| openid4vc-high-assurance-interoperabilit | July 2025 | |
| Yasuda & Lodderstedt | Standards Track | [Page] |
This document defines a profile of OpenID for Verifiable Credentials in combination with the credential formats IETF SD-JWT VC [I-D.ietf-oauth-sd-jwt-vc] and ISO mdoc [ISO.18013-5]. The aim is to select features and to define a set of requirements for the existing specifications to enable interoperability among Issuers, Wallets and Verifiers of Credentials where a high level of security and privacy is required. The profiled specifications include OpenID for Verifiable Credential Issuance [OIDF.OID4VCI], OpenID for Verifiable Presentations [OIDF.OID4VP], IETF SD-JWT VC [I-D.ietf-oauth-sd-jwt-vc], and ISO mdoc [ISO.18013-5].¶
This document defines a set of requirements for the existing specifications to enable interoperability among Issuers, Wallets and Verifiers of Credentials where a high level of security and privacy is required. This document is an interoperability profile that can be used by implementations in various contexts, be it a certain industry or a certain regulatory environment.¶
This document is not a specification, but a profile. It refers to the specifications required for implementations to interoperate among each other and for the optionalities mentioned in the referenced specifications, defines the set of features to be mandatory to implement.¶
The profile uses OpenID for Verifiable Credential Issuance [OIDF.OID4VCI] and OpenID for Verifiable Presentations [OIDF.OID4VP] as the base protocols for issuance and presentation of Credentials, respectively. The credential formats used are IETF SD-JWT VC as specified in [I-D.ietf-oauth-sd-jwt-vc] and ISO mdoc [ISO.18013-5]. Additionally, considerations are given on how the issuance of Credentials in both IETF SD-JWT VC [I-D.ietf-oauth-sd-jwt-vc] and ISO mdoc [ISO.18013-5] formats can be performed in the same transaction.¶
A full list of the open standards used in this profile can be found in Overview of the Open Standards Requirements (reference).¶
The audience of the document is implementers that require a high level of security and privacy for their solutions. A non-exhaustive list of the interested parties includes anyone implementing eIDAS 2.0, California Department of Motor Vehicles, Open Wallet Foundation (OWF), IDunion, GAIN, and the Trusted Web project of the Japanese government, but is expected to grow to include other jurisdictions and private sector companies.¶
This specification uses the terms "Holder", "Issuer", "Verifier", "Wallet", "Wallet Attestation", "Credential Type" and "Verifiable Credential" as defined in [OIDF.OID4VCI] and [OIDF.OID4VP].¶
This specification enables interoperable implementations of the following flows:¶
Implementations of this specification do not have to implement all of the flows listed above, but they MUST be compliant to all of the requirements for a particular flow they chose to implement.¶
A parameter that is listed as optional to be implemented in a specification that is being profiled (i.e., OpenID4VCI, OpenID4VP, W3C Digital Credentials API, IETF SD-JWT VC, and ISO mdoc) remains optional unless it is stated otherwise in this specification.¶
Profile of OpenID4VCI defines Wallet Attestation and Key Attestation.¶
Profile of IETF SD-JWT VC defines the following aspects * Status management of the Credentials, including revocation * Cryptographic Key Binding * Issuer key resolution * Issuer identification (as prerequisite for trust management)¶
Mandatory to implement crypto suites are defined for all of the flows.¶
Note that when OpenID4VP is used, the Wallet and the Verifier can either be remote or in-person.¶
Assumptions made are the following:¶
The standards that are being profiled in this specification are:¶
Note that these standards in turn build upon other underlying standards, and requirements in those underlying standards also need to be followed.¶
The following items are out of scope for the current version of this document, but might be added in future versions:¶
Both the Wallet and the Credential Issuer:¶
S256 as the code challenge method.¶
Both Wallet initiated and Issuer initiated issuance is supported.¶
authorization_code MUST be supported as defined in Section 4.1.1 in [OIDF.OID4VCI]¶
