-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Embedded Issuer Policies #212
Comments
interesting feature, it brings some requirements:
I would not call it issuer_policy otherwise it seems that the subject of the policy is the issuer, while the issuer is the issuer and the subject is the credential, then credential_policy seems more appropriate if you agree. At the same time the issuer does not represent an authority in the trust ecosystem. The policy should be defined in a trust framework by trust authorities in a large ecosystem where multiple issuers operates. Ideally, the trust authority publishes the catalogue of the issuers granted for some credential issuances (eg: using OpenID Federation we have trust_mark_issuers that maps trust mark ids with entities id). In your proposal once the wallet has obtained the credential, evaluates the credential_policy to kow to which entity categories it can present it. The RP should send a presentation request providing the trust mark/verifiable attestation that give the proof of its compliance to some profile/entity categories enabled in the credential_policy. Then the wallet evaluates the trust with the RP, then evaluates the Trust Marks and present the credential. the model you propose is interesting but can be simplified and make more flexible by saying that:
the requirement of the trust-markls/verifiable attestation remains for the RP. a question is: is these policy enables with a sort of policy language (as the openid federation metadata policy) or are static and audience focused? |
I don't know, to be honest, but my intuition is that SD-JWT VC isn't the right place. I'm not sure putting that kind of policy in credential itself is the right place either. |
we did have a use-case where the issuers wanted to ensure that credentials are not being used by unauthorized verifiers, and wanted to ensure that by including legal policy reference inside the credential. |
For high-security usecases or use cases with sensitive data, some Issuers may want to require that VCs are only released to authorized Verifiers. One of the options to establish such a mechanism is to embed such a policy in the credential itself.
Do you believe this is something that should be solved by SD-JWT VC or does this belong into a profile / trust framework?
For example, an SD-JWT VC may contain a
issuer_policy
claim, that references a X509 PKI CA indicating to wallets that only Relying Parties authenticated with a certificate form this CA are allowed to receive a presentation of this VC.The text was updated successfully, but these errors were encountered: