Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
OpenID 4 Verifiable Credentials + HAIP (Update)
1. OpenID for Verifiable Credentials
The next generation of OpenID
Kristina Yasuda, Microsoft
Paul Bastian, Bundesdruckerei
Dr. Torsten Lodderstedt, Tuconic
2. What is Decentralized Identity?
Issuer
(Website)
Verifier
(Website)
Wallet
(user’s device,
cloud or hybrid)
Credential
Issuance
Credential
Presentation
User Interactions
● The User presenting the Identity data directly to the Verifier from the Wallet
○ <> In the federated model where Identity data is sent directly from the IdP to the Verifier
● Usually expressed with the flow below:
3. Verifiable Credentials: Benefits
● End-Users gain more privacy, and portability over their identity
information.
● Cheaper, faster, and more secure identity verification, when transforming
physical credentials into digital ones.
● Universal approach to handle identification, authentication, and
authorization in digital and physical space.
4. Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Why Protocol Layer Interoperability is Crucial.
Credential
Issuance
Credential
Presentation
One entity needs to talk to the large the number of entities, to increase the value of “Decentralized
Identity”.
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
User Interactions
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Issuer
(Website)
Wallet
(user’s device,
cloud or
hybrid)
Verifier
(Website)
Issuer
(Website)
5. Problems we identified and how we solved them
Problem Solution
A lot of entirely new Protocols. (Hard to get
security right, steep learning curve)
⇒
Building upon currently widely used protocols:
OAuth 2.0 and OpenID Connect. (Secure, already
understood)
No clear winner among Credential Formats ⇒ Designing a protocol agnostic to the Credential
Formats.
No one way to do key management. ⇒ Designing a protocol agnostic to the key
management mechanism.
Participating entities cannot typically
establish trust upfront, using traditional
mechanisms.
⇒ Flexibility in Trust Management. Third Party Trust.
6. OpenID for Verifiable
Credential Issuance
...so here comes OpenID for Verifiable Credentials (OID4VC)!
Issuer
(Website)
Verifier
(Website)
Wallet
(user’s device,
cloud or hybrid)
Credential
Issuance
Credential
Presentation
User Interactions
OpenID for Verifiable
Presentations
Self-Issued OP v2
7. Adoption (selected use-cases)
The European Digital Identity
Wallet[1], ARF v.1.1: “the EUDI Wallet
Solution MUST support
OpenID4VCI as an Issuance protocol.
Member States are free to include
additional issuance protocol
alternatives in their national solutions.”
NIST National Cybersecurity
Center of Excellence[2] is
running a project implementing
and testing implementations for
OID4VP to present mdocs/mDL.
DIF JWT VC Issuance /
Presentation Profile [3] [4] uses
OID4VC protocols for the
enterprise identity use-cases:
fraud prevention in B2B, B2E
scenarios.
[1] https://cloudsignatureconsortium.org/new-eu-eidas-regulation-a-quantum-leap-for-electronic-identity/ [2] https://www.nccoe.nist.gov/projects/digital-identities-mdl
[3] https://identity.foundation/jwt-vc-issuance-profile/ [4] https://identity.foundation/jwt-vc-presentation-profile/
9. ● A light-weight, low-cost, self-certification program to serve members, drive
adoption and promote high-quality implementations (since 2015~)
● 2,400+ total certifications to date!
● Benefits (there are more!)
○ Testers get direct support from the OIDF certification team
○ Internationally recognized, award winning
○ Updated as the specification evolves
● Current progress
○ Started development for OpenID for Verifiable Presentations. initial focus is on testing wallets.
○ OpenID for Verifiable Credential Issuance planned
● Things to know
○ Strictly tests protocol specification conformance and does not test what happens inside the wallet
○ Can be integrated in continuous development and deployment processes
○ Tests are open source
OpenID Foundation Certification for OID4VC specs
10. ● “Security and Trust in OpenID for Verifiable Credentials”
○ Describes the trust architecture in OpenID for Verifiable Credentials, outlines security
considerations and requirements for the components in an ecosystem.
● Results of the formal security analysis of OpenID for VC protocols were also
presented at the OAuth Security Workshop in August: “Protocols are secure
under the assumptions made”. Official publication shortly.
OID4VC Formal Security Analysis
12. OpenID for Verifiable Credential Issuance (Highlights)
- It’s an OAuth-protected API (Credential Endpoint at the Resource Server)
○ Leverages existing OAuth features and implementations
○ Easy of use for developers
- Supports various Security levels (including high security with hardware bound
keys)
- Various business requirements supported (ex. remote and in-person
provisioning)
- Different user-experiences can be achieved (multiple ways to initiate the flow)
- Issuer can check Wallet’s capabilities & Wallet can discover Issuer metadata
13. Wallet
⓪ Wallet requests & User authorizes
credential issuance
③ Credential is issued
① access token(, refresh token)
② Wallet requests credential issuance
Protocol Flow
Alice
Credential
Issuer
22. OpenID for Verifiable Presentations (Highlights)
- Designed for highest degree of privacy
- Easy of use for developers
- Supports various Security levels (e.g. mutual authentication among the parties)
- Different user-experiences can be achieved (same-device and cross-device)
- Presentation of multiple Credentials supported
- Various Wallet deployment models supported
- All local to a native app
- Native app with cloud backend
- Web wallet
30. OpenID for Verifiable Credential Issuance
New additions to the family coming!
