Attempt to converge format/selection in verifiable_presentations with presentation_submission

Comments (10)

1. 

   Daniel Buchner reporter

   This Issue is in reference to the examples found in PR 44: openid / connect / Pull Request #44: Add presentation submission support — Bitbucket

   • 2021-09-01T21:30:47+00:00
2. 

   Jeremie Miller Account Deactivated

   This looks much cleaner and at least for me logically parses well.

   • 2021-09-01T23:12:26+00:00
3. 

   Kristina Yasuda

   I really do not understand how RP is supposed to know the format of a VP if it is inside the VP itself. especially if it is a Base64url encoded vp-JWT

   • 2021-09-02T20:13:56+00:00
4. 

   Kristina Yasuda

   I think I misunderstood and the proposal is to externalize presentation_submisson and include it in the ID token - so it can help identify format of both vp and vc. If are to use presentation_submission, this does look like a cleaner way.

   • 2021-09-04T06:52:15+00:00
5. 

   Torsten Lodderstedt

   The current proposal in the PR follows the way WACI uses presentation submissions and was also the result of a discussion in the DIF credential WG Slack channel.

   What is the benefit of your proposal?

   Also note: your proposal is the first example of a presentation submission referring to a VP instead of a VC. I‘m surprised this is possible.

   • 2021-09-04T10:49:26+00:00
6. 

   Daniel Buchner reporter

   “your proposal is the first example of a presentation submission referring to a VP instead of a VC. I‘m surprised this is possible.” - this is something the spec already provided for, because some exchanges we saw had multiple levels of wrapping (VPs wrapping at depth, and even tokens with VPs in them with VC children). The relevant section is here: DIF Presentation Exchange (identity.foundation). This was done to provide a singular, deterministic way to drill down through any number of layers and process layers by format (e.g. when you need to know the format at a layer to decode it, in the case of Base64Url encoded blobs).

   The advantage here is that we would be able to use the exact same format indicator and mapping utility that handles all the format indicators in one place, simplifying the spec and implementations (imo). Doing this would allow a PE library to just handle this without any difference in processing across envelope transport protocols.

   • 2021-09-04T15:01:20+00:00
7. 

   Torsten Lodderstedt

   ok. thanks for the explanation.

   A further advantage of your proposal is that the verifier can determine metadata about JWT based VCs before base64url decoding them.

   Moreover, this keeps PE syntax outside of the presentation object. When implementing the current approach, we run into problems with existing formats and frameworks. So the proposal would solve this as well.

   However, we would loss the cryptographic protection of the presentation submission in some situations, e.g. when using vp tokens and in unsigned userinfo responses. I’m not sure how important this is, but Orie pointed it out as an advantage of embedding the presentation submission into the presentation (as WACI does).

   Any thoughts?

   • 2021-09-05T14:28:35+00:00
8. 

   Kristina Yasuda

   • changed status to open

   this is addressed by PR #44 and will be closed when it is merged

   • 2021-09-24T15:59:05+00:00
9. 

   Kristina Yasuda

   We can close this issue in the next SIOP call since following the discussions in DIF-OIDF calls, the agreement has been reached to include presentation_submission in the ID Token to be able to refer to both VP and VC sent in the response as defined in section 6.2 of OIDC4VP

   Also example below:

   {
      "iss":"https://self-issued.me/v2",
      "aud":"https://client.example.org/cb",
      "iat":1615910538,
      "exp":1615911138,
      "sub":"NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs",
      "auth_time":1615910535,
      "nonce":"n-0S6_WzA2Mj",
      "sub_jwk": {
        "kty":"RSA",
        "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
        4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
        tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
        QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
        SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
        w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
        "e":"AQAB"
       }
       "_vp_token_": {
           "presentation_submission": {
               "id": "Selective disclosure example presentation",
               "definition_id": "Selective disclosure example",
               "descriptor_map": [
                   {
                       "id": "ID Card with constraints",
                       "format": "ldp_vp",
                       "path": "$",
                       "path_nested": {
                           "format": "ldp_vc",
                           "path": "$.verifiableCredential[0]"
                       }
                   }
               ]
           }
       }
   }
   

   ‌

   ‌

   • 2021-11-18T19:30:34+00:00
10. 

    Kristina Yasuda

    • changed status to resolved

    Resolving since this issue has been addressed by deciding to put presentation_submission in the ID Token.

    However new issue has been raised whether presentation_submission itself should be optional - Issue #1364

    • 2021-12-02T17:13:05+00:00
11. Log in to comment