authorization_code, the Issuer MUST include a scope value in order to allow the Wallet to identify the desired Credential Type. The Wallet MUST use that value in the scope Authorization parameter.¶
haip:// MUST be supported. Implementations MAY support other ways to invoke the Wallets as agreed by trust frameworks/ecosystems/jurisdictions, not limited to using other custom URL schemes.¶
Note: The Authorization Code flow does not require a Credential Offer from the Issuer to the Wallet. However, it is included in the feature set to allow for Issuer initiated Credential issuance.¶
Both Issuer and Wallet MUST support Credential Offer in both same-device and cross-device flows.¶
Note: It is RECOMMENDED to use ephemeral client attestation JWTs for client authentication in order to prevent linkability across Credential Issuers.¶
Note: Issuers SHOULD be mindful of how long the usage of the refresh token is allowed to refresh a credential, as opposed to starting the issuance flow from the beginning. For example, if the User is trying to refresh a Credential more than a year after its original issuance, the usage of the refresh tokens is NOT RECOMMENDED.¶
Wallets MUST use Wallet Attestations as defined in Annex E of [OIDF.OID4VCI].¶
The public key certificate, and optionally a trust certificate chain, used to validate the signature on the Wallet Attestation MUST be included in the x5c JOSE header of the Client Attestation JWT.¶
The following proof types MUST be supported:¶
Wallets MUST support key attestations as defined in Annex D of [OIDF.OID4VCI]. If batch issuance is used, all public keys used in Credential Request SHOULD be attested within a single key attestation.¶
Requirements for both the Wallet and the Verifier:¶
haip:// MUST be supported. Implementations MAY support other ways to invoke the Wallets as agreed by trust frameworks/ecosystems/jurisdictions, not limited to using other custom URL schemes.¶
vp_token.¶
direct_post.jwt. The Verifier MUST return redirect_uri in response to the HTTP POST request from the Wallet, where the Wallet redirects the User to, as defined in Section 8.2 of [OIDF.OID4VP]. Implementation considerations for the response mode direct_post.jwt are given in Section 14.3 of [OIDF.OID4VP].¶
request_uri parameter as defined in JWT-Secured Authorization Request (JAR) [RFC9101].¶
x509_san_dns or verifier_attestation. The Wallet MUST support both. The Verifier MUST support at least one.¶
kid MUST be used to identify the respective key.¶
The following requirements apply for both, the Wallet and the Verifier, unless specified otherwise:¶
MUST support Annex A in [OIDF.OID4VP] that defines how to use OpenID4VP over the W3C Digital Credentials API.¶
dc_api.jwt. The response MUST be encrypted.¶
alg (algorithm) header parameter (see Section 4.1.1 of [RFC7516])
value ECDH-ES (as defined in Section 4.6 of [RFC7518]), with key agreement utilizing keys on the P-256 curve (see Section 6.2.1.1 of [RFC7518]) MUST be supported.
The JWE enc (encryption algorithm) header parameter (see Section 4.1.2 of [RFC7516]) value A128GCM (as defined in Section 5.3 of [RFC7518]) MUST be supported.¶
Requirements for both the Wallet and the Verifier:¶
intent_to_retain defined in Annex B.3.1 of [OIDF.OID4VP] MUST be present.¶
DeviceResponse (as defined in 8.3.2.1.2.2 of [ISO.18013-5]), each matching to a respective DCQL query. Therefore, the resulting vp_token contains multiple DeviceResponse instances.¶
Note that the Credential Format Identifier and SessionTranscript CBOR structure are defined in [OIDF.OID4VP].¶
Requirements for both the Wallet and the Verifier:¶
dc+sd-jwt.¶
This profile defines the following additional requirements for IETF SD-JWT VCs as defined in [I-D.ietf-oauth-sd-jwt-vc].¶
| Claim | SD-JWT as issued by the Issuer | Normative Definition |
|---|---|---|
| iss | MUST | [RFC7519], Section 4.1.1 |
| iat | MUST | [RFC7519], Section 4.1.6 |
| exp | SHOULD (at the discretion of the Issuer) | [RFC7519], Section 4.1.4 |
| cnf | MUST | [RFC7800] |
| vct | MUST | [I-D.ietf-oauth-sd-jwt-vc] |
| status | SHOULD (at the discretion of the Issuer) | [I-D.ietf-oauth-status-list] |
exp claim and/or a status claim to express the validity period of an SD-JWT-VC. The Wallet and the verifier MUST support both mechanisms.¶
iss claim MUST be an HTTPS URL. The iss value is used to obtain Issuer's signing key as defined in Section 7.1.¶
