[Openid-specs-ab] UserInfo Verifiable Credentials

Joseph Heenan joseph at authlete.com
Tue Dec 13 12:07:27 UTC 2022 

Thanks all. This looks like an interesting spec.

I did initially assume the same as others, that the credential would be issued from the userinfo endpoint.

It might be worth considering an alternative name like “user claims” instead of “userinfo”?

It’s also interesting to think about how this might work with the OIDC ‘claims’ parameter  <https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter>- that would presumably result in the need for a new entity inside the ‘claims’ object in the request at the same level as “id_token” and “userinfo”.

My initial thought is I’d be in favour of adoption.

Thanks

Joseph



> On 13 Dec 2022, at 08:59, Kristina Yasuda via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> Thanks, Jer!
> 
> Just to clarify, because it came up during the Pacific Connect call today, "the draft profile does not use UserInfo endpoint (tho the name might imply so)". The endpoint used to issue VCs is Ceedential Endpoint defined in VCI spec.
> 
> We realize the name of the draft might be a little confusing - we are open to suggestions - the core idea is that the claim set included in the VCs is the same as the basic claim set defined in OIDC Core.
> 
> Cheers, 
> Kristina 
> 
> Get Outlook for iOS <https://aka.ms/o0ukef>
> From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of Jeremie Miller via Openid-specs-ab <openid-specs-ab at lists.openid.net>
> Sent: Tuesday, December 13, 2022 10:16:50 AM
> To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
> Cc: Jeremie Miller <jmiller at pingidentity.com>
> Subject: Re: [Openid-specs-ab] UserInfo Verifiable Credentials
>  
> Hi Richard, welcome!
> 
> I'm in complete support of this, a quick read of the proposed draft looks very complete already as well, great work and thank you!
> 
> Jer
> 
> 
> On Mon, Dec 12, 2022 at 4:08 PM Richard Barnes (richbarn) via Openid-specs-ab <openid-specs-ab at lists.openid.net <mailto:openid-specs-ab at lists.openid.net>> wrote:
> Hi everyone,
> 
>  
> 
> I’m Richard Barnes from Cisco.  I’m new to OpenID, but might be familiar to some folks from the IETF, where I’ve worked on crypto things like TLS, MLS, and ACME (and JOSE back in the day).
> 
>  
> 
> I wanted to bring to the group some proposed new work on “UserInfo Verifiable Credentials” that I’ve been working on with Kristina Yasuda, Pieter Kasselman, and Morteza Ansari. 
> 
>  
> 
> MD: https://github.com/bifurcation/userinfo-vc/blob/main/userinfo-vc.md <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fbifurcation%2Fuserinfo-vc%2Fblob%2Fmain%2Fuserinfo-vc.md&data=05%7C01%7CKristina.Yasuda%40microsoft.com%7Cc508d439e932420455ac08dadc9f640d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638064874837454207%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=Gark2ZVyVS%2BhbxKL4%2BbS0VFWppbE7K%2F95g4g8rmnBI4%3D&reserved=0>
> HTML: https://bifurcation.github.io/userinfo-vc <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbifurcation.github.io%2Fuserinfo-vc&data=05%7C01%7CKristina.Yasuda%40microsoft.com%7Cc508d439e932420455ac08dadc9f640d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638064874837454207%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=Eq7ojFO1OY6PQoSCyd7Bsb26hu%2BT7lhdnaeFphBHje8%3D&reserved=0>
>  
> 
> The high-level idea here is to take the OpenID for Verifiable Credential Issuance spec and give it the same level of easy interoperability as OpenID Connect.  The generality of the VCI mechanism is powerful, but means the wallet and issuer need to agree on a bunch of details, each of which is a chance for interop failure.
> 
>  
> 
> Concretely, the proposal is to define a profile of VC and VCI that is tailored to OpenID Connect.  A “UserInfo VC” carries the same claims that are provided by the UserInfo endpoint, wrapped as a VC.  The issuance process is just VCI with certain knobs pre-set (e.g., proof of possession is always via a JWT).
> 
>  
> 
> We would love to see this work adopted by this WG.  In any case, feedback welcome!
> 
>  
> 
> Thanks,
> 
> --Richard
> 
>  
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net <mailto:Openid-specs-ab at lists.openid.net>
> https://lists.openid.net/mailman/listinfo/openid-specs-ab <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.openid.net%2Fmailman%2Flistinfo%2Fopenid-specs-ab&data=05%7C01%7CKristina.Yasuda%40microsoft.com%7Cc508d439e932420455ac08dadc9f640d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638064874837454207%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=bejZLSXs%2BcFLMSM%2FSw23RyLmex8RRZquL0kESgZPQ%2B8%3D&reserved=0>
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20221213/f3f20af7/attachment-0001.html>

More information about the Openid-specs-ab mailing list