[Openid-specs-ab] Issue #1501: [oidc4ci] encoding issued credentials (openid/connect)

alen_horvat issues-reply at bitbucket.org
Thu May 19 13:56:36 UTC 2022


New issue 1501: [oidc4ci] encoding issued credentials
https://bitbucket.org/openid/connect/issues/1501/oidc4ci-encoding-issued-credentials

Alen Horvat:

https://openid.net/specs/openid-connect-4-verifiable-credential-issuance-1_0.html#section-6.7.3

* `credential`: OPTIONAL. JSON string that is the base64url encoded representation of the issued credential. MUST be present when `acceptance_token` is not returned.

Today, the issued credentials are base64url encoded.

For the following signatures:

* JWS
* LD-proofs that use URDNA2015 canonicalization
* JAdES (all profiles, except for the JAdES detached signatures for the baseline-*T* profiles – need to double-check)
* anoncreds (Torsten, can you please check)

the extra encoding is not required as the signing schemes ensure the signature can be validated, even if the order of claims changes during the exchange or processing.

Question:

* Which signatures (if any) are not invariant to claim permutations?

Proposal:

* If there are signatures that aren’t invariant to the claim permutations, make the encoding optional for signatures that don’t protect against claim reordering, etc.
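The claim-permutation question above can be made concrete. The following Python example is added here and is not part of the issue or of any OpenID specification; it uses an HMAC-SHA256 stand-in for a signature, a sorted-key JSON serialization as a stand-in for a canonicalization step such as URDNA2015, and a constructed sample credential. It contrasts three schemes: a naive proof over the raw JSON bytes (breaks when a JSON processor re-serializes the claims in a different order), a canonicalize-then-sign proof (survives reordering), and a JWS-style compact serialization, where the signed payload bytes travel inside the token and the token is already a base64url-safe string, so wrapping it in a second base64url layer adds no protection.

```python
import base64
import hashlib
import hmac
import json
import string

# Constructed sample credential (not taken from the issue); key order is deliberate.
SAMPLE_CREDENTIAL = {
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "type": ["VerifiableCredential"],
    "issuer": "did:example:issuer",
    "credentialSubject": {"id": "did:example:holder", "degree": "BSc"},
}

# Hypothetical shared key for the HMAC stand-in signature (demo only).
KEY = b"constructed-demo-key"

B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def reorder_claims(obj):
    """Simulate a JSON processor that re-serializes with a different key order."""
    if isinstance(obj, dict):
        return {k: reorder_claims(obj[k]) for k in reversed(list(obj))}
    if isinstance(obj, list):
        return [reorder_claims(x) for x in obj]
    return obj


def canonicalize(obj) -> bytes:
    """Order-independent serialization (stand-in for URDNA2015 / JCS)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


# Scheme A: proof over the raw serialized JSON (depends on key order).
def sign_raw(obj) -> str:
    return b64url(mac(json.dumps(obj).encode("utf-8")))


def verify_raw(obj, proof: str) -> bool:
    return hmac.compare_digest(sign_raw(obj), proof)


# Scheme B: canonicalize, then sign (invariant to key order).
def sign_canonical(obj) -> str:
    return b64url(mac(canonicalize(obj)))


def verify_canonical(obj, proof: str) -> bool:
    return hmac.compare_digest(sign_canonical(obj), proof)


# Scheme C: JWS-style compact serialization; the exact payload bytes are
# carried inside the token, so the verifier never re-serializes the claims.
def jws_sign(payload) -> str:
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(payload).encode("utf-8"))
    sig = b64url(mac(f"{header}.{body}".encode("ascii")))
    return f"{header}.{body}.{sig}"


def jws_verify(token: str) -> bool:
    header, body, sig = token.split(".")
    expected = b64url(mac(f"{header}.{body}".encode("ascii")))
    return hmac.compare_digest(expected, sig)


def is_base64url_text(s: str) -> bool:
    """True if every character (outside the '.' separators) is base64url-safe."""
    return all(c in B64URL_ALPHABET for c in s.replace(".", ""))


def demo() -> dict:
    cred = SAMPLE_CREDENTIAL
    shuffled = reorder_claims(cred)          # same claims, different order
    token = jws_sign(cred)
    return {
        "raw_survives_reorder": verify_raw(shuffled, sign_raw(cred)),
        "canonical_survives_reorder": verify_canonical(shuffled, sign_canonical(cred)),
        "jws_verifies": jws_verify(token),
        "jws_payload_equals_claims": json.loads(b64url_decode(token.split(".")[1])) == shuffled,
        "jws_already_base64url": is_base64url_text(token),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows the raw-bytes proof failing after reordering while the canonicalized proof and the JWS both still verify; the last flag confirms the compact JWS is already base64url text, which is the point behind treating the extra encoding as unnecessary for such signatures.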