vct JWT claim as defined in [I-D.ietf-oauth-sd-jwt-vc].¶
cnf claim [RFC7800] MUST conform to the definition given in [I-D.ietf-oauth-sd-jwt-vc]. Implementations conforming to this profile MUST include the JSON Web Key [RFC7517] in the jwk sub claim.¶
Any of the flows defined in this specification MUST be used with cryptographic holder binding.¶
Note: Re-using the same Credential across Verifiers, or re-using the same JWK value across multiple Credentials gives colluding Verifiers a mechanism to correlate the User. There are currently two known ways to address this with SD-JWT VCs. First is to issue multiple instances of the same Credentials with different JWK values, so that if each instance of the Credential is used at only one Verifier, it can be reused multiple times. Another is to use each Credential only once (ephemeral Credentials). It is RECOMMENDED to adopt one of these mechanisms.¶
Note: If there is a requirement to communicate information about the verification status and identity assurance data of the claims about the subject, the syntax defined by [OIDF.ekyc-ida] SHOULD be used. It is up to each jurisdiction and ecosystem, whether to require it to the implementers of this profile.¶
Note: If there is a requirement to provide the Subject’s identifier assigned and maintained by the Issuer, the sub claim MAY be used. There is no requirement for a binding to exist between the sub and cnf claims. See the Implementation Considerations section in [I-D.ietf-oauth-sd-jwt-vc].¶
Note: In some Credential Types, it is not desirable to include an expiration date (eg: diploma attestation). Therefore, this profile leaves its inclusion to the Issuer, or the body defining the respective Credential Type.¶
This profile supports two ways to represent and resolve the key required to validate the Issuer signature of an SD-JWT VC, the web PKI-based key resolution and the x.509 certificates.¶
kid MUST be used to identify the respective key.¶
x5c JOSE header. In this case, the iss value MUST be an URL with a FQDN matching a dNSName Subject Alternative Name (SAN) [RFC5280] entry in the leaf certificate.¶
Note: The Issuer MAY decide to support both options. In which case, it is at the discretion of the Wallet and the Verifier which key to use for the Issuer signature validation.¶
A Credential Format Profile for Credentials complying with IETF SD-JWT VCs [I-D.ietf-oauth-sd-jwt-vc] is defined in Annex A.3 of [OIDF.OID4VCI] and Annex A.4 of [OIDF.OID4VP].¶
Cryptography is required by the following operations:¶
Issuers, Holders, and Verifiers MUST support P-256 (secp256r1) as a key type with the ES256 JWT algorithm [RFC7518] for the creation and the verification of the above signatures.¶
When using this profile alongside other cryptosuites, each entity SHOULD make it explicit in its metadata which other algorithms and key types are supported for the cryptographic operations.¶
The hash algorithm SHA-256 MUST be supported by all the entities to generate and validate the digests in the IETF SD-JWT VC and ISO mdoc.¶
When using this profile alongside other hash algorithms, each entity SHOULD make it explicit in its metadata which other algorithms are supported.¶
iat and exp JWT claims express both the validity period of both the signature and the claims about the subject, unless there is a separate claim used to express the validity of the claims.¶
The security considerations in [OIDF.OID4VCI] and [OIDF.OID4VP] apply.¶
We would like to thank Paul Bastian, Christian Bormann, Mike Jones, Oliver Terbu, Daniel Fett, and Giuseppe De Marco for their valuable feedback and contributions to this specification.¶
Copyright (c) 2025 The OpenID Foundation.¶
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft, Final Specification, or Final Specification Incorporating Errata Corrections solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts, Final Specifications, and Final Specification Incorporating Errata Corrections based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.¶
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy (found at openid.net) requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. OpenID invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.¶
[[ To be removed from the final specification ]]¶
-04¶
-03¶
-02¶
-01¶
client_id_scheme parameter that no longer exists in OpenID4VP¶
-00¶