From ee4139d0904f2c7be7e42f7adfb5e0ebcd8d5887 Mon Sep 17 00:00:00 2001 From: David Chadwick Date: Sun, 31 Dec 2023 15:20:21 +0000 Subject: [PATCH] Improving explanation of SD-JWT This adds clarifying text and further describes example 1 to the reader --- index.html | 58 ++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 52 insertions(+), 6 deletions(-) diff --git a/index.html b/index.html index 2987eeb..a62f1ff 100644 --- a/index.html +++ b/index.html @@ -194,7 +194,7 @@

Terminology

Securing the VC Data Model

This section outlines how to secure documents conforming - to [[VC-DATA-MODEL-2.0]] using JOSE and COSE. + to [[VC-DATA-MODEL-2.0]] using SD-JWT and COSE.

Documents conforming to [[VC-DATA-MODEL-2.0]], @@ -223,16 +223,17 @@

Securing the VC Data Model

If implementations do not know which media type to use, media types defined in this specification MUST be used.

-

With JOSE

+

With SD-JWT

-

Securing JSON-LD Verifiable Credentials with JOSE

+

Securing JSON-LD Verifiable Credentials with SD-JWT

- This section details how to use JOSE to secure verifiable credentials conforming + This section details how to use SD-JWT to secure verifiable credentials conforming to [[VC-DATA-MODEL-2.0]].

- [[RFC7515]] MAY be used to secure this media type. - The typ header parameter SHOULD be vc+ld+json+sd-jwt. + [[SD-JWT]] MAY be used to secure this media type. + The typ header parameter SHOULD be vc+ld+json+sd-jwt. See + Explicit Typing. When present, the cty header parameter SHOULD be vc+ld+json. See Registered Header Parameter Names for additional details regarding usage of typ and @@ -265,6 +266,51 @@

Securing JSON-LD Verifiable Credentials with JOSE

} } +NOTE TO EDITORS. Please leave the example from the Latest Published Version here as is. +

+ Example 1 depicts a simple alumni verifiable credential. +

+NOTE TO EDITORS. Please insert the 5 tabbed example from the editors draft here. +

+ The tab labelled "Committed" indicates that the properties id, type, + credentialSchema.id, credentialSchema.type, + credentialSubject.id and credentialSubject.degree.type + will be selectively disclosable. The properties @context, issuer, + validFrom and credentialSubject.degree.name will always be disclosed. +

+ +

+ The tab labelled "Issued" depicts the SD-JWT that the issuer has produced for the holder. + It contains the JWT header (in red), the JWT body (in green), the JWT signature (in blue) and + six disclosures (in purple), one disclosure for each of the !sd properties in the + Committed tab. The JWT body contains the contents of the Committed tab with the six !sd + properties replaced by their hashed equivalents. It also contains the _sd_alg, + iss, iat, exp and cnf properties, the latter + holding the public key of the holder. +

+ +

+ The tab labelled "Disclosed" contains....?? It is unclear what this represents since it has two id + fields set to False. This explanation needs adding please. +

+ +

+ The tab labelled "Presented" contains the SD-JWT that the holder presents to the verifier. This + contains the SD-JWT that was originally issued by the issuer, except that only four of the original 6 + disclosures are presented. The credentialSubject.id and credentialSchema.id + disclosures have been omitted from the presentation. In addition the last component, after the final + tilde ('~'), contains a key binding JWT for the holder. This allows the verifier to confirm that the + SD-JWT was issued to the holder. +

+ +NOTE. The key binding JWT is not conformant to the latest SD-JWT specification as it omits the mandatory sd_hash property. + +

+ The tab labelled "Verified" depicts the presented SD-JWT after the verifier has verified the key + binding JWT and disclosed the four presented disclosures. The cnf property is the public + key of the holder. +

+

See for more details regarding this example.
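Review bot: in the first hunk (`@@ -194,7 +194,7 @@`), the overview sentence for the whole `Securing the VC Data Model` section now names only SD-JWT and COSE; if plain JWS/JOSE securing is still defined elsewhere in the document, this sentence understates the spec's scope and should read `using JOSE, SD-JWT and COSE` rather than swapping one mechanism for the other. If the intent really is that JOSE is no longer a securing mechanism, that is a scope change and belongs in the commit message, which only says the patch clarifies the SD-JWT explanation.

Review bot: in the second hunk (`@@ -223,16 +223,17 @@`), the normative reference changes from `[[RFC7515]]` to `[[SD-JWT]]` but nothing in the patch adds an `SD-JWT` bibliography entry; confirm that key resolves in the document's reference list or the citation will render unresolved. Since an SD-JWT is a JWS with disclosures appended, keeping `[[RFC7515]]` alongside `[[SD-JWT]]` would also be more accurate than replacing it. The two changed `section` lines at the top of the hunk carry no visible content after extraction, so check whether the section `id` attributes were renamed together with the headings; if they were, every fragment link to them (including the `See ... for more details regarding this example` reference at the end of the third hunk) must be updated. The new `See Explicit Typing` link target also does not survive extraction; it should point at the explicit-typing section of the SD-JWT draft, which is where the `vc+ld+json+sd-jwt` `typ` recommendation comes from.

Review bot: in the third hunk (`@@ -265,6 +266,51 @@`), the paragraph for the `Disclosed` tab is an open question (`contains....?? It is unclear what this represents`) and the two `NOTE TO EDITORS` lines are plain text in the spec body, so merging as-is would publish placeholder text; either resolve them before merge or wrap them in the document's editorial-issue markup so they cannot reach a published draft. The note that the key binding JWT `omits the mandatory sd_hash property` records a known nonconformance instead of fixing it: regenerate the `Presented` and `Verified` examples so the KB-JWT carries `sd_hash` (the digest over the issuer-signed JWT plus the four presented disclosures, which is what binds the key binding JWT to exactly that presentation), rather than describing a non-conformant artefact as the reference example. Minor: `four of the original 6` mixes numerals and words, and `disclosed the four presented disclosures` in the `Verified` paragraph presumably means the verifier has applied them, i.e. hashed each disclosure, matched it against an `_sd` digest and substituted the plaintext claim into the payload; say that explicitly.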