formats |
3765 | | - * fixed inconsistency in security consideration regarding nonce |
3766 | | - |
3767 | | - -06 |
3768 | | - |
3769 | | - * added additional security considerations |
3770 | | - * removed support for embedding Verifiable Presentations in ID Token or UserInfo response |
3771 | | - * migrated to Presentation Exchange 2.0 |
3772 | | - |
3773 | | - -05 |
3774 | | - |
3775 | | - * moved presentation submission parameters outside of Verifiable Presentations (ID Token or UserInfo) |
3776 | | - |
3777 | | - -04 |
3778 | | - |
3779 | | - * added presentation submission support |
3780 | | - * cleaned up examples to use `nonce` & `client_id` instead of `vp_hash` for replay detection |
3781 | | - * fixed further nits in examples |
3782 | | - * added and reworked references to other specifications |
3783 | | - |
3784 | | - -03 |
3785 | | - |
3786 | | - * aligned with SIOP v2 spec |
3787 | | - |
3788 | | - -02 |
3789 | | - |
3790 | | - * added `presentation_definition` as sub parameter of `verifiable_presentation` and VP Token |
3791 | | - |
3792 | | - -01 |
3793 | | - |
3794 | | - * adopted DIF Presentation Exchange request syntax |
3795 | | - * added security considerations regarding replay detection for Verifiable Credentials |
3796 | | - |
3797 | | - -00 |
3798 | | - |
3799 | | - * initial revision |
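Review bot: removing the whole Document History is consistent with its own "[[ To be removed from the final specification ]]" marker, but several entries record when security-relevant behaviour changed (for example -22 "remove `client_id_scheme` and turn it into a prefix of the `client_id`; this addresses a security issue with the previous solution", -27 "wallets must verify `expected_origins` in signed requested over the Digital Credentials API", -25 "for DC API, always use Origin for binding the response"), which implementers migrating from earlier drafts use to find the mitigations they are missing; consider keeping this list in a changelog outside the normative text (or a non-normative appendix) rather than deleting it outright. The "-30" entry was still "TBC" at the time of removal, so whatever replaces this history should record what actually changed in the last draft before final.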