[has-PR] Anatomy of a credential request

Issue #1585 resolved

Tobias Looker created an issue 2022-08-05

Currently the structure of a credential request is as follows.

{
  "type": "https://did.example.org/healthCard"
  "format": "ldp_vc",
  "did": "did:example:ebfeb1f712ebc6f1c276e12ec21",
  "proof": {
    "proof_type": "jwt",
    "jwt": "eyJraWQiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEva2V5cy8
    xIiwiYWxnIjoiRVMyNTYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR
    0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJpYXQiOiIyMDE4LTA5LTE0VDIxOjE5OjEwWiIsIm5vbm
    NlIjoidFppZ25zbkZicCJ9.ewdkIkPV50iOeBUqMXCC_aZKPxgihac0aW9EkL1nOzM"
  }
}

Where the proof contains several key pieces of information, namely

The public key or how to get it, to validate the proof (pop)
Optionally an attestation about the key used to generate the pop
What the credential binding method is, e.g direct to a public key or via a resolvable identifier like a DID

In order to better preserve extensibility of these different elements of the request which come in multiple possible representations and have different relationships to one and other, im proposing that we flatten the request structure to something along the lines of the following

{
    "type": "drivers_license",
    "format": "iso_mdl",
    "credential_binding": {
        "binding_method": "public_key",
        "public_key": { 
            "key_format": "jwk",
            "key": { ...JWK },
            "key_attestation_format": "x509chain",
            "key_attestation": ["...."],
            "key_pop_format": "jwt",
            "key_pop": "<JWT>"
        }
    }
}

‌

Comments (15)

Tom Jones
I have had a major objection to credential requests ever since Daniel started to push for a PE. The primary goal of any request MUST (IMHO) be to communicate the purpose of the request to the holder. I was planning to create a purpose metaschema for another effort - perhaps we need to address that here as well?

BTW - why is there no @context in a request?

‌
- 2022-08-05T16:13:11+00:00
Torsten Lodderstedt
I support the proposed change.
- 2022-08-05T18:27:31+00:00
Giuseppe De Marco
+1
- 2022-08-08T23:44:43+00:00
Kristina Yasuda
In Connect call, agreed with the direction of decoupling pop from attestation, and let’s flesh out details in the issue before doing a PR ;)
- 2022-08-08T23:45:11+00:00
Kristina Yasuda
Personally, I think details matter. In particular would like clarity in below points:

in the PR, would be great if we can define basic params and say explicitly profiles are free to define their own parameters.

Also would like to discuss why “key“ has to be separate parameter while “key_pop“ JWT can include “key“ in `kid and body.

Also I think it is important to decide on which parameters are required and which ones are optional.
- 2022-08-08T23:47:30+00:00
Kristina Yasuda
- changed status to open
- 2022-08-09T19:28:53+00:00
Kristina Yasuda
clarify that protocol supports issuance of bearer credentials - `credential_binding` itself should be optional
- 2022-08-09T19:46:49+00:00
Kristina Yasuda
I still think “key“ to which credential is bound should be included in the header (kid/jwk parameters) of a pop instead of being sent separately. separating “key“ as a separate parameter does make it cleaner when the binding is to a raw key or an identifier like DID, but it increases the amount of verification and there is a risk of DID in “key“ not matching DID in “kid“ for example.
- 2022-08-10T00:39:18+00:00
Jeremie Miller
I’m not sure about the rest of it, but I definitely support renaming this to “credential binding” and not re-using or locking it into “proof” alone.
- 2022-08-22T23:51:56+00:00

Kristina Yasuda

will do a PR with a following direction based on a Aug-22 Connect call

{
  "type": "https://did.example.org/healthCard"
  "format": "ldp_vc",
  "credential_binding": {
    "credential_binding_type": "jwt",
    "jwt": "eyJraWQiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEva2V5cy8
    xIiwiYWxnIjoiRVMyNTYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR
    0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJpYXQiOiIyMDE4LTA5LTE0VDIxOjE5OjEwWiIsIm5vbm
    NlIjoidFppZ25zbkZicCJ9.ewdkIkPV50iOeBUqMXCC_aZKPxgihac0aW9EkL1nOzM"
  },
  "attestation": {
    "attestation_type": "SafetyNet",
    "jwt": "eyJraWQiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEva2V5cy8
    xIiwiYWxnIjoiRVMyNTYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJzNkJoZFJrcXQzIiwiYXVkIjoiaHR
    0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJpYXQiOiIyMDE4LTA5LTE0VDIxOjE5OjEwWiIsIm5vbm
    NlIjoidFppZ25zbkZicCJ9.ewdkIkPV50iOeBUqMXCC_aZKPxgihac0aW9EkL1nOzM"
  }
}

‌

2022-08-23T00:34:58+00:00

Kristina Yasuda
- changed title to [needs-PR] Anatomy of a credential request
- 2022-08-23T16:20:39+00:00
Kristina Yasuda
PR #293
- 2022-08-27T04:00:23+00:00
Kristina Yasuda
- changed title to [has-PR] Anatomy of a credential request
- 2022-08-27T04:26:09+00:00
Tobias Looker reporter
Closing because proposal is no longer relevant.
- 2023-03-29T05:21:47+00:00
Tobias Looker reporter
- changed status to resolved
- 2023-03-29T05:21:56+00:00
Log in to comment

Assignee: –

Type: enhancement

Priority: major

Status: resolved

Component: Credential Issuance

Milestone: –

Version: –

Votes: 0

Watchers: 1