Embedded Issuer Policies #212

Open
paulbastian opened this issue Feb 16, 2024 · 3 comments

@paulbastian
Collaborator

For high-security use cases or use cases with sensitive data, some Issuers may want to require that VCs are only released to authorized Verifiers. One of the options to establish such a mechanism is to embed such a policy in the credential itself.

Do you believe this is something that should be solved by SD-JWT VC or does this belong into a profile / trust framework?

For example, an SD-JWT VC may contain an issuer_policy claim that references an X509 PKI CA, indicating to wallets that only Relying Parties authenticated with a certificate from this CA are allowed to receive a presentation of this VC.
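
Added example, not part of the original post or of the SD-JWT VC draft: a Python sketch of the wallet-side check described above, failing closed on policies it does not understand. The `issuer_policy` layout (`type`, `ca_x5t#S256`) and the sample byte strings are assumptions made for illustration, and the Relying Party's certificate chain is assumed to have been path-validated already.

```python
import base64
import hashlib


def thumbprint(der: bytes) -> str:
    """base64url(SHA-256(DER)) without padding, the encoding used by x5t#S256."""
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()


def may_present(claims: dict, validated_chain: list[bytes]) -> bool:
    """Decide whether the wallet may release the credential to this Relying Party.

    validated_chain: the RP's certificates as DER, leaf first. Assumption: the
    wallet's X.509 library has already verified signatures, validity and
    revocation for this chain; a thumbprint match alone proves nothing.
    """
    policy = claims.get("issuer_policy")  # hypothetical claim name from the issue
    if policy is None:
        return True  # credential carries no restriction
    if not isinstance(policy, dict) or policy.get("type") != "x509_ca":
        return False  # unknown or malformed policy: fail closed
    required = policy.get("ca_x5t#S256")  # hypothetical member name
    if not isinstance(required, str) or not required:
        return False
    # Only issuing certificates count; the RP's own leaf is skipped.
    return any(thumbprint(der) == required for der in validated_chain[1:])


# Constructed sample data: placeholder byte strings stand in for DER certificates.
POLICY_CA = b"constructed-der:policy-ca"
OTHER_CA = b"constructed-der:other-ca"
RP_LEAF = b"constructed-der:rp-leaf"

CREDENTIAL = {
    "vct": "https://credentials.example.com/identity_credential",
    "issuer_policy": {"type": "x509_ca", "ca_x5t#S256": thumbprint(POLICY_CA)},
}

if __name__ == "__main__":
    print(may_present(CREDENTIAL, [RP_LEAF, POLICY_CA]))  # RP under the policy CA
    print(may_present(CREDENTIAL, [RP_LEAF, OTHER_CA]))   # RP under another CA
```
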

@peppelinux
Contributor

Interesting feature, it brings some requirements:

  • definition of entity categories, a grouping of entities for specific purpose or compliance profile
  • verifiable attestations/trust marks to prove the compliance of an entity to a specific purpose

I would not call it issuer_policy, otherwise it seems that the subject of the policy is the issuer, while the issuer is the issuer and the subject is the credential, then credential_policy seems more appropriate if you agree. At the same time the issuer does not represent an authority in the trust ecosystem. The policy should be defined in a trust framework by trust authorities in a large ecosystem where multiple issuers operate. Ideally, the trust authority publishes the catalogue of the issuers granted for some credential issuances (e.g. using OpenID Federation we have trust_mark_issuers that maps trust mark ids with entity ids).

In your proposal, once the wallet has obtained the credential, it evaluates the credential_policy to know to which entity categories it can present it.

The RP should send a presentation request providing the trust mark/verifiable attestation that gives the proof of its compliance to some profile/entity categories enabled in the credential_policy. Then the wallet evaluates the trust with the RP, then evaluates the Trust Marks and presents the credential.

The model you propose is interesting but can be simplified and made more flexible by saying that:

  • the credential_policy should be provided in the credential definition published in the issuer metadata, preventing the revocation of the credential when the policy might change in the future (or be extended with additional audiences)

The requirement of the trust marks/verifiable attestation remains for the RP.

A question is: are these policies enabled with a sort of policy language (as the OpenID Federation metadata policy) or are they static and audience focused?

@bc-pi
Collaborator

bc-pi commented Feb 16, 2024

Do you believe this is something that should be solved by SD-JWT VC or does this belong into a profile / trust framework?

I don't know, to be honest, but my intuition is that SD-JWT VC isn't the right place. I'm not sure putting that kind of policy in the credential itself is the right place either.

@Sakurann
Collaborator

We did have a use-case where the issuers wanted to ensure that credentials are not being used by unauthorized verifiers, and wanted to ensure that by including a legal policy reference inside the credential.

@awoie awoie added the discuss Discuss label Apr 30, 2024