Self-Issued OP v2
OpenID for Verifiable Presentations
OpenID for Verifiable Presentations over BLE
Security and Trust in OpenID for Verifiable Credentials
Core specs
additions
Certification Suite
OID4VC High Assurance Interoperability Profile with SD-JWT VC
Issuer
(Website)
Verifier
(Website)
Wallet
(user’s device,
cloud or hybrid)
Issue Credentials Present Credentials
User Interactions
31. Latest Updates
- Formal Security Analysis of Issuance and Presentation is about to be published.
- Automated Conformance Tests for Wallets (Presentation) are available (1st revision).
- Growing number of Open Source Implementations.
- OpenID4VC driving convergence at the protocol layer. Getting traction in the
- Aries community (.NET and JS Framework are being extended to support OID4VC)
- mdoc community (18013-7, 23220-4, 23220-3)
- etc.
33. OpenID4VC as Framework vs Profiles
- Interoperability requires instantiation of OpenID 4 VC with concrete
- Definition of “Mandatory to Implement” elements of the protocols, e.g. grant
types & response types
- Custom scheme for wallet invocation
- Definition of authentication mechanisms for Verifiers and Wallets
- Credential Format(s) with
■ issuer identification and key resolution
■ holder key binding
- Crypto algorithms
- Instantiation designated as “Profile”
34. OID4VC High Assurance Interoperability Profile with SD-JWT VC
- Interoperability across parties while being
- Privacy preserving and
- able to fulfill security and regulatory requirements
- Intended audience
- Proposal for eIDAS ARF (through OIDF/EC liaison)
- CA DMV wallet
- Basis for OWF project(s)
- IDunion Tech Stack
- GAIN PoC
- Japanese government (Trusted Web project)
- Basis for Userinfo
- other jurisdictions
- private companies / infrastructure companies
35. OID4VC High Assurance Interoperability Profile with SD-JWT VC
SIOPv2 OID4VP OID4VCI
custom scheme
crypto suites
custom scheme
credential profile
client id scheme
custom scheme
credential profile
wallet attestation
scheme
Protocols
Attestation based Client
Authentication
crypto suites
issuer key resolution
Wallet Attestation Scheme
Credential profile: SD-JWT VC
SD-JWT VC
JWT/CWT
Statuslist
crypto suites
issuer key resolution
crypto suites
issuer key resolution
- Custom Scheme: haip://
- issuer key resolution:
web-based, x509
- Crypto Suites:
P-256(secp256r1), SHA256
Basic Choices
● Authenticated issuer identifiers as
basis for trust management
● Trust Management Mechanism
can be defined on top
Note: Similar profile for ISO mdoc is being worked on for 18013-7, 23220-4 and -3
IETF OAuth WG adopted draft IETF OAuth WG adopted draft
36. Credential Format
- SD-JWT VC with JSON payload (“typ”: “vc+sd-jwt”)
- both compact and JSON serialization
- Issuer identification and key resolution
1. Web PKI based:
■ issuer URL (“iss” claim) used to obtain jwks_uri
■ key id in the “kid” JWS header
2. x.509:
■ x.509 cert chain in the “x5c” JWS header
■ issuer URL (“iss” claim) MUST be Subject Alternative Name (dnsName)
in x.509 cert
- Key binding:
- raw public key (jwk) in “cnf” JWT claim
- Credential Revocation: Bitmap type style Status list using JWTs
43. ● Extends the established framework of
RFC7521 for a new form of client
authentication
● Client instance obtains an attestation from
client backend
● Client backend may perform any number of
security checks before issuing a key-bound
attestation JWT to the client instance
● Client instance authenticates towards
Authorization server during a Token or PAR
Request
● Note - how the client communicates with the
client backend in steps 2&4 are out of scope
● Draft adopted by IETF OAuth WG
OAuth2 Attestation-Based Client Authentication
45. OpenID for Verifiable Presentations
- custom scheme “haip://” for wallet invocation.
- Universal presentation flow based on “direct_post” response mode for same and
cross device flows.
- Subset of the Presentation Exchange Syntax in order to simplify implementation
and prevent security issues
- Verifier Authentication with
- x.509 Certificates or
- Sender-constrained JWTs
47. Links
OpenID 4 Verifiable Credential Issuance
OpenID 4 Verifiable Presentation
SIOP v2
OpenID4VC High Assurance Interoperability Profile with SD-JWT VC
Security and Trust in OpenID for Verifiable Credentials Ecosystems
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/
Please engage with us: Digital Credentials Protocols (DCP) Working Group