[Openid-specs-ab] Issue #1238: Requesting Verifiable Presentation (openid/connect)

David Chadwick issues-reply at bitbucket.org
Tue May 18 17:30:29 UTC 2021

New issue 1238: Requesting Verifiable Presentation

David Chadwick:

Relying parties can have quite complex needs in terms of the VCs/claims they require to be inserted in a VP. The current document only has a simplistic way of requesting claims. For example, it does not allow for disjunctive claim requests but only conjunctive ones. Furthermore, if the RP's requirements are sent privately in the OIDC protocol between the RP and OP, there is no guarantee that this request will conform to privacy legislation such as GDPR. For these reasons I would like to request the option of sending a pointer to a public policy server where RPs can store their policies. This has a number of advantages such as:

i) the same policy can be referred to by multiple RPs, e.g. a policy for entering all the nightclubs in a region or country

ii) the ICO can inspect RPs' published policies to see that they are compliant with legal requirements

iii) this stops unscrupulous RPs sending a privacy-revealing policy to an OP but notifying the ICO of a different, more privacy-protecting one.

iv) it allows more complex policies to be specified according to need, e.g. the policy store could hold a DIF PE policy or another policy format defined by a federation of users.

This feature can be enabled by introducing a new property "credential_policy" as an alternative to "credential_types", where "credential_policy" is defined as

    "credential_policy": {
        "policyURL": "<url of public policy server>",
        "policyMatch": {
            "any": "definedPolicyMatchingObject"
        }
    }

The policy match could be a simple "type" with any string value, e.g. "type":"my resource policy" or it could be an "action" on a "resource" e.g. {"action":"enter", "resource":"nightclub"}.
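An added example, not part of the original post or of any OpenID specification: a sketch of how an OP might check an incoming request that uses the proposed "credential_policy" property before fetching anything from the policy server. The function name, the error class, the trusted-host allowlist and the host `policy.example.org` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the OP is configured with the policy servers it will contact.
TRUSTED_POLICY_HOSTS = {"policy.example.org"}  # constructed value


class PolicyRequestError(ValueError):
    """Raised when a credential request is malformed or untrusted."""


def _is_str_map(obj, keys):
    return set(obj) == keys and all(isinstance(obj[k], str) and obj[k] for k in keys)


def validate_credential_request(req):
    """Hypothetical OP-side check; returns a normalized request or raises."""
    # The post makes credential_policy an alternative to credential_types,
    # so exactly one of the two must be present.
    if ("credential_types" in req) == ("credential_policy" in req):
        raise PolicyRequestError("need exactly one of credential_types/credential_policy")
    if "credential_types" in req:
        return {"mode": "types", "credential_types": req["credential_types"]}

    policy = req["credential_policy"]
    if not isinstance(policy, dict) or set(policy) != {"policyURL", "policyMatch"}:
        raise PolicyRequestError("credential_policy needs policyURL and policyMatch")
    url, match = policy["policyURL"], policy["policyMatch"]
    if not isinstance(url, str) or not isinstance(match, dict):
        raise PolicyRequestError("wrong types in credential_policy")

    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        raise PolicyRequestError("unparseable policyURL") from exc
    # Fetch only over TLS, from a known host, with no embedded credentials.
    if parts.scheme != "https" or parts.username or parts.password:
        raise PolicyRequestError("policyURL must be https without userinfo")
    if host not in TRUSTED_POLICY_HOSTS:
        raise PolicyRequestError("policy server not trusted: %r" % host)

    # The two policyMatch shapes the post mentions; other shapes are rejected here.
    if not (_is_str_map(match, {"type"}) or _is_str_map(match, {"action", "resource"})):
        raise PolicyRequestError("unsupported policyMatch")
    return {"mode": "policy", "policyURL": url, "policyMatch": dict(match)}
```

The allowlist keeps an RP-supplied policyURL from steering the OP's outbound fetch to an arbitrary or internal host.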
