<!DOCTYPE html>
<!-- saved from url=(0080)https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html -->
<html lang="en" class="Internet-Draft"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>OpenID4VC High Assurance Interoperability Profile with SD-JWT VC</title>
<meta content="Kristina Yasuda" name="author">
<meta content="Torsten Lodderstedt" name="author">
<meta content="
This document defines a profile of OpenID for Verifiable Credentials in combination with the credential format SD-JWT VC. The aim is to select features and to define a set of requirements for the existing specifications to enable interoperability among Issuers, Wallets and Verifiers of Credentials where a high level of security and privacy is required. The profiled specifications include OpenID for Verifiable Credential Issuance, OpenID for Verifiable Presentations, Self-Issued OpenID Provider v2, and SD-JWT VC.
" name="description">
<meta content="xml2rfc 3.18.2" name="generator">
<meta content="security" name="keyword">
<meta content="openid4vc" name="keyword">
<meta content="sd-jwt" name="keyword">
<meta content="draft-oid4vc-haip-sd-jwt-vc-latest" name="ietf.draft">
<!-- Generator version information:
xml2rfc 3.18.2
Python 3.11.6
ConfigArgParse 1.5.3
google-i18n-address 3.1.0
intervaltree 3.1.0
Jinja2 3.1.2
lxml 4.9.3
platformdirs 3.11.0
pycountry 22.3.5
PyYAML 6.0
requests 2.31.0
setuptools 67.7.2
six 1.16.0
wcwidth 0.2.9
-->
<link href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.xml" rel="alternate" type="application/rfc+xml">
<link href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#copyright" rel="license">
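<style>/* type attribute omitted: text/css is the default for <style>.
   The web fonts declared below are fetched from martinthomson.github.io, a
   third-party origin: every font fetch is an HTTP request to that origin, so
   rendering this page depends on its availability. Each face lists local()
   sources first and uses font-display: swap, so text stays readable in the
   fallback font if the remote fetch fails or is blocked. */
@font-face {
font-family: 'Lora';
font-style: italic;
font-weight: 400;
font-display: swap;
src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}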
@font-face {
/* NOTE(review): this rule covers the basic Cyrillic range (U+0400-045F ...) but
   loads the same -cyrillic-ext file as the rule above; the regular and bold
   faces use a separate -cyrillic file for this same range — verify the URL. */
font-family: 'Lora';
font-style: italic;
font-weight: 400;
font-display: swap;
src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
font-family: 'Lora';
font-style: italic;
font-weight: 400;
font-display: swap;
src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-vietnamese.woff2') format('woff2');
unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
}
@font-face {
font-family: 'Lora';
font-style: italic;
font-weight: 400;
font-display: swap;
src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin-ext.woff2') format('woff2');
unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Lora';
font-style: italic;
font-weight: 400;
font-display: swap;
src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic-ext.woff2') format('woff2');
unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic.woff2') format('woff2');
unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-vietnamese.woff2') format('woff2');
unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin-ext.woff2') format('woff2');
unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 700;
font-display: swap;
src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic-ext.woff2') format('woff2');
unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 700;
font-display: swap;
src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic.woff2') format('woff2');
unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 700;
font-display: swap;
src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-vietnamese.woff2') format('woff2');
unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 700;
font-display: swap;
src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin-ext.woff2') format('woff2');
unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 700;
font-display: swap;
src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Lora';
font-style: normal;
font-weight: 600;
font-display: swap;
src: local('Lora SemiBold'), local('Lora-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-semibold-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Cabin Condensed';
font-style: normal;
font-weight: 600;
font-display: swap;
src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-vietnamese.woff2') format('woff2');
unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
}
@font-face {
font-family: 'Cabin Condensed';
font-style: normal;
font-weight: 600;
font-display: swap;
src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-latin-ext.woff2') format('woff2');
unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Cabin Condensed';
font-style: normal;
font-weight: 600;
font-display: swap;
src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
@font-face {
font-family: 'Oxygen Mono';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin-ext.woff2') format('woff2');
unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
@font-face {
font-family: 'Oxygen Mono';
font-style: normal;
font-weight: 400;
font-display: swap;
src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
:root {
color-scheme: light dark;
--background-color: #fff;
--text-color: #222;
--title-color: #191919;
--link-color: #2a6496;
--highlight-color: #f9f9f9;
--line-color: #eee;
--pilcrow-weak: #ddd;
--pilcrow-strong: #bbb;
--small-font-size: 14.5px;
--font-mono: 'Oxygen Mono', monospace;
scrollbar-color: #bbb #eee;
}
body {
max-width: 600px;
margin: 75px auto;
padding: 0 5px;
color: var(--text-color);
background-color: var(--background-color);
font: 16px/22px "Lora", serif;
scroll-behavior: smooth;
}
.ears {
display: none;
}
/* headings */
h1, h2, h3, h4, h5, h6 {
font-family: "Cabin Condensed", sans-serif;
font-weight: 600;
margin: 0.8em 0 0.3em;
font-size-adjust: 0.5;
color: var(--title-color);
}
h1#title {
font-size: 32px;
line-height: 40px;
clear: both;
}
h1#title, h1#rfcnum {
margin: 1.5em 0 0.2em;
}
h1#rfcnum + h1#title {
margin: 0.2em 0;
}
h1, h2, h3 {
font-size: 22px;
line-height: 27px;
}
h4, h5, h6 {
font-size: 20px;
line-height: 24px;
}
/* general structure */
.author {
padding-bottom: 0.3em;
}
#abstract+p {
font-size: 18px;
line-height: 24px;
}
#abstract+p code, #abstract+p samp, #abstract+p tt {
font-size: 16px;
line-height: 0;
}
p {
padding: 0;
margin: 0.5em 0;
text-align: left;
}
div {
margin: 0;
}
.alignRight.art-text {
background-color: var(--highlight-color);
border: 1px solid var(--line-color);
border-radius: 3px;
padding: 0.5em 1em 0;
margin-bottom: 0.5em;
}
.alignRight.art-text pre {
padding: 0;
width: auto;
}
.alignRight {
margin: 1em 0;
}
.alignRight > *:first-child {
border: none;
margin: 0;
float: right;
clear: both;
}
.alignRight > *:nth-child(2) {
clear: both;
display: block;
border: none;
}
svg {
display: block;
}
/* font-family isn't space-separated, but =~ will have to do */
svg[font-family~="monospace" i], svg [font-family~="monospace" i] {
font-family: var(--font-mono);
}
.alignCenter.art-text {
background-color: var(--highlight-color);
border: 1px solid var(--line-color);
border-radius: 3px;
padding: 0.5em 1em 0;
margin-bottom: 0.5em;
}
.alignCenter.art-text pre {
padding: 0;
width: auto;
}
.alignCenter {
margin: 1em 0;
}
.alignCenter > *:first-child {
border: none;
/* this isn't optimal, but it's an existence proof. PrinceXML doesn't
support flexbox yet.
*/
display: table;
margin: 0 auto;
}
/* lists */
ol, ul {
padding: 0;
margin: 0 0 0.5em 2em;
}
:is(ol, ul) :is(ol, ul) {
margin-left: 1em;
}
li {
margin: 0 0 0.25em 0;
}
.ulCompact li {
margin: 0;
}
ul.empty, .ulEmpty {
list-style-type: none;
}
ul.empty li, .ulEmpty li {
margin-top: 0.5em;
}
:is(ul, ol).compact, .ulCompact, .olCompact {
line-height: 1;
margin: 0 0 0 2em;
}
/* definition lists */
dl {
clear: left;
--indent: 3ch;
/* --indent: attr(indent ch); not supported in any browser, but we can dream */
}
dl.olPercent {
--indent: 5ch;
}
dl > dt {
float: left;
margin-right: 2ch;
min-width: 8ch;
}
dl.dlNewline > dt {
float: none;
}
dl > dd {
margin-bottom: .8em;
margin-left: var(--indent) !important; /* stupid element overrides */
min-height: 2ex;
}
dl.olPercent > dt {
min-width: calc(var(--indent) - 2ch);
}
:is(dl.compact, .dlCompact) > dd {
margin-bottom: 0;
}
:is(dl.compact, .dlCompact) > dd > :is(:first-child, .break:first-child + *) {
margin-top: 0;
}
:is(dl.compact, .dlCompact) > dd > :is(:last-child) {
margin-bottom: 0;
}
dl > dd > dl {
margin-top: 0.5em;
margin-bottom: 0;
}
:is(dd, span).break {
display: none;
}
/* links */
a, a[href].selfRef:hover {
text-decoration: none;
}
a[href] {
color: var(--link-color);
}
a[href].selfRef, .iref + a[href].internal {
color: var(--text-color);
}
a[href]:hover {
text-decoration: underline;
}
a[href].selfRef:hover {
background-color: var(--highlight-color);
}
a.xref:is(.cite, .auto), :is(#status-of-memo, #copyright) a {
white-space: nowrap;
}
/* Figures */
tt, code, pre {
background-color: var(--highlight-color);
font: 14px/22px var(--font-mono);
}
tt, code {
/* changing the font for inline elements leads to different ascender
and descender heights; as we want to retain baseline alignment,
remove leading to avoid altering the final height of lines
note: this fails if these blocks take an entire line,
a different solution would be great */
line-height: 0;
}
:is(h1, h2, h3, h4, h5, h6) :is(tt, code) {
font-size: 84%;
}
pre {
border: 1px solid var(--line-color);
font-size: 13.5px;
line-height: 16px;
letter-spacing: -0.2px;
margin: 5px;
padding: 5px;
}
img {
max-width: 100%;
}
figure {
margin: 0.5em 0;
padding: 0;
}
figure blockquote {
margin: 0.8em 0.4em 0.4em;
}
figcaption, caption {
font-style: italic;
margin: 0.5em 1.5em;
text-align: left;
}
@media screen {
/* Auto-collapse boilerplate. */
:is(#status-of-memo, #copyright) p {
margin: -2px 0;
max-height: 0;
transition: max-height 2s ease, margin 0.5s ease 0.5s;
overflow: hidden;
}
:is(#status-of-memo, #copyright):hover p,
:is(#status-of-memo, #copyright) h2:target ~ p {
margin: 0.5em 0;
max-height: 500px;
overflow: auto;
}
pre, svg {
display: inline-block;
overflow-x: auto;
}
pre {
max-width: 100%;
width: calc(100% - 22px - 1em);
}
svg {
max-width: calc(100% - 22px - 1em);
}
figure pre {
display: block;
width: calc(100% - 25px);
}
:is(pre, svg) + .pilcrow {
display: inline-block;
vertical-align: text-bottom;
padding-bottom: 8px;
}
}
/* aside, blockquote */
aside, blockquote {
margin-left: 0;
padding: 0 2em;
font-style: italic;
}
blockquote {
margin: 1em 0;
}
cite {
display: block;
text-align: right;
font-style: italic;
}
/* tables */
table {
max-width: 100%;
margin: 0 0 1em;
border-collapse: collapse;
}
table.right {
margin-left: auto;
}
table.center {
margin-left: auto;
margin-right: auto;
}
table.left {
margin-right: auto;
}
thead, tbody {
border: 1px solid var(--line-color);
}
th, td {
text-align: left;
vertical-align: top;
padding: 5px 10px;
}
th {
background-color: var(--line-color);
}
:is(tr:nth-child(2n), thead+tbody > tr:nth-child(2n+1)) > td {
background-color: var(--background-color);
}
:is(tr:nth-child(2n+1), thead+tbody > tr:nth-child(2n)) > td {
background-color: var(--highlight-color);
}
table caption {
margin: 0;
padding: 3px 0 3px 1em;
}
table p {
margin: 0;
}
/* pilcrow */
a.pilcrow {
margin-left: 3px;
opacity: 0.2;
user-select: none;
}
a.pilcrow[href] { color: var(--pilcrow-weak); }
a.pilcrow[href]:hover { text-decoration: none; }
@media not print {
:hover > a.pilcrow {
opacity: 1;
}
a.pilcrow[href]:hover {
color: var(--pilcrow-strong);
background-color: transparent;
}
}
@media print {
a.pilcrow {
display: none;
}
}
/* misc */
hr {
border: 0;
border-top: 1px solid var(--line-color);
}
.bcp14 {
font-variant: small-caps;
font-weight: 600;
font-size: var(--small-font-size);
}
.role {
font-variant: all-small-caps;
}
sub, sup {
line-height: 1;
font-size: 80%;
}
/* info block */
#identifiers {
margin: 0;
font-size: var(--small-font-size);
line-height: 18px;
--identifier-width: 15ch;
}
#identifiers dt {
width: var(--identifier-width);
min-width: var(--identifier-width);
clear: left;
float: left;
text-align: right;
margin-right: 1ch;
}
#identifiers dd {
margin: 0;
margin-left: calc(1em + var(--identifier-width)) !important;
min-width: 5em;
}
#identifiers .authors .author {
display: inline-block;
margin-right: 1.5em;
}
#identifiers .authors .org {
font-style: italic;
}
/* The prepared/rendered info at the very bottom of the page */
.docInfo {
color: #999;
font-size: 0.9em;
font-style: italic;
margin-top: 2em;
}
.docInfo .prepared {
float: left;
}
.docInfo .prepared {
float: right;
}
/* table of contents */
#toc {
padding: 0.75em 0 2em 0;
margin-bottom: 1em;
}
#toc nav ul {
margin: 0 0.5em 0 0;
padding: 0;
list-style: none;
}
#toc nav li {
line-height: 1.3em;
margin: 2px 0;
padding-left: 1.2em;
text-indent: -1.2em;
}
#toc a.xref {
white-space: normal;
}
/* references */
.references dt {
text-align: right;
font-weight: bold;
min-width: 10ch;
margin-right: 1.5ch;
}
.references dt:target::before {
content: "⇒";
width: 15px;
margin: 0 10px 0 -25px;
}
.references dd {
margin-left: 12ch !important;
overflow: auto;
}
.refInstance {
margin-bottom: 1.25em;
}
.references .ascii {
margin-bottom: 0.25em;
}
/* index */
#rfc\.index\.index + ul {
margin-left: 0;
}
/* authors */
address.vcard {
font-style: normal;
margin: 1em 0;
}
address.vcard .nameRole {
font-weight: 700;
margin-left: 0;
}
address.vcard .label {
margin: 0.5em 0;
}
address.vcard .type {
display: none;
}
.alternative-contact {
margin: 1.5em 0 1em;
}
hr.addr {
border-top: 1px dashed;
margin: 0;
color: #ddd;
max-width: calc(100% - 16px);
}
@media (min-width: 500px) {
#authors-addresses > section {
column-count: 2;
column-gap: 20px;
}
#authors-addresses > section > h2 {
column-span: all;
}
/* hack for break-inside: avoid-column */
#authors-addresses address {
display: inline-block;
break-inside: avoid-column;
}
}
.rfcEditorRemove p:first-of-type {
font-style: italic;
}
.cref {
background-color: rgba(249, 232, 105, 0.3);
padding: 2px 4px;
}
.crefSource {
font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 929px) {
#toc {
position: fixed;
z-index: 2;
top: 0;
right: 0;
padding: 1px 0 0 0;
margin: 0;
border-bottom: 1px solid #ccc;
opacity: 0.6;
}
#toc.active {
opacity: 1;
}
#toc h2 {
margin: 0;
padding: 2px 0 2px 6px;
padding-right: 1em;
font-size: 18px;
line-height: 24px;
min-width: 190px;
text-align: right;
background-color: #444;
color: white;
cursor: pointer;
}
#toc h2::before { /* css hamburger */
float: right;
position: relative;
width: 1em;
height: 1px;
left: -164px;
margin: 8px 0 0 0;
background: white none repeat scroll 0 0;
box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
content: "";
}
#toc nav {
display: none;
background-color: var(--background-color);
padding: 0.5em 1em 1em;
overflow: auto;
overscroll-behavior: contain;
height: calc(100vh - 48px);
border-left: 1px solid #ddd;
}
#toc.active nav {
display: block;
}
/* Make the collapsed ToC header render white on gray also when it's a link */
#toc h2 a,
#toc h2 a:link,
#toc h2 a:focus,
#toc h2 a:hover,
#toc a.toplink,
#toc a.toplink:hover {
color: white;
background-color: #444;
text-decoration: none;
}
#toc a.toplink {
margin-top: 2px;
}
}
/* alternative layout for wide screens */
@media screen and (min-width: 930px) {
body {
padding-right: 360px;
padding-right: calc(min(180px + 20%, 500px));
}
#toc {
position: fixed;
bottom: 0;
right: 0;
right: calc(50vw - 480px);
width: 312px;
margin: 0;
padding: 0;
z-index: 1;
}
#toc h2 {
margin: 0;
padding: 0.25em 1em 1em 0;
}
#toc nav {
display: block;
height: calc(90vh - 84px);
bottom: 0;
padding: 0.5em 0 2em;
overflow: auto;
overscroll-behavior: contain;
scrollbar-width: thin;
}
#toc nav > ul {
margin-bottom: 2em;
}
#toc ul {
margin: 0 0 0 4px;
font-size: var(--small-font-size);
}
#toc ul :is(p, li) {
margin: 2px 0;
line-height: 22px;
}
img { /* future proofing */
max-width: 100%;
height: auto;
}
}
/* pagination */
@media print {
body {
width: 100%;
}
p {
orphans: 3;
widows: 3;
}
#n-copyright-notice {
border-bottom: none;
}
#toc, #n-introduction {
page-break-before: always;
}
#toc {
border-top: none;
padding-top: 0;
}
figure, pre, .vcard {
page-break-inside: avoid;
}
h1, h2, h3, h4, h5, h6 {
page-break-after: avoid;
}
:is(h2, h3, h4, h5, h6)+*, dd {
page-break-before: avoid;
}
pre {
white-space: pre-wrap;
word-wrap: break-word;
font-size: 10pt;
}
table {
border: 1px solid #ddd;
}
td {
border-top: 1px solid #ddd;
}
.toplink {
display: none;
}
}
@page :first {
padding-top: 0;
@top-left {
content: normal;
border: none;
}
@top-center {
content: normal;
border: none;
}
@top-right {
content: normal;
border: none;
}
}
@page {
size: A4;
margin-bottom: 45mm;
padding-top: 20px;
}
/* Changes introduced to fix issues found during implementation */
/* Separate body from document info even without intervening H1 */
section {
clear: both;
}
/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
vertical-align: top;
}
/* Style section numbers with more space between number and title */
.section-number {
padding-right: 0.5em;
}
/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
float: right;
margin: 8px 0.5em 0;
}
/* Provide styling for table cell text alignment */
table .text-left {
text-align: left;
}
table .text-center {
text-align: center;
}
table .text-right {
text-align: right;
}
/* Make the alternative author contact information look less like just another
author, and group it closer with the primary author contact information */
.alternative-contact {
margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
margin: 0 0 0 2em;
}
/* With it being possible to set tables with alignment
left, center, and right, { width: 100%; } does not make sense */
table {
width: auto;
}
/* Avoid reference text that sits in a block with very wide left margin,
because of a long floating dt label.*/
.references dd {
overflow: visible;
}
/* Control caption placement */
caption {
caption-side: bottom;
}
/* Limit the width of the author address vcard, so names in right-to-left
script don't end up on the other side of the page. */
address.vcard {
max-width: 20em;
margin-right: auto;
}
/* For address alignment dependent on LTR or RTL scripts */
address div.left {
text-align: left;
}
address div.right {
text-align: right;
}
/* Dark mode. */
@media (prefers-color-scheme: dark) {
:root {
--background-color: #121212;
--text-color: #f0f0f0;
--title-color: #fff;
--link-color: #4da4f0;
--highlight-color: #282828;
--line-color: #444;
--pilcrow-weak: #444;
--pilcrow-strong: #666;
scrollbar-color: #777 #333;
}
}
/* SVG Trick: a prefix match works because only black and white are allowed */
svg :is([stroke="black"], [stroke^="#000"]) {
stroke: var(--text-color);
}
svg :is([stroke="white"], [stroke^="#fff"]) {
stroke: var(--background-color);
}
svg :is([fill="black"], [fill^="#000"], :not([fill])) {
fill: var(--text-color);
}
svg :is([fill="white"], [fill^="#fff"]) {
fill: var(--background-color);
}
</style>
</head>
<body class="xml2rfc">
<table class="ears">
<!-- Running header/footer ("ears") cells: document short name and month on
     top, authors / category / page marker at the bottom. The stylesheet hides
     this table with .ears { display: none }; presumably a paginating renderer
     with its own stylesheet places these in the page margins — confirm. -->
<thead><tr>
<td class="left"></td>
<td class="center">oid4vc-haip-sd-jwt-vc</td>
<td class="right">November 2023</td>
</tr></thead>
<tfoot><tr>
<td class="left">Yasuda & Lodderstedt</td>
<td class="center">Standards Track</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<!-- Document information: #external-metadata is an empty placeholder here;
     #internal-metadata carries the workgroup, publication date (machine-readable
     via <time datetime>) and the author/organization pairs. -->
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-workgroup">Workgroup:</dt>
<dd class="workgroup">OpenID Connect</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2023-11-14" class="published">14 November 2023</time>
</dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
<div class="author-name">K. Yasuda</div>
<div class="org">Microsoft</div>
</div>
<div class="author">
<div class="author-name">T. Lodderstedt</div>
<div class="org">yes.com</div>
</div>
</dd>
</dl>
</div>
<h1 id="title">OpenID4VC High Assurance Interoperability Profile with SD-JWT VC</h1>
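<section id="section-abstract">
<!-- Self-reference, citation and pilcrow links use document-relative fragments
     so that following them in this saved copy resolves locally instead of
     navigating to the remote origin the page was saved from. -->
<h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">This document defines a profile of OpenID for Verifiable Credentials in combination with the credential format SD-JWT VC. The aim is to select features and to define a set of requirements for the existing specifications to enable interoperability among Issuers, Wallets and Verifiers of Credentials where a high level of security and privacy is required. The profiled specifications include OpenID for Verifiable Credential Issuance <span>[<a href="#OIDF.OID4VCI" class="cite xref">OIDF.OID4VCI</a>]</span>, OpenID for Verifiable Presentations <span>[<a href="#OIDF.OID4VP" class="cite xref">OIDF.OID4VP</a>]</span>, Self-Issued OpenID Provider v2 <span>[<a href="#OIDF.SIOPv2" class="cite xref">OIDF.SIOPv2</a>]</span>, and SD-JWT VC <span>[<a href="#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span>.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
</section>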
<div id="toc">
<section id="section-toc.1">
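<!-- Back-to-top link: an empty fragment scrolls to the top of the document
     natively, so the inline onclick handler is not needed; dropping it keeps
     the page usable under a script-src CSP without 'unsafe-inline'. Both
     links are document-relative so the saved copy does not navigate to the
     remote origin when they are followed. -->
<a href="#" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
</h2>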
<nav class="toc"><ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
<p id="section-toc.1-1.1.1" class="keepWithNext"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-1" class="auto internal xref">1</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-introduction" class="internal xref">Introduction</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.1">
<p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-1.1" class="auto internal xref">1.1</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-audience-target-audience-us" class="internal xref">Audience Target audience/Usage</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
<p id="section-toc.1-1.2.1" class="keepWithNext"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-2" class="auto internal xref">2</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-terminology" class="internal xref">Terminology</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
<p id="section-toc.1-1.3.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3" class="auto internal xref">3</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-scope" class="internal xref">Scope</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1">
<p id="section-toc.1-1.3.2.1.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.1" class="auto internal xref">3.1</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-out-of-scope" class="internal xref">Out of Scope</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2">
<p id="section-toc.1-1.3.2.2.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.2" class="auto internal xref">3.2</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-scenarios-business-requirem" class="internal xref">Scenarios/Business Requirements</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.3">
<p id="section-toc.1-1.3.2.3.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.3" class="auto internal xref">3.3</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-standards-requirements" class="internal xref">Standards Requirements</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
<p id="section-toc.1-1.4.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4" class="auto internal xref">4</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-openid-for-verifiable-crede" class="internal xref">OpenID for Verifiable Credential Issuance</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.1">
<p id="section-toc.1-1.4.2.1.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.1" class="auto internal xref">4.1</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-offer" class="internal xref">Credential Offer</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2">
<p id="section-toc.1-1.4.2.2.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.2" class="auto internal xref">4.2</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-authorization-endpoint" class="internal xref">Authorization Endpoint</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3">
<p id="section-toc.1-1.4.2.3.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3" class="auto internal xref">4.3</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-token-endpoint" class="internal xref">Token Endpoint</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3.2.1">
<p id="section-toc.1-1.4.2.3.2.1.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1" class="auto internal xref">4.3.1</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-wallet-attestation-schema" class="internal xref">Wallet Attestation Schema</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.4">
<p id="section-toc.1-1.4.2.4.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.4" class="auto internal xref">4.4</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-endpoint" class="internal xref">Credential Endpoint</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.5">
<p id="section-toc.1-1.4.2.5.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.5" class="auto internal xref">4.5</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-server-metadata" class="internal xref">Server Metadata</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
<p id="section-toc.1-1.5.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5" class="auto internal xref">5</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-openid-for-verifiable-prese" class="internal xref">OpenID for Verifiable Presentations</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
<p id="section-toc.1-1.6.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-6" class="auto internal xref">6</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-self-issued-op-v2" class="internal xref">Self-Issued OP v2</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
<p id="section-toc.1-1.7.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7" class="auto internal xref">7</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-sd-jwt-vcs" class="internal xref">SD-JWT VCs</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1">
<p id="section-toc.1-1.7.2.1.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.1" class="auto internal xref">7.1</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-issuer-identification-and-k" class="internal xref">Issuer identification and key resolution to validate an issued Credential</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1.2.1">
<p id="section-toc.1-1.7.2.1.2.1.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.1.1" class="auto internal xref">7.1.1</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-cryptographic-holder-bindin" class="internal xref">Cryptographic Holder Binding between VC and VP</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2">
<p id="section-toc.1-1.7.2.2.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2" class="auto internal xref">7.2</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-openid4vc-credential-format" class="internal xref">OpenID4VC Credential Format Profile</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2.2.1">
<p id="section-toc.1-1.7.2.2.2.1.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.1" class="auto internal xref">7.2.1</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-format-identifier" class="internal xref">Format Identifier</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2.2.2">
<p id="section-toc.1-1.7.2.2.2.2.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2" class="auto internal xref">7.2.2</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-issuer-metadata" class="internal xref">Credential Issuer Metadata</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2.2.3">
<p id="section-toc.1-1.7.2.2.2.3.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.3" class="auto internal xref">7.2.3</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-offer-2" class="internal xref">Credential Offer</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2.2.4">
<p id="section-toc.1-1.7.2.2.2.4.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.4" class="auto internal xref">7.2.4</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-authorization-details" class="internal xref">Authorization Details</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2.2.5">
<p id="section-toc.1-1.7.2.2.2.5.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.5" class="auto internal xref">7.2.5</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-request" class="internal xref">Credential Request</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2.2.6">
<p id="section-toc.1-1.7.2.2.2.6.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.6" class="auto internal xref">7.2.6</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-response" class="internal xref">Credential Response</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2.2.7">
<p id="section-toc.1-1.7.2.2.2.7.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.7" class="auto internal xref">7.2.7</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-verifier-metadata" class="internal xref">Verifier Metadata</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2.2.8">
<p id="section-toc.1-1.7.2.2.2.8.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.8" class="auto internal xref">7.2.8</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-presentation-definition" class="internal xref">Presentation Definition</a></p>
</li>
</ul>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
<p id="section-toc.1-1.8.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-8" class="auto internal xref">8</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-crypto-suites" class="internal xref">Crypto Suites</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
<p id="section-toc.1-1.9.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-9" class="auto internal xref">9</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-implementations-considerati" class="internal xref">Implementations Considerations</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.1">
<p id="section-toc.1-1.9.2.1.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-9.1" class="auto internal xref">9.1</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-validity-period-of-the-sign" class="internal xref">Validity Period of the Signature and the Claim Values</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
<p id="section-toc.1-1.10.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-10" class="auto internal xref">10</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-references" class="internal xref">References</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.1">
<p id="section-toc.1-1.10.2.1.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-10.1" class="auto internal xref">10.1</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-normative-references" class="internal xref">Normative References</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.2">
<p id="section-toc.1-1.10.2.2.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-10.2" class="auto internal xref">10.2</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-informative-references" class="internal xref">Informative References</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
<p id="section-toc.1-1.11.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#appendix-A" class="auto internal xref">Appendix A</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-combined-issuance-of-sd-jwt" class="internal xref">Combined Issuance of SD-JWT VC and mdocs</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12">
<p id="section-toc.1-1.12.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#appendix-B" class="auto internal xref">Appendix B</a>. <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-json-schema-for-the-support" class="internal xref">JSON Schema for the supported Presentation Definition properties</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13">
<p id="section-toc.1-1.13.1"><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#appendix-C" class="auto internal xref"></a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-authors-addresses" class="internal xref">Authors' Addresses</a></p>
</li>
</ul>
</nav>
</section>
</div>
<div id="introduction">
<section id="section-1">
<h2 id="name-introduction">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-1" class="section-number selfRef">1. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-introduction" class="section-name selfRef">Introduction</a>
</h2>
<p id="section-1-1">This document defines a set of requirements for the existing specifications to enable interoperability among Issuers, Wallets and Verifiers of Credentials where a high level of security and privacy is required. This document is an interoperability profile that can be used by implementations in various contexts, be it a certain industry or a certain regulatory environment.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-1-1" class="pilcrow">¶</a></p>
<p id="section-1-2">This document is not a specification, but a profile. It refers to the specifications that implementations require in order to interoperate with each other and, for the optional features in the referenced specifications, defines the set that is mandatory to implement.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-1-2" class="pilcrow">¶</a></p>
<p id="section-1-3">The profile uses OpenID for Verifiable Credential Issuance <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#OIDF.OID4VCI" class="cite xref">OIDF.OID4VCI</a>]</span> and OpenID for Verifiable Presentations <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#OIDF.OID4VP" class="cite xref">OIDF.OID4VP</a>]</span> as the base protocols for issuance and presentation of Credentials, respectively. The credential format used is SD-JWT VC as specified in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span>. Additionally, considerations are given on how deployments can perform a combined issuance of credentials in both SD-JWT VC and ISO mdoc <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#ISO.18013-5" class="cite xref">ISO.18013-5</a>]</span> formats.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-1-3" class="pilcrow">¶</a></p>
<p id="section-1-4">A full list of the open standards used in this profile is given in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.3" class="auto internal xref">Section 3.3</a> (Standards Requirements).<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-1-4" class="pilcrow">¶</a></p>
<div id="audience-target-audience-usage">
<section id="section-1.1">
<h3 id="name-audience-target-audience-us">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-1.1" class="section-number selfRef">1.1. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-audience-target-audience-us" class="section-name selfRef">Audience Target audience/Usage</a>
</h3>
<p id="section-1.1-1">The audience of the document is implementers that require a high level of security and privacy for their solutions. A non-exhaustive list of the interested parties includes eIDAS 2.0, California Department of Motor Vehicles, Open Wallet Foundation (OWF), IDunion, GAIN, and the Trusted Web project of the Japanese government, but is expected to grow to include other jurisdictions and private sector companies.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-1.1-1" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="terminology">
<section id="section-2">
<h2 id="name-terminology">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-2" class="section-number selfRef">2. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-terminology" class="section-name selfRef">Terminology</a>
</h2>
<p id="section-2-1">This specification uses the terms "Holder", "Issuer", "Verifier", and "Verifiable Credential" as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-2-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="scope">
<section id="section-3">
<h2 id="name-scope">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3" class="section-number selfRef">3. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-scope" class="section-name selfRef">Scope</a>
</h2>
<p id="section-3-1">The following aspects are in scope of this interoperability profile:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-3-2.1">Protocol for issuance of the Verifiable Credentials (can be both remote and in-person) (OID4VCI)<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-2.2">Protocol for online presentation of Verifiable Credentials (can be both remote and in-person) (OID4VP)<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-2.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-2.3">Protocol for User Authentication by the Wallet at a Verifier (SIOP v2)<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-2.3" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-2.4">Wallet Attestation (during Credential issuance)<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-2.4" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-2.5">Credential Format (SD-JWT VC)<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-2.5" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-2.6">Status Management of the Credentials, including revocation<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-2.6" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-2.7">Cryptographic Holder Binding<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-2.7" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-2.8">Issuer key resolution<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-2.8" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-2.9">Issuer identification (as prerequisite for trust management)<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-2.9" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-2.10">Crypto Suites<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-2.10" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-3-3">Assumptions made are the following:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-3" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-3-4.1">The Issuers and Verifiers cannot pre-discover the Wallet's capabilities<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-4.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-4.2">The Issuer is talking to a Wallet that supports the features defined in this profile (as a consequence of the Wallet invocation mechanism used)<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-4.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3-4.3">There are mechanisms in place for the verifiers and issuers to discover each other’s capability<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3-4.3" class="pilcrow">¶</a>
</li>
</ul>
<div id="out-of-scope">
<section id="section-3.1">
<h3 id="name-out-of-scope">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.1" class="section-number selfRef">3.1. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-out-of-scope" class="section-name selfRef">Out of Scope</a>
</h3>
<p id="section-3.1-1">The following items are out of scope for the current version of this document, but might be added in future versions:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.1-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-3.1-2.1">Trust Management, i.e. authorization of an Issuer to issue certain types of credentials, authorization of the Wallet to be issued certain types of credentials, authorization of the Verifier to receive certain types of credentials. Issuer identification and key resolution (<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.1" class="auto internal xref">Section 7.1</a>) establish which party signed a Credential, not whether that party was authorized to issue it; deployments using this profile therefore need to provide Trust Management through an ecosystem-specific mechanism.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.1-2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3.1-2.2">Protocol for presentation of Verifiable Credentials for offline use-cases, e.g. over BLE.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.1-2.2" class="pilcrow">¶</a>
</li>
</ul>
</section>
</div>
<div id="scenarios-business-requirements">
<section id="section-3.2">
<h3 id="name-scenarios-business-requirem">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.2" class="section-number selfRef">3.2. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-scenarios-business-requirem" class="section-name selfRef">Scenarios/Business Requirements</a>
</h3>
<ul class="compact">
<li class="compact" id="section-3.2-1.1">Combined Issuance of SD-JWT VC and mdoc<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.2-1.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3.2-1.2">Both issuer-initiated and wallet-initiated issuance<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.2-1.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-3.2-1.3">eIDAS PID and (Q)EAA as defined in eIDAS ARF 1.0<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.2-1.3" class="pilcrow">¶</a>
</li>
</ul>
</section>
</div>
<div id="standards-requirements">
<section id="section-3.3">
<h3 id="name-standards-requirements">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.3" class="section-number selfRef">3.3. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-standards-requirements" class="section-name selfRef">Standards Requirements</a>
</h3>
<p id="section-3.3-1">Unless explicitly stated, all normative requirements apply to all participating entities: Issuers, Wallets and Verifiers.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-3.3-1" class="pilcrow">¶</a></p>
<table class="center" id="table-1">
<caption><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#table-1" class="selfRef">Table 1</a></caption>
<thead>
<tr>
<th class="text-left" rowspan="1" colspan="1">(as defined in this profile)</th>
<th class="text-left" rowspan="1" colspan="1">Issuer</th>
<th class="text-left" rowspan="1" colspan="1">Wallet</th>
<th class="text-left" rowspan="1" colspan="1">Verifier</th>
</tr>
</thead>
<tbody>
<tr>
<td class="text-left" rowspan="1" colspan="1">OID4VP</td>
<td class="text-left" rowspan="1" colspan="1">N/A</td>
<td class="text-left" rowspan="1" colspan="1">MUST</td>
<td class="text-left" rowspan="1" colspan="1">MUST</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">OID4VCI</td>
<td class="text-left" rowspan="1" colspan="1">MUST</td>
<td class="text-left" rowspan="1" colspan="1">MUST</td>
<td class="text-left" rowspan="1" colspan="1">N/A</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">SIOPv2</td>
<td class="text-left" rowspan="1" colspan="1">N/A</td>
<td class="text-left" rowspan="1" colspan="1">MUST</td>
<td class="text-left" rowspan="1" colspan="1">SHOULD</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">SD-JWT VC profile as defined in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#sd-jwt-vc" class="auto internal xref">Section 7</a>
</td>
<td class="text-left" rowspan="1" colspan="1">MUST</td>
<td class="text-left" rowspan="1" colspan="1">MUST</td>
<td class="text-left" rowspan="1" colspan="1">MUST</td>
</tr>
</tbody>
</table>
</section>
</div>
</section>
</div>
<div id="openid-for-verifiable-credential-issuance">
<section id="section-4">
<h2 id="name-openid-for-verifiable-crede">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4" class="section-number selfRef">4. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-openid-for-verifiable-crede" class="section-name selfRef">OpenID for Verifiable Credential Issuance</a>
</h2>
<p id="section-4-1">Implementations of this profile:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-4-2.1">MUST support both the pre-authorized code flow and the authorization code flow.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4-2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4-2.2">MUST support protocol extensions for SD-JWT VC credential format profile as defined in this specification <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#vc_sd_jwt_profile" class="auto internal xref">Section 7.2</a>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4-2.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4-2.3">MUST support sender-constrained Tokens using a mechanism as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-dpop" class="cite xref">I-D.ietf-oauth-dpop</a>]</span>, so that an Access Token that is leaked or intercepted cannot be replayed by a party that does not hold the Wallet's corresponding private key.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4-2.3" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4-2.4">MUST support PKCE <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC7636" class="cite xref">RFC7636</a>]</span> with <code>S256</code> as the code challenge method.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4-2.4" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-4-3">Both Wallet initiated and Issuer initiated issuance is supported.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4-3" class="pilcrow">¶</a></p>
<div id="credential-offer">
<section id="section-4.1">
<h3 id="name-credential-offer">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.1" class="section-number selfRef">4.1. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-offer" class="section-name selfRef">Credential Offer</a>
</h3>
<ul class="compact">
<li class="compact" id="section-4.1-1.1">The Grant Types <code>authorization_code</code> and <code>urn:ietf:params:oauth:grant-type:pre-authorized_code</code> MUST be supported as defined in Section 4.1.1 in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#OIDF.OID4VCI" class="cite xref">OIDF.OID4VCI</a>]</span><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.1-1.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.1-1.2">For Grant Type <code>authorization_code</code>, the Issuer MUST include a scope value in order to allow the Wallet to identify the desired credential type. The wallet MUST use that value in the <code>scope</code> Authorization parameter. For Grant Type <code>urn:ietf:params:oauth:grant-type:pre-authorized_code</code>, the pre-authorized code is used by the issuer to identify the credential type(s). (pending OID4VCI PR#519)<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.1-1.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.1-1.3">As a way to invoke the Wallet, at least a custom URL scheme <code>haip://</code> MUST be supported. Implementations MAY support other ways to invoke the wallets as agreed by trust frameworks/ecosystems/jurisdictions, not limited to using other custom URL schemes. Note that a custom URL scheme does not by itself identify which Wallet handles the invocation; the Credential Issuer relies on the Wallet's client authentication at the PAR and Token endpoints (<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.2" class="auto internal xref">Section 4.2</a> and <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3" class="auto internal xref">Section 4.3</a>) to establish which Wallet it is talking to.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.1-1.3" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-4.1-2">Note: The Authorization Code flow does not require a Credential Offer from the Issuer to the Wallet. However, it is included in the feature set of the Credential Offer because it might be easier to implement with existing libraries and on top of existing implementations than the pre-authorized code Grant Type.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.1-2" class="pilcrow">¶</a></p>
<p id="section-4.1-3">Both sending Credential Offer same-device and cross-device is supported.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authorization-endpoint">
<section id="section-4.2">
<h3 id="name-authorization-endpoint">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.2" class="section-number selfRef">4.2. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-authorization-endpoint" class="section-name selfRef">Authorization Endpoint</a>
</h3>
<ul class="compact">
<li class="compact" id="section-4.2-1.1">MUST use Pushed Authorization Requests (PAR) <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC9126" class="cite xref">RFC9126</a>]</span> to send the Authorization Request.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.2-1.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.2-1.2">Wallets MUST authenticate themselves at the PAR endpoint using the same rules as defined in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#token-endpoint" class="auto internal xref">Section 4.3</a> for client authentication at the token endpoint.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.2-1.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.2-1.3">MUST use <code>scope</code> parameter to communicate credential type(s) to be issued. The scope value MUST map to a specific Credential type. The scope value may be pre-agreed, obtained from the Credential Offer, or the Credential Issuer Metadata.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.2-1.3" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.2-1.4">The <code>client_id</code> value in the PAR request MUST be a string that the Wallet has used as the <code>sub</code> value in the client attestation JWT, so that the Credential Issuer can bind the PAR request to the Wallet authenticated by that attestation.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.2-1.4" class="pilcrow">¶</a>
</li>
</ul>
</section>
</div>
<div id="token-endpoint">
<section id="section-4.3">
<h3 id="name-token-endpoint">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3" class="section-number selfRef">4.3. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-token-endpoint" class="section-name selfRef">Token Endpoint</a>
</h3>
<ul class="compact">
<li class="compact" id="section-4.3-1.1">The Wallets MUST perform client authentication as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-attestation-based-client-auth" class="cite xref">I-D.ietf-oauth-attestation-based-client-auth</a>]</span>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3-1.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3-1.2">Refresh tokens MUST be supported for credential refresh.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3-1.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3-1.3">Wallets MUST support deferred authorization by being able to process the Token error response parameters <code>authorization_pending</code> and <code>slow_down</code>, and the credential offer parameter <code>interval</code>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3-1.3" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3-1.4">The Wallet Attestation JWT scheme is defined in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#wallet-attestation-schema" class="auto internal xref">Section 4.3.1</a>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3-1.4" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-4.3-2">Note: It is RECOMMENDED to use ephemeral client attestation JWTs for client authentication in order to prevent linkability across Credential Issuers: a client attestation that is presented unchanged to several Credential Issuers gives them a common value on which to correlate the Wallet instance.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3-2" class="pilcrow">¶</a></p>
<p id="section-4.3-3">Note: Issuers should bound how long a refresh token may be used to refresh a Credential before the User is required to start the issuance flow from the beginning. For example, if the User is trying to refresh a Credential more than a year after its original issuance, using the refresh token is NOT RECOMMENDED.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3-3" class="pilcrow">¶</a></p>
<div id="wallet-attestation-schema">
<section id="section-4.3.1">
<h4 id="name-wallet-attestation-schema">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1" class="section-number selfRef">4.3.1. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-wallet-attestation-schema" class="section-name selfRef">Wallet Attestation Schema</a>
</h4>
<p id="section-4.3.1-1">Wallets MUST use attestations following the definition given in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-attestation-based-client-auth" class="cite xref">I-D.ietf-oauth-attestation-based-client-auth</a>]</span>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-1" class="pilcrow">¶</a></p>
<p id="section-4.3.1-2">In addition to this definition, the Wallet Attestation MAY contain the following claims in the <code>cnf</code> element. The values of these claims are asserted by the issuer of the Wallet Attestation, so a party relying on them is trusting that issuer's assessment of the Wallet rather than a property it can verify from the attestation itself:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-2" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-4.3.1-3.1">
<p id="section-4.3.1-3.1.1"><code>key_type</code>: OPTIONAL. JSON String that asserts the security mechanism the Wallet uses to manage the private key associated with the public key given in the <code>cnf</code> claim. This mechanism depends on the capabilities of the execution environment of the Wallet; it might be a secure element (in case of a Wallet residing on a smartphone) or a Cloud-HSM (in case of a cloud Wallet). This specification defines the following values for <code>key_type</code>:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.1.1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-4.3.1-3.1.2.1">
<code>software</code>: It MUST be used when the Wallet uses software-based key management.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.1.2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3.1-3.1.2.2">
<code>hardware</code>: It MUST be used when the wallet uses hardware-based key management.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.1.2.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3.1-3.1.2.3">
<code>tee</code>: It SHOULD be used when the Wallet uses the Trusted Execution Environment for key management.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.1.2.3" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3.1-3.1.2.4">
<code>secure_enclave</code>: It SHOULD be used when the Wallet uses the Secure Enclave for key management.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.1.2.4" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3.1-3.1.2.5">
<code>strong_box</code>: It SHOULD be used when the Wallet uses the Strongbox for key management.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.1.2.5" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3.1-3.1.2.6">
<code>secure_element</code>: It SHOULD be used when the Wallet uses a Secure Element for key management.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.1.2.6" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3.1-3.1.2.7">
<code>hsm</code>: It SHOULD be used when the Wallet uses a Hardware Security Module (HSM) for key management.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.1.2.7" class="pilcrow">¶</a>
</li>
</ul>
</li>
<li class="compact" id="section-4.3.1-3.2">
<p id="section-4.3.1-3.2.1"><code>user_authentication</code>: OPTIONAL. JSON String that asserts the security mechanism the Wallet uses to authenticate the user to authorize access to the private key associated with the public key given in the <code>cnf</code> claim. This specification defines the following values for <code>user_authentication</code>:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.2.1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-4.3.1-3.2.2.1">
<code>system_biometry</code>: It MUST be used when the key usage is authorized by the mobile operating system using a biometric factor.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.2.2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3.1-3.2.2.2">
<code>system_pin</code>: It MUST be used when the key usage is authorized by the mobile operating system using personal identification number (PIN).<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.2.2.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3.1-3.2.2.3">
<code>internal_biometry</code>: It MUST be used when the key usage is authorized by the Wallet using a biometric factor.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.2.2.3" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3.1-3.2.2.4">
<code>internal_pin</code>: It MUST be used when the key usage is authorized by the Wallet using PIN.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.2.2.4" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-4.3.1-3.2.2.5">
<code>secure_element_pin</code>: It MUST be used when the key usage is authorized by the secure element managing the key itself using a PIN.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-3.2.2.5" class="pilcrow">¶</a>
</li>
</ul>
</li>
</ul>
<p id="section-4.3.1-4">The Wallet Attestation MAY also contain the following claim:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-4" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-4.3.1-5.1">
<code>aal</code>: OPTIONAL. JSON String asserting the authentication level of the Wallet and the key as asserted in the <code>cnf</code> claim.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-5.1" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-4.3.1-6">To obtain the issuer's public key for verification, wallet attestations MUST support web-based key resolution as defined in Section 5 of <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.terbu-sd-jwt-vc" class="cite xref">I-D.terbu-sd-jwt-vc</a>]</span>. The JOSE header <code>kid</code> MUST be used to identify the respective key.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-6" class="pilcrow">¶</a></p>
<p id="section-4.3.1-7">This is an example of a Wallet Instance Attestation:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-7" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-4.3.1-8">
<pre>{
"typ": "wallet-attestation+jwt",
"alg": "ES256",
"kid": "1"
}
.
{
"iss": "<identifier of the issuer of this wallet attestation>",
"sub": "<`client_id` of the OAuth client>",
"iat": 1516247022,
"exp": 1541493724,
"aal" : "https://trust-list.eu/aal/high",
"cnf": {
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
"y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
},
"key_type": "strong_box",
"user_authentication": "system_pin"
}
}
</pre><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.3.1-8" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="credential-endpoint">
<section id="section-4.4">
<h3 id="name-credential-endpoint">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.4" class="section-number selfRef">4.4. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-endpoint" class="section-name selfRef">Credential Endpoint</a>
</h3>
<ul class="compact">
<li class="compact" id="section-4.4-1.1">The <code>JWT</code> proof type MUST be supported.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.4-1.1" class="pilcrow">¶</a>
</li>
</ul>
</section>
</div>
<div id="server-metadata">
<section id="section-4.5">
<h3 id="name-server-metadata">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.5" class="section-number selfRef">4.5. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-server-metadata" class="section-name selfRef">Server Metadata</a>
</h3>
<ul class="compact">
<li class="compact" id="section-4.5-1.1">The Credential Issuer MUST publish a mapping of every Credential Type it supports to a scope value.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-4.5-1.1" class="pilcrow">¶</a>
</li>
</ul>
</section>
</div>
</section>
</div>
<div id="openid-for-verifiable-presentations">
<section id="section-5">
<h2 id="name-openid-for-verifiable-prese">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5" class="section-number selfRef">5. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-openid-for-verifiable-prese" class="section-name selfRef">OpenID for Verifiable Presentations</a>
</h2>
<ul class="normal">
<li class="normal" id="section-5-1.1">MUST support protocol extensions for SD-JWT VC credential format profile as defined in this specification <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#vc_sd_jwt_profile" class="auto internal xref">Section 7.2</a>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.1" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-5-1.2">As a way to invoke the Wallet, at least a custom URL scheme <code>haip://</code> MUST be supported. Implementations MAY support other ways to invoke the wallets as agreed by trust frameworks/ecosystems/jurisdictions, not limited to using other custom URL schemes.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.2" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-5-1.3">Response type MUST be <code>vp_token</code>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.3" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-5-1.4">Response mode MUST be <code>direct_post</code> with <code>redirect_uri</code> as defined in Section 6.2 of <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#OIDF.OID4VP" class="cite xref">OIDF.OID4VP</a>]</span>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.4" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-5-1.5">Authorization Request MUST be sent using the <code>request_uri</code> parameter as defined in JWT-Secured Authorization Request (JAR) <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC9101" class="cite xref">RFC9101</a>]</span>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.5" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-5-1.6">
<code>client_id_scheme</code> parameter MUST be present in the Authorization Request.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.6" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-5-1.7">
<code>client_id_scheme</code> value MUST be either <code>x509_san_dns</code> or <code>verifier_attestation</code>. Wallet MUST support both. Verifier MUST support at least one. (pending OID4VCI PR #524 for verifier_attestation)<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.7" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-5-1.8">To obtain the issuer's public key for verification, verifiers MUST support web-based key resolution as defined in Section 5 of <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span>. The JOSE header <code>kid</code> MUST be used to identify the respective key.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.8" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-5-1.9">Presentation Definition JSON object MUST be sent using a <code>presentation_definition</code> parameter.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.9" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-5-1.10">
<p id="section-5-1.10.1">The following features from the DIF Presentation Exchange v2.0.0 MUST be supported. A JSON schema for the supported features is in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#presentation-definition-schema" class="auto internal xref">Appendix B</a>:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.10.1" class="pilcrow">¶</a></p>
<ul class="compact normal">
<li class="compact normal" id="section-5-1.10.2.1">In the <code>presentation_definition</code> object, <code>id</code>, <code>input_descriptors</code> and <code>submission_requirements</code> properties MUST be supported.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.10.2.1" class="pilcrow">¶</a>
</li>
<li class="compact normal" id="section-5-1.10.2.2">In the <code>input_descriptors</code> object, <code>id</code>, <code>name</code>, <code>purpose</code>, <code>group</code>, <code>format</code>, and <code>constraints</code> properties MUST be supported. In the <code>constraints</code> object, <code>limit_disclosure</code>, and <code>fields</code> properties MUST be supported. In the <code>fields</code> object, <code>path</code> and <code>filter</code> properties MUST be supported. A <code>path</code> MUST contain exactly one entry with a static path to a certain claim. A <code>filter</code> MUST only contain <code>type</code> elements of value <code>string</code> and <code>const</code> elements.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.10.2.2" class="pilcrow">¶</a>
</li>
<li class="compact normal" id="section-5-1.10.2.3">In the <code>submission_requirements</code> object, <code>name</code>, <code>rule</code> (<code>pick</code> only), <code>count</code>, <code>from</code> properties MUST be supported.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-5-1.10.2.3" class="pilcrow">¶</a>
</li>
</ul>
</li>
</ul>
</section>
</div>
<div id="self-issued-op-v2">
<section id="section-6">
<h2 id="name-self-issued-op-v2">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-6" class="section-number selfRef">6. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-self-issued-op-v2" class="section-name selfRef">Self-Issued OP v2</a>
</h2>
<p id="section-6-1">To authenticate the user, the subject identifier in a Self-Issued ID Token MUST be used as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#OIDF.SIOPv2" class="cite xref">OIDF.SIOPv2</a>]</span>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-6-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-6-2.1">As a way to invoke the Wallet, at least a custom URL scheme <code>haip://</code> MUST be supported. Implementations MAY support other ways to invoke the wallets as agreed by trust frameworks/ecosystems/jurisdictions, not limited to using other custom URL schemes.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-6-2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-6-2.2">
<code>subject_syntax_types_supported</code> value MUST be <code>urn:ietf:params:oauth:jwk-thumbprint</code><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-6-2.2" class="pilcrow">¶</a>
</li>
</ul>
</section>
</div>
<div id="sd-jwt-vc">
<section id="section-7">
<h2 id="name-sd-jwt-vcs">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7" class="section-number selfRef">7. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-sd-jwt-vcs" class="section-name selfRef">SD-JWT VCs</a>
</h2>
<p id="section-7-1">As credential format, SD-JWT VCs as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span> MUST be used.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-1" class="pilcrow">¶</a></p>
<p id="section-7-2">In addition, this profile defines the following additional requirements.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-2" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-7-3.1">Compact serialization MUST be supported as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-selective-disclosure-jwt" class="cite xref">I-D.ietf-oauth-selective-disclosure-jwt</a>]</span>. JSON serialization MAY be supported.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-3.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7-3.2">The following JWT Claims MUST be supported. (Editorial note: the content is still to be differentiated between issuance and presentation.)<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-3.2" class="pilcrow">¶</a>
</li>
</ul>
<table class="center" id="table-2">
<caption><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#table-2" class="selfRef">Table 2</a></caption>
<thead>
<tr>
<th class="text-left" rowspan="1" colspan="1">Claim</th>
<th class="text-left" rowspan="1" colspan="1">SD-JWT as issued by the Issuer</th>
<th class="text-left" rowspan="1" colspan="1">Normative Definition</th>
</tr>
</thead>
<tbody>
<tr>
<td class="text-left" rowspan="1" colspan="1">iss</td>
<td class="text-left" rowspan="1" colspan="1">MUST</td>
<td class="text-left" rowspan="1" colspan="1">
<span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC7519" class="cite xref">RFC7519</a>]</span>, Section 4.1.1</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">iat</td>
<td class="text-left" rowspan="1" colspan="1">MUST</td>
<td class="text-left" rowspan="1" colspan="1">
<span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC7519" class="cite xref">RFC7519</a>]</span>, Section 4.1.6</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">exp</td>
<td class="text-left" rowspan="1" colspan="1">SHOULD (at the discretion of the issuer)</td>
<td class="text-left" rowspan="1" colspan="1">
<span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC7519" class="cite xref">RFC7519</a>]</span>, Section 4.1.4</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">cnf</td>
<td class="text-left" rowspan="1" colspan="1"> MUST</td>
<td class="text-left" rowspan="1" colspan="1">
<span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC7800" class="cite xref">RFC7800</a>]</span>
</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">vct</td>
<td class="text-left" rowspan="1" colspan="1"> MUST</td>
<td class="text-left" rowspan="1" colspan="1">
<span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span>
</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">status</td>
<td class="text-left" rowspan="1" colspan="1">SHOULD (at the discretion of the issuer)</td>
<td class="text-left" rowspan="1" colspan="1">
<span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.looker-oauth-jwt-cwt-status-list" class="cite xref">I-D.looker-oauth-jwt-cwt-status-list</a>]</span>
</td>
</tr>
</tbody>
</table>
<ul class="compact">
<li class="compact" id="section-7-5.1">The Issuer MUST NOT make any of the JWT Claims in the table above selectively disclosable, so that they are always present in the SD-JWT VC presented by the Holder.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-5.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7-5.2">It is at the discretion of the Issuer whether to use an <code>exp</code> claim and/or a <code>status</code> claim to express the validity period of an SD-JWT VC. The Wallet and the Verifier MUST support both mechanisms and honor whichever of the two the Issuer has included.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-5.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7-5.3">The <code>iss</code> claim MUST be an HTTPS URL. The <code>iss</code> value is used to obtain Issuer’s signing key as defined in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#issuer-key-resolution" class="auto internal xref">Section 7.1</a>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-5.3" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7-5.4">The <code>vct</code> JWT claim as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-5.4" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7-5.5">The <code>cnf</code> claim <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC7800" class="cite xref">RFC7800</a>]</span> MUST conform to the definition given in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span>. Implementations conforming to this profile MUST include the JSON Web Key <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC7517" class="cite xref">RFC7517</a>]</span> in the <code>jwk</code> sub claim.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-5.5" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-7-6">Note: Currently this profile only supports presentation of credentials with cryptographic Holder Binding: the Holder's signature is required to prove that the credential is presented by the Holder it was issued to. This profile might support claim-based and biometrics-based holder binding once OpenID for Verifiable Credentials adds support for other forms of Holder Binding. See <a href="https://bitbucket.org/openid/connect/issues/1537/presenting-vc-without-a-vp-using-openid4vp">https://bitbucket.org/openid/connect/issues/1537/presenting-vc-without-a-vp-using-openid4vp</a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-6" class="pilcrow">¶</a></p>
<p id="section-7-7">Note: Re-using the same Credential across Verifiers, or re-using the same JWK value across multiple Credentials gives colluding Verifiers a mechanism to correlate the User. There are currently two known ways to address this with SD-JWT VCs. First is to issue multiple instances of the same credentials with different JWK values, so that if each instance of the credential is used at only one Verifier, it can be reused multiple times. Another is to use each credential only once (ephemeral credentials). It is RECOMMENDED to adopt one of these mechanisms.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-7" class="pilcrow">¶</a></p>
<p id="section-7-8">Note: If there is a requirement to communicate information about the verification status and identity assurance data of the claims about the subject, the syntax defined by <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#OIDF.ekyc-ida" class="cite xref">OIDF.ekyc-ida</a>]</span> SHOULD be used. It is up to each jurisdiction and ecosystem, whether to require it to the implementers of this profile.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-8" class="pilcrow">¶</a></p>
<p id="section-7-9">Note: If there is a requirement to provide the Subject’s identifier assigned and maintained by the Issuer, <code>sub</code> claim MAY be used. There is no requirement for a binding to exist between <code>sub</code> and <code>cnf</code> claims. See Implementation Considerations section in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-9" class="pilcrow">¶</a></p>
<p id="section-7-10">Note: In some credential types, it is not desirable to include an expiration date (eg: diploma attestation). Therefore, this profile leaves its inclusion to the Issuer, or the body defining the respective credential type.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7-10" class="pilcrow">¶</a></p>
<div id="issuer-key-resolution">
<section id="section-7.1">
<h3 id="name-issuer-identification-and-k">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.1" class="section-number selfRef">7.1. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-issuer-identification-and-k" class="section-name selfRef">Issuer identification and key resolution to validate an issued Credential</a>
</h3>
<p id="section-7.1-1">This profile supports two ways to represent and resolve the key required to validate the Issuer signature of an SD-JWT VC: web-based key resolution and X.509 certificates.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.1-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-7.1-2.1">Web-based key resolution: The key used to validate the Issuer’s signature on the SD-JWT VC MUST be obtained from the SD-JWT VC issuer's metadata as defined in Section 5 of <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span>. The JOSE header <code>kid</code> MUST be used to identify the respective key.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.1-2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7.1-2.2">X.509 certificates: the SD-JWT VC contains the Issuer's certificate along with a trust chain in the <code>x5c</code> JOSE header. In this case, the <code>iss</code> value MUST be a URL with a FQDN matching a <code>dNSName</code> Subject Alternative Name (SAN) <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC5280" class="cite xref">RFC5280</a>]</span> entry in the leaf certificate. Because the <code>x5c</code> chain is carried by the credential itself, it establishes nothing until it has been validated up to a trust anchor that the Wallet or Verifier already trusts; the SAN match alone does not make an unvalidated certificate trustworthy.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.1-2.2" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-7.1-3">Note: The Issuer MAY decide to support both options, in which case it is at the discretion of the Wallet and the Verifier which key to use for the Issuer signature validation.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.1-3" class="pilcrow">¶</a></p>
<div id="cryptographic-holder-binding-between-vc-and-vp">
<section id="section-7.1.1">
<h4 id="name-cryptographic-holder-bindin">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.1.1" class="section-number selfRef">7.1.1. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-cryptographic-holder-bindin" class="section-name selfRef">Cryptographic Holder Binding between VC and VP</a>
</h4>
<ul class="compact">
<li class="compact" id="section-7.1.1-1.1">For Cryptographic Holder Binding, a KB-JWT as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span> MUST always be present when presenting an SD-JWT VC.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.1.1-1.1" class="pilcrow">¶</a>
</li>
</ul>
</section>
</div>
</section>
</div>
<div id="vc_sd_jwt_profile">
<section id="section-7.2">
<h3 id="name-openid4vc-credential-format">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2" class="section-number selfRef">7.2. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-openid4vc-credential-format" class="section-name selfRef">OpenID4VC Credential Format Profile</a>
</h3>
<p id="section-7.2-1">This section specifies how SD-JWT VCs as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span> are used in conjunction with the OpenID4VC specifications.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2-1" class="pilcrow">¶</a></p>
<div id="format-identifier">
<section id="section-7.2.1">
<h4 id="name-format-identifier">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.1" class="section-number selfRef">7.2.1. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-format-identifier" class="section-name selfRef">Format Identifier</a>
</h4>
<p id="section-7.2.1-1">The Credential format identifier is <code>vc+sd-jwt</code>. This format identifier is used in issuance and presentation requests.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.1-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="server_metadata_vc_sd-jwt">
<section id="section-7.2.2">
<h4 id="name-credential-issuer-metadata">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2" class="section-number selfRef">7.2.2. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-issuer-metadata" class="section-name selfRef">Credential Issuer Metadata</a>
</h4>
<p id="section-7.2.2-1">The following additional Credential Issuer metadata are defined for this Credential format to be used in addition to those defined in Section 10.2 of <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#OIDF.OID4VCI" class="cite xref">OIDF.OID4VCI</a>]</span>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-7.2.2-2.1">
<p id="section-7.2.2-2.1.1"><code>credential_definition</code>: REQUIRED. JSON object containing the detailed description of the credential type. It consists of at least the following three sub-elements:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-2.1.1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-7.2.2-2.1.2.1">
<code>vct</code>: REQUIRED. JSON string designating the type of a credential as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#I-D.ietf-oauth-sd-jwt-vc" class="cite xref">I-D.ietf-oauth-sd-jwt-vc</a>]</span>, Section 4.2.2.1.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-2.1.2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7.2.2-2.1.2.2">
<p id="section-7.2.2-2.1.2.2.1"><code>claims</code>: OPTIONAL. A JSON object containing a list of name/value pairs, where each name identifies a claim offered in the Credential. The value can be another such object (nested data structures), or an array of such objects. To express the specifics about the claim, the most deeply nested value MAY be a JSON object that includes the following non-exhaustive list of parameters defined by this specification:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-2.1.2.2.1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-7.2.2-2.1.2.2.2.1">
<code>mandatory</code>: OPTIONAL. Boolean which, when set to <code>true</code>, indicates the claim MUST be present in the issued Credential. If the <code>mandatory</code> property is omitted, its default should be assumed to be <code>false</code>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-2.1.2.2.2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7.2.2-2.1.2.2.2.2">
<code>value_type</code>: OPTIONAL. String value determining the type of the claim's value. A non-exhaustive list of valid values defined by this specification includes <code>string</code>, <code>number</code>, and image media types such as <code>image/jpeg</code> as defined in the IANA media type registry for images (<a href="https://www.iana.org/assignments/media-types/media-types.xhtml#image">https://www.iana.org/assignments/media-types/media-types.xhtml#image</a>).<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-2.1.2.2.2.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7.2.2-2.1.2.2.2.3">
<p id="section-7.2.2-2.1.2.2.2.3.1"><code>display</code>: OPTIONAL. An array of objects, where each object contains display properties of a certain claim in the Credential for a certain language. Below is a non-exhaustive list of valid parameters that MAY be included:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-2.1.2.2.2.3.1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-7.2.2-2.1.2.2.2.3.2.1">
<code>name</code>: OPTIONAL. String value of a display name for the claim.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-2.1.2.2.2.3.2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7.2.2-2.1.2.2.2.3.2.2">
<code>locale</code>: OPTIONAL. String value that identifies the language of this object, represented as a language tag as defined in BCP47 <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC5646" class="cite xref">RFC5646</a>]</span>. There MUST be only one object for each language identifier.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-2.1.2.2.2.3.2.2" class="pilcrow">¶</a>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li class="compact" id="section-7.2.2-2.2">
<code>order</code>: OPTIONAL. An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-2.2" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-7.2.2-3">The following is a non-normative example of an object within the <code>credentials_supported</code> parameter for Credential format <code>vc+sd-jwt</code>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-3" class="pilcrow">¶</a></p>
<div class="breakable lang-json sourcecode" id="section-7.2.2-4">
<pre>{
"format": "vc+sd-jwt",
"scope": "IdentityCredential_SD-JWT-VC",
"cryptographic_binding_methods_supported": [
"did:example"
],
"cryptographic_suites_supported": [
"ES256K"
],
"display": [
{
"name": "IdentityCredential",
"locale": "en-US",
"background_color": "#12107c",
"text_color": "#FFFFFF"
}
],
"credential_definition": {
"type": "IdentityCredential",
"claims": {
"given_name": {
"display": [
{
"name": "Given Name",
"locale": "en-US"
},
{
"name": "Vorname",
"locale": "de-DE"
}
]
},
"last_name": {
"display": [
{
"name": "Surname",
"locale": "en-US"
},
{
"name": "Nachname",
"locale": "de-DE"
}
]
},
"email": {},
"phone_number": {},
"address": {
"street_address": {},
"locality": {},
"region": {},
"country": {}
},
"birthdate": {},
"is_over_18": {},
"is_over_21": {},
"is_over_65": {}
}
}
}
{
"type": "IdentityCredential",
"given_name": "John",
"family_name": "Doe",
}
</pre><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.2-4" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="credential-offer-1">
<section id="section-7.2.3">
<h4 id="name-credential-offer-2">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.3" class="section-number selfRef">7.2.3. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-offer-2" class="section-name selfRef">Credential Offer</a>
</h4>
<p id="section-7.2.3-1">The following additional claims are defined for this Credential format.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.3-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-7.2.3-2.1">
<code>credential_definition</code>: REQUIRED. JSON object containing the detailed description of the credential type. It MUST contain at least the <code>type</code> property as defined in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#server_metadata_vc_sd-jwt" class="auto internal xref">Section 7.2.2</a>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.3-2.1" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-7.2.3-3">The following is a non-normative example of a Credential Offer for Credential format <code>vc+sd-jwt</code>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.3-3" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-7.2.3-4">
<pre>{
"credential_issuer": "https://credential-issuer.example.com",
"credentials": [
"IdentityCredential_SD-JWT-VC"
],
"grants": {
"authorization_code": {
"issuer_state": "eyJhbGciOiJSU0Et...FYUaBy"
}
}
}
</pre><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.3-4" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="authorization_vc_sd-jwt">
<section id="section-7.2.4">
<h4 id="name-authorization-details">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.4" class="section-number selfRef">7.2.4. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-authorization-details" class="section-name selfRef">Authorization Details</a>
</h4>
<p id="section-7.2.4-1">The following additional claims are defined for authorization details of type <code>openid_credential</code> and this Credential format.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.4-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-7.2.4-2.1">
<code>credential_definition</code>: REQUIRED. JSON object containing the detailed description of the credential type. It MUST contain at least the <code>type</code> property as defined in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#server_metadata_vc_sd-jwt" class="auto internal xref">Section 7.2.2</a>. It MAY contain the <code>claims</code> property as defined in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#server_metadata_vc_sd-jwt" class="auto internal xref">Section 7.2.2</a>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.4-2.1" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-7.2.4-3">The following is a non-normative example of an authorization details object with Credential format <code>vc+sd-jwt</code>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.4-3" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-7.2.4-4">
<pre>[
{
"type": "openid_credential",
"format": "vc+sd-jwt",
"credential_definition": {
"type": "IdentityCredential"
}
}
]
</pre><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.4-4" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="credential-request">
<section id="section-7.2.5">
<h4 id="name-credential-request">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.5" class="section-number selfRef">7.2.5. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-request" class="section-name selfRef">Credential Request</a>
</h4>
<p id="section-7.2.5-1">The following additional parameters are defined for Credential Requests and this Credential format.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.5-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-7.2.5-2.1">
<code>credential_definition</code>: REQUIRED. JSON object containing the detailed description of the credential type. It MUST contain at least the <code>vct</code> property as defined in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#server_metadata_vc_sd-jwt" class="auto internal xref">Section 7.2.2</a>. It MAY contain the <code>claims</code> property as defined in <a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#server_metadata_vc_sd-jwt" class="auto internal xref">Section 7.2.2</a>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.5-2.1" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-7.2.5-3">The following is a non-normative example of a Credential Request with Credential format <code>vc+sd-jwt</code>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.5-3" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-7.2.5-4">
<pre>{
"format": "vc+sd-jwt",
"credential_definition": {
"type": "IdentityCredential"
},
"proof": {
"proof_type": "jwt",
"jwt":"eyJraWQiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEva2V5cy8
xIiwiYWxnIjoiRVMyNTYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR
0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJpYXQiOiIyMDE4LTA5LTE0VDIxOjE5OjEwWiIsIm5vbm
NlIjoidFppZ25zbkZicCJ9.ewdkIkPV50iOeBUqMXCC_aZKPxgihac0aW9EkL1nOzM"
}
}
</pre><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.5-4" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="credential_response_jwt_vc_json">
<section id="section-7.2.6">
<h4 id="name-credential-response">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.6" class="section-number selfRef">7.2.6. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-credential-response" class="section-name selfRef">Credential Response</a>
</h4>
<p id="section-7.2.6-1">The value of the <code>credential</code> claim in the Credential Response MUST be a JSON string that is an SD-JWT VC. Credentials of this format are already suitable for transfer and, therefore, they need not and MUST NOT be re-encoded.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.6-1" class="pilcrow">¶</a></p>
<p id="section-7.2.6-2">The following is a non-normative example of a Credential Response with Credential format <code>vc+sd-jwt</code>.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.6-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="verifier-metadata">
<section id="section-7.2.7">
<h4 id="name-verifier-metadata">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.7" class="section-number selfRef">7.2.7. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-verifier-metadata" class="section-name selfRef">Verifier Metadata</a>
</h4>
<p id="section-7.2.7-1">The Verifier SHOULD add a <code>vp_formats_supported</code> element to its metadata (e.g. in the <code>client_metadata</code> authorization request parameter) to let the Wallet know which protection algorithms it supports in conjunction with SD-JWT VCs. The format element MUST have the key <code>vc+sd-jwt</code>; its value is an object consisting of the following elements:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.7-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-7.2.7-2.1">
<code>sd-jwt_alg_values</code>: OPTIONAL. A JSON array containing identifiers of cryptographic algorithms the Verifier supports for protection of an SD-JWT. If present, the <code>alg</code> JOSE header (as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC7515" class="cite xref">RFC7515</a>]</span>) of the presented SD-JWT MUST match one of the array values.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.7-2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-7.2.7-2.2">
<code>kb-jwt_alg_values</code>: OPTIONAL. A JSON array containing identifiers of cryptographic algorithms the verifier supports for protection of a KB-JWT. If present, the <code>alg</code> JOSE header (as defined in <span>[<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#RFC7515" class="cite xref">RFC7515</a>]</span>) of the presented KB-JWT MUST match one of the array values.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.7-2.2" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-7.2.7-3">The following is a non-normative example of a <code>client_metadata</code> request parameter value in a request to present an SD-JWT VC.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.7-3" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-7.2.7-4">
<pre>{
"vp_formats": {
"vc+sd-jwt": {
"sd-jwt_alg_values": [
"ES256",
"ES384"
],
"kb-jwt_alg_values": [
"ES256",
"ES384"
]
}
}
}
</pre><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.7-4" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="presentation-definition">
<section id="section-7.2.8">
<h4 id="name-presentation-definition">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.8" class="section-number selfRef">7.2.8. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-presentation-definition" class="section-name selfRef">Presentation Definition</a>
</h4>
<p id="section-7.2.8-1">The presentation of an SD-JWT VC is requested by adding an object named <code>vc+sd-jwt</code> to the <code>format</code> object of an <code>input_descriptor</code>. The object is empty.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.8-1" class="pilcrow">¶</a></p>
<p id="section-7.2.8-2">The following is a non-normative example of a presentation definition for an SD-JWT VC.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.8-2" class="pilcrow">¶</a></p>
<div class="lang-json sourcecode" id="section-7.2.8-3">
<pre>{
"id": "d76c51b7-ea90-49bb-8368-6b3d194fc131",
"input_descriptors": [
{
"id": "IdentityCredential",
"format": {
"vc+sd-jwt": {}
},
"constraints": {
"limit_disclosure": "required",
"fields": [
{
"path": [
"$.type"
],
"filter": {
"type": "string",
"const": "IdentityCredential"
}
},
{
"path": [
"$.family_name"
]
},
{
"path": [
"$.given_name"
]
}
]
}
}
]
}
</pre><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-7.2.8-3" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="crypto-suites">
<section id="section-8">
<h2 id="name-crypto-suites">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-8" class="section-number selfRef">8. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-crypto-suites" class="section-name selfRef">Crypto Suites</a>
</h2>
<p id="section-8-1">Issuers, Holders and Verifiers MUST support P-256 (secp256r1) as a key type with the ES256 JWT algorithm for signing and signature validation whenever this profile requires it, namely for:<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-8-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="section-8-2.1">SD-JWT-VC<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-8-2.1" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-8-2.2">Wallet Instance Attestation<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-8-2.2" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-8-2.3">DPoP<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-8-2.3" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-8-2.4">HB JWT<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-8-2.4" class="pilcrow">¶</a>
</li>
<li class="compact" id="section-8-2.5">Authorization request during presentation<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-8-2.5" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-8-3">SHA256 MUST be supported by all the entities as the hash algorithm to generate and validate the digests in the SD-JWT VC.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-8-3" class="pilcrow">¶</a></p>
<p id="section-8-4">Note: When using this profile with other cryptosuites, it is recommended to be explicit about which entity is required to support which curve for signing and/or signature validation.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-8-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="implementations-considerations">
<section id="section-9">
<h2 id="name-implementations-considerati">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-9" class="section-number selfRef">9. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-implementations-considerati" class="section-name selfRef">Implementations Considerations</a>
</h2>
<div id="validity-period-of-the-signature-and-the-claim-values">
<section id="section-9.1">
<h3 id="name-validity-period-of-the-sign">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-9.1" class="section-number selfRef">9.1. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-validity-period-of-the-sign" class="section-name selfRef">Validity Period of the Signature and the Claim Values</a>
</h3>
<p id="section-9.1-1">The <code>iat</code> and <code>exp</code> JWT claims express the validity period of both the signature and the claims about the subject, unless a separate claim is used to express the validity of the claims.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-9.1-1" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<section id="section-10">
<h2 id="name-references">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-10" class="section-number selfRef">10. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-references" class="section-name selfRef">References</a>
</h2>
<section id="section-10.1">
<h3 id="name-normative-references">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-10.1" class="section-number selfRef">10.1. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-normative-references" class="section-name selfRef">Normative References</a>
</h3>
<dl class="references">
<dt id="I-D.ietf-oauth-attestation-based-client-auth">[I-D.ietf-oauth-attestation-based-client-auth]</dt>
<dd>
<span class="refAuthor">Looker, T.</span> and <span class="refAuthor">P. Bastian</span>, <span class="refTitle">"OAuth 2.0 Attestation-Based Client Authentication"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-oauth-attestation-based-client-auth-01</span>, <time datetime="2023-10-23" class="refDate">23 October 2023</time>, <span><<a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-attestation-based-client-auth-01">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-attestation-based-client-auth-01</a>></span>. </dd>
<dd class="break"></dd>
<dt id="I-D.ietf-oauth-dpop">[I-D.ietf-oauth-dpop]</dt>
<dd>
<span class="refAuthor">Fett, D.</span>, <span class="refAuthor">Campbell, B.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Jones, M. B.</span>, and <span class="refAuthor">D. Waite</span>, <span class="refTitle">"OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-oauth-dpop-16</span>, <time datetime="2023-04-13" class="refDate">13 April 2023</time>, <span><<a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-16">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-16</a>></span>. </dd>
<dd class="break"></dd>
<dt id="I-D.ietf-oauth-sd-jwt-vc">[I-D.ietf-oauth-sd-jwt-vc]</dt>
<dd>
<span class="refAuthor">Terbu, O.</span> and <span class="refAuthor">D. Fett</span>, <span class="refTitle">"SD-JWT-based Verifiable Credentials (SD-JWT VC)"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-oauth-sd-jwt-vc-01</span>, <time datetime="2023-10-23" class="refDate">23 October 2023</time>, <span><<a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-01">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-01</a>></span>. </dd>
<dd class="break"></dd>
<dt id="I-D.ietf-oauth-selective-disclosure-jwt">[I-D.ietf-oauth-selective-disclosure-jwt]</dt>
<dd>
<span class="refAuthor">Fett, D.</span>, <span class="refAuthor">Yasuda, K.</span>, and <span class="refAuthor">B. Campbell</span>, <span class="refTitle">"Selective Disclosure for JWTs (SD-JWT)"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-oauth-selective-disclosure-jwt-06</span>, <time datetime="2023-10-23" class="refDate">23 October 2023</time>, <span><<a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-06">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-06</a>></span>. </dd>
<dd class="break"></dd>
<dt id="I-D.looker-oauth-jwt-cwt-status-list">[I-D.looker-oauth-jwt-cwt-status-list]</dt>
<dd>
<span class="refAuthor">Looker, T.</span> and <span class="refAuthor">P. Bastian</span>, <span class="refTitle">"JWT and CWT Status List"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-looker-oauth-jwt-cwt-status-list-01</span>, <time datetime="2023-07-10" class="refDate">10 July 2023</time>, <span><<a href="https://datatracker.ietf.org/doc/html/draft-looker-oauth-jwt-cwt-status-list-01">https://datatracker.ietf.org/doc/html/draft-looker-oauth-jwt-cwt-status-list-01</a>></span>. </dd>
<dd class="break"></dd>
<dt id="I-D.terbu-sd-jwt-vc">[I-D.terbu-sd-jwt-vc]</dt>
<dd>
<span class="refAuthor">Terbu, O.</span> and <span class="refAuthor">D. Fett</span>, <span class="refTitle">"SD-JWT-based Verifiable Credentials with JSON payloads (SD-JWT VC)"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-terbu-sd-jwt-vc-02</span>, <time datetime="2023-05-26" class="refDate">26 May 2023</time>, <span><<a href="https://datatracker.ietf.org/doc/html/draft-terbu-sd-jwt-vc-02">https://datatracker.ietf.org/doc/html/draft-terbu-sd-jwt-vc-02</a>></span>. </dd>
<dd class="break"></dd>
<dt id="OIDF.OID4VCI">[OIDF.OID4VCI]</dt>
<dd>
<span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Yasuda, K.</span>, and <span class="refAuthor">T. Looker</span>, <span class="refTitle">"OpenID for Verifiable Credential Issuance"</span>, <time datetime="2022-06-20" class="refDate">20 June 2022</time>, <span><<a href="https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html">https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html</a>></span>. </dd>
<dd class="break"></dd>
<dt id="OIDF.OID4VP">[OIDF.OID4VP]</dt>
<dd>
<span class="refAuthor">Terbu, O.</span>, <span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Yasuda, K.</span>, <span class="refAuthor">Lemmon, A.</span>, and <span class="refAuthor">T. Looker</span>, <span class="refTitle">"OpenID for Verifiable Presentations"</span>, <time datetime="2022-06-20" class="refDate">20 June 2022</time>, <span><<a href="https://openid.net/specs/openid-4-verifiable-presentations-1_0.html">https://openid.net/specs/openid-4-verifiable-presentations-1_0.html</a>></span>. </dd>
<dd class="break"></dd>
<dt id="OIDF.SIOPv2">[OIDF.SIOPv2]</dt>
<dd>
<span class="refAuthor">Microsoft</span>, <span class="refAuthor">Jones, M. B.</span>, and <span class="refAuthor">T. Lodderstedt</span>, <span class="refTitle">"Self-Issued OpenID Provider V2"</span>, <time datetime="2021-12-18" class="refDate">18 December 2021</time>, <span><<a href="https://openid.net/specs/openid-connect-self-issued-v2-1_0.html">https://openid.net/specs/openid-connect-self-issued-v2-1_0.html</a>></span>. </dd>
<dd class="break"></dd>
<dt id="OIDF.ekyc-ida">[OIDF.ekyc-ida]</dt>
<dd>
<span class="refAuthor">yes</span>, <span class="refAuthor">Fett, D.</span>, <span class="refAuthor">Haine, M.</span>, <span class="refAuthor">Pulido, A.</span>, <span class="refAuthor">Lehmann, K.</span>, and <span class="refAuthor">K. Koiwai</span>, <span class="refTitle">"OpenID Connect for Identity Assurance 1.0"</span>, <time datetime="2022-08-19" class="refDate">19 August 2022</time>, <span><<a href="https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID4.html">https://openid.net/specs/openid-connect-4-identity-assurance-1_0-ID4.html</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC5280">[RFC5280]</dt>
<dd>
<span class="refAuthor">Cooper, D.</span>, <span class="refAuthor">Santesson, S.</span>, <span class="refAuthor">Farrell, S.</span>, <span class="refAuthor">Boeyen, S.</span>, <span class="refAuthor">Housley, R.</span>, and <span class="refAuthor">W. Polk</span>, <span class="refTitle">"Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"</span>, <span class="seriesInfo">RFC 5280</span>, <span class="seriesInfo">DOI 10.17487/RFC5280</span>, <time datetime="2008-05" class="refDate">May 2008</time>, <span><<a href="https://www.rfc-editor.org/info/rfc5280">https://www.rfc-editor.org/info/rfc5280</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC5646">[RFC5646]</dt>
<dd>
<span class="refAuthor">Phillips, A., Ed.</span> and <span class="refAuthor">M. Davis, Ed.</span>, <span class="refTitle">"Tags for Identifying Languages"</span>, <span class="seriesInfo">BCP 47</span>, <span class="seriesInfo">RFC 5646</span>, <span class="seriesInfo">DOI 10.17487/RFC5646</span>, <time datetime="2009-09" class="refDate">September 2009</time>, <span><<a href="https://www.rfc-editor.org/info/rfc5646">https://www.rfc-editor.org/info/rfc5646</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC7515">[RFC7515]</dt>
<dd>
<span class="refAuthor">Jones, M.</span>, <span class="refAuthor">Bradley, J.</span>, and <span class="refAuthor">N. Sakimura</span>, <span class="refTitle">"JSON Web Signature (JWS)"</span>, <span class="seriesInfo">RFC 7515</span>, <span class="seriesInfo">DOI 10.17487/RFC7515</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span><<a href="https://www.rfc-editor.org/info/rfc7515">https://www.rfc-editor.org/info/rfc7515</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC7517">[RFC7517]</dt>
<dd>
<span class="refAuthor">Jones, M.</span>, <span class="refTitle">"JSON Web Key (JWK)"</span>, <span class="seriesInfo">RFC 7517</span>, <span class="seriesInfo">DOI 10.17487/RFC7517</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span><<a href="https://www.rfc-editor.org/info/rfc7517">https://www.rfc-editor.org/info/rfc7517</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC7519">[RFC7519]</dt>
<dd>
<span class="refAuthor">Jones, M.</span>, <span class="refAuthor">Bradley, J.</span>, and <span class="refAuthor">N. Sakimura</span>, <span class="refTitle">"JSON Web Token (JWT)"</span>, <span class="seriesInfo">RFC 7519</span>, <span class="seriesInfo">DOI 10.17487/RFC7519</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span><<a href="https://www.rfc-editor.org/info/rfc7519">https://www.rfc-editor.org/info/rfc7519</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC7636">[RFC7636]</dt>
<dd>
<span class="refAuthor">Sakimura, N., Ed.</span>, <span class="refAuthor">Bradley, J.</span>, and <span class="refAuthor">N. Agarwal</span>, <span class="refTitle">"Proof Key for Code Exchange by OAuth Public Clients"</span>, <span class="seriesInfo">RFC 7636</span>, <span class="seriesInfo">DOI 10.17487/RFC7636</span>, <time datetime="2015-09" class="refDate">September 2015</time>, <span><<a href="https://www.rfc-editor.org/info/rfc7636">https://www.rfc-editor.org/info/rfc7636</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC7800">[RFC7800]</dt>
<dd>
<span class="refAuthor">Jones, M.</span>, <span class="refAuthor">Bradley, J.</span>, and <span class="refAuthor">H. Tschofenig</span>, <span class="refTitle">"Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)"</span>, <span class="seriesInfo">RFC 7800</span>, <span class="seriesInfo">DOI 10.17487/RFC7800</span>, <time datetime="2016-04" class="refDate">April 2016</time>, <span><<a href="https://www.rfc-editor.org/info/rfc7800">https://www.rfc-editor.org/info/rfc7800</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9101">[RFC9101]</dt>
<dd>
<span class="refAuthor">Sakimura, N.</span>, <span class="refAuthor">Bradley, J.</span>, and <span class="refAuthor">M. Jones</span>, <span class="refTitle">"The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)"</span>, <span class="seriesInfo">RFC 9101</span>, <span class="seriesInfo">DOI 10.17487/RFC9101</span>, <time datetime="2021-08" class="refDate">August 2021</time>, <span><<a href="https://www.rfc-editor.org/info/rfc9101">https://www.rfc-editor.org/info/rfc9101</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC9126">[RFC9126]</dt>
<dd>
<span class="refAuthor">Lodderstedt, T.</span>, <span class="refAuthor">Campbell, B.</span>, <span class="refAuthor">Sakimura, N.</span>, <span class="refAuthor">Tonge, D.</span>, and <span class="refAuthor">F. Skokan</span>, <span class="refTitle">"OAuth 2.0 Pushed Authorization Requests"</span>, <span class="seriesInfo">RFC 9126</span>, <span class="seriesInfo">DOI 10.17487/RFC9126</span>, <time datetime="2021-09" class="refDate">September 2021</time>, <span><<a href="https://www.rfc-editor.org/info/rfc9126">https://www.rfc-editor.org/info/rfc9126</a>></span>. </dd>
<dd class="break"></dd>
</dl>
</section>
<section id="section-10.2">
<h3 id="name-informative-references">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#section-10.2" class="section-number selfRef">10.2. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-informative-references" class="section-name selfRef">Informative References</a>
</h3>
<dl class="references">
<dt id="ISO.18013-5">[ISO.18013-5]</dt>
<dd>
<span class="refAuthor">ISO/IEC JTC 1/SC 17 Cards and security devices for personal identification</span>, <span class="refTitle">"ISO/IEC 18013-5:2021 Personal identification — ISO-compliant driving license — Part 5: Mobile driving license (mDL) application"</span>, <time datetime="2021" class="refDate">2021</time>, <span><<a href="https://www.iso.org/standard/69084.html">https://www.iso.org/standard/69084.html</a>></span>. </dd>
<dd class="break"></dd>
</dl>
</section>
</section>
<div id="combined-issuance-of-sd-jwt-vc-and-mdocs">
<section id="appendix-A">
<h2 id="name-combined-issuance-of-sd-jwt">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#appendix-A" class="section-number selfRef">Appendix A. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-combined-issuance-of-sd-jwt" class="section-name selfRef">Combined Issuance of SD-JWT VC and mdocs</a>
</h2>
<ul class="compact">
<li class="compact" id="appendix-A-1.1">If combined issuance is required, the Batch Credential Endpoint MUST be supported.<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#appendix-A-1.1" class="pilcrow">¶</a>
</li>
</ul>
</section>
</div>
<div id="presentation-definition-schema">
<section id="appendix-B">
<h2 id="name-json-schema-for-the-support">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#appendix-B" class="section-number selfRef">Appendix B. </a><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-json-schema-for-the-support" class="section-name selfRef">JSON Schema for the supported Presentation Definition properties</a>
</h2>
<div class="breakable lang-json sourcecode" id="appendix-B-1">
<pre>{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Presentation Definition for a High Assurance Profile",
"type": "object",
"properties": {
"presentation_definition": {
"$ref": "#/definitions/presentation_definition"
}
},
"definitions": {
"presentation_definition": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"input_descriptors": {
"type": "array",
"items": {
"$ref": "#/definitions/input_descriptor"
}
},
"submission_requirements": {
"type": "array",
"items": {
"$ref": "#/definitions/submission_requirement"
}
}
},
"required": [
"id",
"input_descriptors"
],
"additionalProperties": false
},
"input_descriptor": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"purpose": {
"type": "string"
},
"format": {
"$ref": "http://identity.foundation/claim-format-registry/schemas/presentation-definition-claim-format-designations.json"
},
"group": {
"type": "array",
"items": {
"type": "string"
}
},
"constraints": {
"type": "object",
"additionalProperties": false,
"properties": {
"limit_disclosure": {
"type": "string",
"enum": [
"required",
"preferred"
]
},
"fields": {
"type": "array",
"items": {
"path": {
"type": "array",
"items": {
"type": "string"
}
},
"filter": {
"$ref": "http://json-schema.org/draft-07/schema#"
}
}
}
}
}
},
"required": [
"id",
"constraints"
]
},
"submission_requirement": {
"type": "object",
"oneOf": [
{
"properties": {
"name": {
"type": "string"
},
"rule": {
"type": "string",
"enum": [
"pick"
]
},
"count": {
"type": "integer",
"minimum": 1
},
"from": {
"type": "string"
}
},
"required": [
"rule",
"from"
],
"additionalProperties": false
}
]
}
}
}
</pre><a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#appendix-B-1" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="authors-addresses">
<section id="appendix-C">
<h2 id="name-authors-addresses">
<a href="https://vcstuff.github.io/oid4vc-haip-sd-jwt-vc/draft-oid4vc-haip-sd-jwt-vc.html#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
</h2>
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Kristina Yasuda</span></div>
<div dir="auto" class="left"><span class="org">Microsoft</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:kristina.yasuda@microsoft.com" class="email">kristina.yasuda@microsoft.com</a>
</div>
</address>
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Torsten Lodderstedt</span></div>
<div dir="auto" class="left"><span class="org">yes.com</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:torsten@lodderstedt.net" class="email">torsten@lodderstedt.net</a>
</div>
</address>
</section>
</div>
<script>const toc = document.getElementById("toc");
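// Wire up the collapsible table of contents.  `toc` is looked up from
// document.getElementById("toc") on the preceding line; if the page has no
// such element, or it lacks the <h2>/<nav> children, the original code threw
// a TypeError from querySelector/addEventListener.  Guard instead, so a
// document rendered without a TOC still loads without a console error.
if (toc) {
  const heading = toc.querySelector("h2");
  const nav = toc.querySelector("nav");
  // Clicking the TOC heading toggles the "active" (expanded) class.
  if (heading) {
    heading.addEventListener("click", () => {
      toc.classList.toggle("active");
    });
  }
  // Any click inside the TOC's nav (i.e. following a link) collapses it.
  if (nav) {
    nav.addEventListener("click", () => {
      toc.classList.remove("active");
    });
  }
}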
</script>
</body></html>