[Openid-specs-ab] Issue #1341: Requesting credentials issued by a federation member (openid/connect)

David Chadwick issues-reply at bitbucket.org
Thu Sep 23 15:21:21 UTC 2021

New issue 1341: Requesting credentials issued by a federation member

David Chadwick:

The current way of requesting a credential from a specific issuer is to request a match on the issuer property. But what if the RP wants a credential that is issued by any issuer that is a member of a specific federation (or trust network), e.g. a member of EduRoam? There should be a standard way of requesting this. In the eSSIF TRAIN project we have enabled this in the following way. The Issuer creates a Terms of Use object (which is a standard property from the W3C VC specification) indicating which federation it is a member of. On receipt of this credential, the RP asks the federation operator if the issuer of this credential really is a member of this federation, and if it is, the VC satisfies its policy requirement.

If the group likes this solution, then we would need to document the current best practice for using the Terms of Use property for specifying federation membership. Note that the ToU property is used in general by the Issuer to place any type of constraint on the use of the issued credential. A verifier is free to follow or to ignore the ToU but in the latter case they would not be able to claim any damages or losses from the issuer by violating its terms of use.

There are two aspects to specifying this ToU:

a) specifying the ToU type, i.e. that this ToU property is about a trust scheme (or trust mechanism), e.g. the TRAIN scheme

b) specifying the federation (or trust network) that operates under this trust scheme, e.g. visa.net.
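The verifier-side check described in the issue (read the issuer's Terms of Use claim, then confirm it with the federation operator before accepting the credential), as an added example that is not part of the issue or of the TRAIN project's code. The ToU type name "TrustSchemeMembership" and the field names "trustScheme" and "federation" are assumptions, since no standard names exist yet; the federation operator is replaced by an in-memory membership table, and the credential itself is a constructed sample.

```python
"""Added example: RP policy check for federation membership asserted via a VC termsOfUse entry.

Assumed (not defined by the issue or any spec): the ToU type "TrustSchemeMembership"
and its fields "trustScheme" / "federation"; the federation operator is mocked.
"""
import json

# Constructed sample credential; issuer, subject and federation values are made up.
SAMPLE_VC = json.dumps({
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "type": ["VerifiableCredential", "StudentCredential"],
    "issuer": "did:example:university-a",
    "issuanceDate": "2021-09-23T00:00:00Z",
    "credentialSubject": {"id": "did:example:alice", "role": "student"},
    "termsOfUse": [
        {
            "type": "TrustSchemeMembership",  # assumed ToU type name (aspect a)
            "trustScheme": "TRAIN",            # assumed field name (aspect a)
            "federation": "eduroam.example",   # assumed field name (aspect b)
        },
    ],
})

# Stand-in for the federation operator's membership register (constructed data).
FEDERATION_MEMBERS = {
    "eduroam.example": {"did:example:university-a", "did:example:university-b"},
}


def federation_operator_is_member(federation: str, issuer: str) -> bool:
    """Mock of asking the federation operator whether `issuer` is a member.

    In a real deployment this is a network query to the operator, which is the
    RP's trust anchor; the issuer's own claim is never sufficient on its own.
    """
    return issuer in FEDERATION_MEMBERS.get(federation, set())


def membership_claims(vc: dict) -> list:
    """Return the (trustScheme, federation) pairs the issuer asserted in termsOfUse.

    termsOfUse may be a single object or a list; ToU entries of other types are ignored.
    """
    tou = vc.get("termsOfUse", [])
    if isinstance(tou, dict):
        tou = [tou]
    return [
        (t.get("trustScheme"), t.get("federation"))
        for t in tou
        if isinstance(t, dict) and t.get("type") == "TrustSchemeMembership"
    ]


def satisfies_federation_policy(vc_json: str, required_scheme: str,
                                required_federation: str,
                                lookup=federation_operator_is_member) -> bool:
    """RP policy: accept only if the issuer claims membership of the required
    federation under the required scheme AND the operator confirms it."""
    vc = json.loads(vc_json)
    issuer = vc.get("issuer")
    if isinstance(issuer, dict):  # VC issuer may be an object carrying an id
        issuer = issuer.get("id")
    if not issuer:
        return False
    for scheme, federation in membership_claims(vc):
        if scheme == required_scheme and federation == required_federation:
            return lookup(federation, issuer)
    return False  # no matching membership claim at all


if __name__ == "__main__":
    print(satisfies_federation_policy(SAMPLE_VC, "TRAIN", "eduroam.example"))  # True
```

The separation matters: `membership_claims` only reads what the issuer wrote into the ToU, and `satisfies_federation_policy` refuses the credential unless the federation operator independently confirms the issuer, so a credential from a non-member that merely copies the ToU entry is rejected.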
