
OpenID for Verifiable Credentials

OpenID for Verifiable Credentials is a family of protocols supporting the implementation of applications built on Verifiable Credentials: verifiable credential issuance, credential presentation, and pseudonymous authentication.

#identiverse
OpenID for Verifiable Credentials
Kristina Yasuda, Identity Standards Architect, Microsoft
Dr. Torsten Lodderstedt, CTO, yes.com
Verifiable Credentials: A Paradigm Shift

[Diagram: the Issuer (a website) issues credentials to the Holder (a digital wallet), and the Holder presents credentials to the Verifier (a website). The wallet can be hosted locally on the user's device, have cloud components, or be entirely hosted in the cloud.]

● A verifiable credential is a tamper-evident credential with cryptographically verifiable authorship that contains claims about a subject.
● This enables
  ○ decoupling issuance from presentation
  ○ multi-use of the credentials
  ○ combination of multiple credentials in one presentation
Verifiable Credentials around you
Use Case 1: mobile Driving Licence
Use Case 2: Vaccination QR Code
Verifiable Credentials: Benefits
- End-users gain more control, privacy, and portability over their identity information.
- Cheaper, faster, and more secure identity verification when physical credentials are transformed into digital ones using verifiable credentials.
- Universal approach to handling identification, authentication, and authorization in digital and physical space.
- Issuers gain more flexibility:
  - No need for a public service with high availability, depending on the process
  - Diverse presentation channels offered by the wallet
Components of the "OpenID for Verifiable Credentials" specification family

[Same Issuer / Holder (digital wallet) / Verifier diagram as above, with the wallet again hosted locally on the user's device, with cloud components, or entirely in the cloud; the three specifications are placed on it as follows.]

① OpenID Connect for Verifiable Presentations (presentation of verifiable credentials)
② Self-Issued OP v2 (authentication using identifiers not namespaced to third-party identity providers)
③ OpenID for Credential Issuance (issuance of verifiable credentials)

Why use OpenID Connect & OAuth 2.0 as a basis?
- Self-Issued OP (SIOP) has been in OpenID Connect Core since ratification and provides a good starting point
- Leverages the simplicity and security of OpenID Connect and OAuth 2.0
- Existing libraries, only HTTPS communication, developer familiarity
- Great for mobile applications, no firewall hassles
- Security of OpenID Connect has been tested and formally analysed
- Existing OpenID Connect RPs can receive verifiable credentials; existing OpenID Connect OPs can issue verifiable credentials
OpenID for Verifiable Presentations (OpenID4VPs)
OpenID for Verifiable Presentations

[Flow diagram: Alice, her Wallet (acting as OP) holding stored verifiable credentials, and a Website or App (Verifier)]
⓪ User tries to access a resource
① RP requests Credential(s)*
② Wallet returns Verifiable Presentation(s) in a VP Token

- Query language to granularly specify what kind of credential the Verifier wants (utilizes DIF Presentation Exchange 2.0)
- Verifiable Presentations* are returned in a newly defined VP Token
- Simple overall architecture, e.g. device-local communication when the same-device flow is used

* Can be any credential/presentation format, not limited to W3C Verifiable Credentials.
OpenID4VPs allows choices across components in the VC tech stack.

Component                    | Implementer's choices when using OpenID4VP
Credential Format            | Any format (W3C JWT-VC or LDP-VC, ISO mDL, SD-JWT, …)
Method to obtain Public Keys | Any DID method, raw keys, or X.509 certs
Cryptography                 | Any cryptosuite (EdDSA, ES256K, etc.)
Revocation                   | Any mechanism (Status List 2021, Revocation List 2020, Accumulators, etc.)
Trust Management             | Any mechanism for managing trusted Issuers, Wallets and Relying Parties (Trusted Registries, Ledgers, …)
It is NOT SIOPv2 that you will use to present verifiable credentials
Self-Issued OP v2

[Flow diagram: Alice, her User Agent (acting as OP), and a Website (RP)]
⓪ User tries to access a resource
① RP requests ID Token
② OP on the user device issues a subject-signed ID Token

- ID Tokens are signed with user-controlled key material (pseudonymous authentication with pairwise subject identifiers)
- Identifiers are user controlled and do not depend on a third-party identity provider
- Can be used in combination with OpenID4VPs when the use case requires end-user authentication, i.e. the features of OpenID Connect, such as issuance of ID Tokens
Why use OpenID4VPs & SIOP v2?
- Credential format/crypto suite agnostic
- Same-device and cross-device scenarios
- Mutual authentication of RP and wallet
- Pseudonymous authentication to RPs through SIOP v2
- Works well with OAuth for authorization of API-based payments and remote signature creation
- Offline: work in progress (MOSIP)
- Selective disclosure (if supported by the credential format)
- Note: referenced by the ISO/IEC 18013-7 and 23220-4 Mobile Driving Licence related draft standards as a data release method
Status: Credential Presentation
- First Implementer's Drafts approved (both SIOP v2 and OpenID4VPs)
- Can be implemented with IPR protection
- Targeting Second Implementer's Draft by the end of 2022
- Existing & ongoing implementations:
  - The European Blockchain Services Infrastructure (EBSI)
  - Microsoft
  - Workday
  - Ping Identity
  - Convergence.Tech
  - IDunion
  - walt.id (eSSIF-Lab)*
  - Sphereon
  - Gimly
OpenID for Verifiable Credential Issuance (OpenID4VCI)
Wallet Initiates Process (e.g. issuance during presentation)
OpenID 4 Verifiable Credentials Issuance

[Flow diagram: Alice, her Wallet (acting as OP) with stored verifiable credentials, the Credential Issuer, and a Website or App (RP). The numbered steps belong to two legs.]

Issuance leg (Wallet and Credential Issuer):
⓪ Wallet requests & User authorizes credential issuance
① Access token (, refresh token)
② Wallet requests credential issuance
③ Credential is issued

Presentation leg (Wallet and RP):
⓪ User tries to log in to the RP
① RP requests Credential(s)
② Wallet issues Verifiable Presentation(s)

Credential issuance via a simple OAuth-authorized API
Design Principles
- Defined a new OAuth-protected Credential Endpoint, in addition to the Authorization/Token Endpoints
- Two authorization flows:
  - Code flow (other OAuth 2.0 grant types possible): authorization for one or more credentials at the Authorization Endpoint once the wallet is invoked
  - Pre-authorized code flow (new grant type): authorization for one or more credentials prior to the Wallet being invoked
- Supports different methods for the Wallet to prove possession of the key material used to bind the credential
• 24. Why use OpenID4VCI?
  - Credential format/crypto suite agnostic
  - Hardware-backed key material for cryptographic binding of attribute attestations (leveraging HSMs, SEs, TEEs)
  - Same device and cross device scenarios
  - Mutual authentication of wallet and issuer
  - Can extend existing OAuth/OpenID deployments, simple way for existing AS/IDPs to become PID/(Q)EAA issuers
  - Note: will be added to ISO 23220-3 electronic ID standards
• 25. Status of the Issuance specification
  - Targeting First Implementer’s draft by the end of 2022.
  - https://openid.net/specs/openid-connect-4-verifiable-credential-issuance-1_0.html
  - Planned and ongoing implementations:
    - The European Blockchain Services Infrastructure (EBSI)
    - Microsoft
    - Mattr
    - IDunion
    - walt.id & yes.com & BCDiploma (eSSIF-Lab)
    - Sphereon
    - Talao.io
    - Convergence.Tech
• 26. Whitepaper “OpenID for Verifiable Credentials”
  - Aims to assist decision-makers, architects and implementers in the decision-making process when building a verifiable credentials ecosystem.
  - Some popular sections…
    - Demystifying myths about verifiable credentials
    - Various scopes of “decentralization”
    - Shift in the trust model brought by verifiable credentials
    - Business drivers
    - Use-Cases
• 27. Why use OpenID for Verifiable Credentials?
  - Security and simplicity guaranteed: OAuth/OpenID Connect deployment experience (3B+ users, millions of applications), and the OpenID Foundation Certification program
  - Fast, scalable adoption: easy integration/deployment on existing infrastructure given the familiarity of developers and administrators with OAuth/OpenID
  - Adoption underway
    - Projects in the EU (EBSI/ESSIF, Secure Digital Identities Showcase)
    - Incorporated into major participants’ products (e.g. Microsoft, Ping Identity, walt.id)
    - Global Assured Identity Network PoC
  - Could meet high security requirements with the FAPI Security Profile
  - Interoperability on the protocol layer that is both credential format agnostic and allows for interoperability between markets
• 28. Call to Action
  1. Implement the specifications to unlock your use cases and provide us feedback
  2. Read the whitepaper and stay up to date with the recent developments
• 30. Example: Authorization Request
  HTTP/1.1 302 Found
  Location: https://server.example.com/authorize?
    response_type=code                    // any other grant type
    &client_id=s6BhdRkqt3
    &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    &code_challenge_method=S256
    &scope=openid_credential:https://example.org/idcard
    &redirect_uri=https://client.example.org/cb
• 31. Example: Credential Issuance
  Request:
  POST /credential HTTP/1.1
  Host: server.example.com
  Content-Type: application/x-www-form-urlencoded
  Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW

  type=https://example.org/idcard
  &format=ldp_vc
  &did=did:key:z6MkqUDiu3MHxAmuMQ8jjkLiUu1mscLT8E9R5CKdbtr7gwR8
  &proof=%7B%22type%22:%22jwt%22…0aW9EkL1nOzM%22%7D

  Response:
  HTTP/1.1 200 OK
  Content-Type: application/json
  Cache-Control: no-store
  Pragma: no-cache

  {
    "format": "ldp_vc",
    "credential": "eyJjcmVkZW50a...d0MifQ=="
  }
• 32. Example: Issued Credential
  {
    ...
    "issuer": "did:key:z6MkgF2pvVNEFXCksupWKrdPhL6ubecis3AWbWVsr9bNAbwC",
    "type": [ "VerifiableCredential" ],
    "credentialSchema": {
      "id": "https://example.org/idcard"
    },
    "credentialSubject": {
      "placeOfBirth": {
        "country": "DE",
        "locality": "Berlin"
      },
      "familyName": "Family001",
      ...
• 33. Request Example (W3C VCs)
  {
    "response_type": "id_token",
    "client_id": "https://example.com/callback",
    "scope": "openid",
    "redirect_uri": "https://example.com/callback",
    "nonce": "67473895393019470130",
    ...
    "claims": {
      "vp_token": {
        "presentation_definition": {
          "id": "1",
          "constraints": {
            "fields": [
              {
                "path": [ "$.credentialSchema.id" ],
                "filter": {
                  "type": "string",
                  "pattern": "https://example.org/idcard"
                }
              }
            ]
          }
        }
      }
    }
  }
• 34. Response Example (W3C VCs)
  ID Token:
  {
    "iss": "https://self-issued.me/v2",
    "aud": "https://example.com/callback",
    "sub": "did:key:z6MkqUDiu3MHxAm...mscLT8E9R5CKdbtr7gwR8",
    "exp": 1645469476,
    "iat": 1645465876,
    "nonce": "cdb97870-a3be-49b4-aa55-8c7c7122178a",
    "_vp_token": {
      "presentation_submission": {
        "descriptor_map": [
          {
            "path": "$",
            "format": "ldp_vp",
            "path_nested": {
              "path": "$.verifiableCredential[0]",
              "format": "ldp_vc"
            }
          }
        ],
        "definition_id": "1",
        "id": "1"
      }
    }
  }

  VP Token:
  {
    "@context": [ "https://www.w3.org/2018/credentials/v1" ],
    "holder": "did:key:z6MkqUDiu3MHxAmuMQ8jjkLiUu1mscLT8E9R5CKdbtr7gwR8",
    "id": "urn:uuid:04816f2a-85f1-45d7-a66d-51764d39a569",
    "proof": {
      "domain": "https://example.com/callback",
      "jws": "...",
      "nonce": "cdb97870-a3be-49b4-aa55-8c7c7122178a",
      "proofPurpose": "authentication",
      "type": "Ed25519Signature2018",
      "verificationMethod": "did:key:z6MkqUDiu3..."
    },
    "type": [ "VerifiablePresentation" ],
    "verifiableCredential": [
      {
        …
        "type": [ "VerifiableCredential" ],
        "credentialSubject": {
          "id": "did:key:z6MkqUDiu3MHxAmuMQ8jjkLiUu1mscLT8E9R5CKdbtr7gwR8",
          "familyName": "Family001",
          "givenName": "Given001",
          "birthDate": "1950-01-01",
          "placeOfBirth": {
            "country": "DE",
            "locality": "Berlin"
          }
        },
        ...
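Verifier-side checks for the W3C request/response pair above, as an added Python example that is not part of the slides: it resolves the descriptor_map's path_nested into the VP Token, evaluates the presentation_definition field constraints (path plus filter pattern/const, the same shape the ISO mDL and AnonCreds requests use), and checks the nonce, domain and holder binding. The input_descriptors form, the sample values and the function names are assumptions; signature verification of the ID Token and of the VP proof is out of scope here.

```python
import re
# Added example (not from the slides). Signature checks on the ID Token and on the VP proof "jws" are assumed done elsewhere.

def resolve_path(obj, path):
    """Resolve a minimal JSONPath such as $.verifiableCredential[0].credentialSchema.id (None if absent)."""
    for name, idx in re.findall(r"\.([\w@]+)|\[(\d+)\]", path):
        try:
            obj = obj[name] if name else obj[int(idx)]
        except (KeyError, IndexError, TypeError):
            return None
    return obj

def field_matches(cred, field):
    """A field constraint holds if one of its paths resolves to a value that passes the filter."""
    f = field.get("filter", {})
    return any(value is not None and ("const" not in f or value == f["const"])
               and ("pattern" not in f or (isinstance(value, str) and re.search(f["pattern"], value)))
               for value in (resolve_path(cred, p) for p in field["path"]))

def verify_presentation(client_id, nonce, pd, id_token, vp):
    """Check an OpenID4VP response against the request; returns the failed checks (empty = OK)."""
    findings = []
    if id_token.get("aud") != client_id or id_token.get("nonce") != nonce:
        findings.append("id_token aud/nonce do not match the request")
    proof = vp.get("proof", {})
    if proof.get("domain") != client_id or proof.get("nonce") != nonce:
        findings.append("vp proof domain/nonce do not match the request (replay)")
    descriptors = {d["id"]: d for d in pd["input_descriptors"]}
    for entry in id_token["_vp_token"]["presentation_submission"]["descriptor_map"]:
        cred = resolve_path(vp, entry["path_nested"]["path"])  # locate the VC inside the VP
        desc = descriptors.get(entry["id"])
        if cred is None or desc is None:
            findings.append(f"descriptor {entry['id']!r} cannot be resolved")
        elif not all(field_matches(cred, fd) for fd in desc["constraints"].get("fields", [])):
            findings.append(f"credential for {entry['id']!r} fails a field constraint")
        elif cred.get("credentialSubject", {}).get("id") != vp.get("holder"):
            findings.append("credential subject is not the presenting holder")
    return findings

# Constructed sample data mirroring the slides' W3C request/response (illustrative values).
CB, NONCE = "https://example.com/callback", "67473895393019470130"
HOLDER = "did:key:z6MkqUDiu3MHxAmuMQ8jjkLiUu1mscLT8E9R5CKdbtr7gwR8"
PD = {"id": "1", "input_descriptors": [{"id": "idcard", "constraints": {"fields": [
    {"path": ["$.credentialSchema.id"], "filter": {"type": "string", "pattern": "https://example.org/idcard"}}]}}]}
VP = {"holder": HOLDER, "proof": {"domain": CB, "nonce": NONCE, "jws": "..."}, "verifiableCredential": [
    {"credentialSchema": {"id": "https://example.org/idcard"}, "credentialSubject": {"id": HOLDER}}]}
ID_TOKEN = {"aud": CB, "sub": HOLDER, "nonce": NONCE, "_vp_token": {"presentation_submission": {"definition_id": "1",
    "descriptor_map": [{"id": "idcard", "path": "$", "format": "ldp_vp",
                        "path_nested": {"path": "$.verifiableCredential[0]", "format": "ldp_vc"}}]}}}
```

`verify_presentation(CB, NONCE, PD, ID_TOKEN, VP)` returns an empty list for the constructed sample; a stale nonce, a credential with a different credentialSchema, or a credential bound to another holder each produce a finding.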
• 35. Request Example (ISO mDL)
  {
    "response_type": "id_token",
    "client_id": "https://example.com/callback",
    "scope": "openid",
    "redirect_uri": "https://example.com/callback",
    "nonce": "67473895393019470130",
    ...
    "claims": {
      "vp_token": {
        "presentation_definition": {
          "id": "mDL-sample-req",
          "input_descriptors": [
            {
              "id": "mDL",
              "format": {
                "mdl_iso_cbor": { "alg": ["EdDSA", "ES256"] }
              },
              "constraints": {
                "limit_disclosure": "required",
                "fields": [
                  {
                    "path": ["$.mdoc.doctype"],
                    "filter": { "type": "string", "const": "org.iso.18013.5.1.mDL" }
                  },
                  {
                    "path": ["$.mdoc.namespace"],
                    "filter": {
                      "type": "string",
                      ...
• 36. Response Example (ISO mDL)
  ID Token:
  {
    "aud": "https://client.example.org/callback",
    "sub": "9wgU5CR6PdgGmvBfgz_CqAtBxJ33ckMEwvij-gC6Bcw",
    "iss": "9wgU5CR6PdgGmvBfgz_CqAtBxJ33ckMEwvij-gC6Bcw",
    "sub_jwk": {
      "x": "cQ5fu5VmG...dA_5lTMGcoyQE78RrqQ6",
      "kty": "EC",
      "y": "XHpi27YMA...rnF_-f_ASULPTmUmTS",
      "crv": "P-384"
    },
    "exp": 1638483944,
    "iat": 1638483344,
    "nonce": "67473895393019470130",
    "_vp_token": {
      "presentation_submission": {
        "descriptor_map": [
          { "id": "mDL", "path": "$", "format": "mdl_iso" }
        ],
        "definition_id": "mDL-sample-req",
        "id": "mDL-sample-res"
      }
    }
  }

  VP Token (CBOR diagnostic notation):
  {
    "status": 0,
    "version": "1.0",
    "documents": [
      {
        "docType": "org.iso.18013.5.1.mDL",
        "deviceSigned": {
          "deviceAuth": {
            "deviceMac": [
              << {1: 5} >>,
              {},
              null,
              h'A574C64F18902BFE18B742F17C581218F88EA279AA96D0F5888123843461A3B6'
            ]
          },
          "nameSpaces": 24(h'A0')
        },
        "issuerSigned": {
          "issuerAuth": [
            << {1: -7} >>,
            { 33: h'...' },
            << 24(<< {
              "docType": "org.iso.18013.5.1.mDL",
              "version": "1.0",
              "validityInfo": {
                "signed": 0("2022-04-15T06:23:56Z"),
                "validFrom": 0("2022-04-15T06:23:56Z"),
                "validUntil": 0("2027-01-02T00:00:00Z")
              },
              "valueDigests": {
                ...
• 37. Request Example (AnonCreds)
  {
    "response_type": "id_token",
    "client_id": "https://example.com/callback",
    "scope": "openid",
    "redirect_uri": "https://example.com/callback",
    "nonce": "67473895393019470130",
    ...
    "claims": {
      "vp_token": {
        "presentation_definition": {
          "id": "NextcloudLogin",
          "input_descriptors": [
            {
              "id": "ref2",
              "name": "NextcloudCredential",
              "format": {
                "ac_vc": { "proof_type": ["CLSignature2019"] }
              },
              "constraints": {
                "limit_disclosure": "required",
                "fields": [
                  {
                    "path": [ "$.schema_id" ],
                    "filter": {
                      "type": "string",
                      "pattern": "did:indy:idu:test:3QowxFtwciWceMFr7WbwnM:2:BasicScheme:0.1"
                    }
                  },
                  { "path": ["$.values.email"] },
                  { "path": ["$.values.first_name"] },
                  { "path": ["$.values.last_name"] }
                ]
                ...
• 38. Response Example (AnonCreds)
  ID Token:
  {
    "aud": "https://example.com/callback",
    "sub": "9wgU5CR6PdgGmvBfgz_CqAtBxJ33ckMEwvij-gC6Bcw",
    "auth_time": 1638483344,
    "iss": "https://self-issued.me/v2",
    "sub_jwk": {
      "x": "cQ5fu5VmG…dA_5lTMGcoyQE78RrqQ6",
      "kty": "EC",
      "y": "XHpi27YMA…rnF_-f_ASULPTmUmTS",
      "crv": "P-384"
    },
    "exp": 1638483944,
    "iat": 1638483344,
    "nonce": "67473895393019470130",
    "_vp_token": {
      "presentation_submission": {
        "descriptor_map": [
          {
            "id": "ref2",
            "path": "$",
            "format": "ac_vp",
            "path_nested": {
              "path": "$.requested_proof.revealed_attr_groups.ref2",
              "format": "ac_vc"
            }
          }
        ],
        "definition_id": "NextcloudLogin",
        "id": "NexcloudCredentialPresentationSubmission"
      }
    }
  }

  VP Token:
  {
    "proof": {...},
    "requested_proof": {
      "revealed_attrs": {},
      "revealed_attr_groups": {
        "ref2": {
          "sub_proof_index": 0,
          "values": {
            "email": { "raw": "alice@example.com", "encoded": "115589951…83915671017846" },
            "last_name": { "raw": "Wonderland", "encoded": "167908493…94017654562035" },
            "first_name": { "raw": "Alice", "encoded": "270346400…99344178781507" }
          }
        }
      },
      …
    },
    "identifiers": [
      {
        "schema_id": "3QowxFtwciWceMFr7WbwnM:2:BasicScheme:0.1",
        "cred_def_id": "CsiDLAiFkQb9N4NDJKUagd:3:CL:4687:awesome_cred",
        "rev_reg_id": null,
        "timestamp": null
      }
    ]
  }