Added support for credentials without cryptographic holder binding #210
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tlodderstedt
changed the title
jogu
reviewed
Jul 22, 2025
| ### Cryptographic Holder Binding between VC and VP | ||
|
|
||
| * For Cryptographic Holder Binding, a KB-JWT, as defined in [@!I-D.ietf-oauth-sd-jwt-vc], MUST always be present when presenting an SD-JWT VC. | ||
| * If the credential has cryptographic holder binding, a KB-JWT, as defined in [@!I-D.ietf-oauth-sd-jwt-vc], MUST always be present when presenting an SD-JWT VC. |
Contributor
There was a problem hiding this comment.
Suggested change
| * If the credential has cryptographic holder binding, a KB-JWT, as defined in [@!I-D.ietf-oauth-sd-jwt-vc], MUST always be present when presenting an SD-JWT VC. | |
| * If the credential has cryptographic key binding, a KB-JWT, as defined in [@!I-D.ietf-oauth-sd-jwt-vc], MUST always be present when presenting an SD-JWT VC. |
Contributor
There was a problem hiding this comment.
this needs to be cryptographic key binding
Contributor
Author
There was a problem hiding this comment.
HAIP uses VCI terminology, which is "holder binding" - applied this terminology consistently for this PR
Collaborator
There was a problem hiding this comment.
to be be compliant to the rest of the text and assuming this VCI PR gets merged, holder binding is correct (to my personal disagreement)
This was referenced Jul 24, 2025
awoie
reviewed
Jul 29, 2025
awoie
reviewed
Jul 29, 2025
Co-authored-by: Joseph Heenan <joseph@authlete.com>
Co-authored-by: Joseph Heenan <joseph@authlete.com>
Co-authored-by: Joseph Heenan <joseph@authlete.com>
jogu
approved these changes
Aug 3, 2025
Contributor
Torsten & I discussed this - VCI & VP are unfortunately inconsistent in the terms they use, and 'Crytographic holder binding' is currently the most used term in HAIP, so I withdrew my suggestions. |
Sakurann
reviewed
Aug 7, 2025
Sakurann
reviewed
Aug 7, 2025
| ### Key Attestation {#key-attestation} | ||
|
|
||
| Wallets MUST support key attestations as defined in Annex D of [@!OIDF.OID4VCI]. If batch issuance is used, all public keys used in Credential Request SHOULD be attested within a single key attestation. | ||
| Wallets MUST support key attestations as defined in Annex D of [@!OIDF.OID4VCI]. If batch issuance is used and the Credential Issuer has indicated (via `cryptographic_binding_methods_supported ` in it's metadata) that cryptographic binding is required, all public keys used in Credential Request SHOULD be attested within a single key attestation. |
Contributor
There was a problem hiding this comment.
Suggested change
| Wallets MUST support key attestations as defined in Annex D of [@!OIDF.OID4VCI]. If batch issuance is used and the Credential Issuer has indicated (via `cryptographic_binding_methods_supported ` in it's metadata) that cryptographic binding is required, all public keys used in Credential Request SHOULD be attested within a single key attestation. | |
| Wallets MUST support key attestations as defined in Annex D of [@!OIDF.OID4VCI]. If batch issuance is used and the Credential Issuer has indicated (via `cryptographic_binding_methods_supported ` metadata parameter) that cryptographic key binding is required, all public keys used in Credential Request SHOULD be attested within a single key attestation. |
Contributor
Author
There was a problem hiding this comment.
partially adopted the proposal (holder instead of key)
Sakurann
requested changes
Aug 7, 2025
| ### Cryptographic Holder Binding between VC and VP | ||
|
|
||
| * For Cryptographic Holder Binding, a KB-JWT, as defined in [@!I-D.ietf-oauth-sd-jwt-vc], MUST always be present when presenting an SD-JWT VC. | ||
| * If the credential has cryptographic holder binding, a KB-JWT, as defined in [@!I-D.ietf-oauth-sd-jwt-vc], MUST always be present when presenting an SD-JWT VC. |
Contributor
There was a problem hiding this comment.
this needs to be cryptographic key binding
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
Sakurann
approved these changes
Aug 19, 2025
paulbastian
approved these changes
Aug 26, 2025
Collaborator
paulbastian
left a comment
paulbastian
left a comment
There was a problem hiding this comment.
Under the condition that HAIP#165 and VCI#621 gets merged, this looks good to me.
| | iat | MUST |[@!RFC7519], Section 4.1.6 | | ||
| | exp | SHOULD (at the discretion of the Issuer) | [@!RFC7519], Section 4.1.4 | | ||
| | cnf | MUST | [@!RFC7800]| | ||
| | cnf | MUST if the corresponding Credential Configuration requires cryptographic holder binding | [@!RFC7800]| |
Collaborator
There was a problem hiding this comment.
I believe we remove the table with #165 , so this change becomes obsolete
| ### Cryptographic Holder Binding between VC and VP | ||
|
|
||
| * For Cryptographic Holder Binding, a KB-JWT, as defined in [@!I-D.ietf-oauth-sd-jwt-vc], MUST always be present when presenting an SD-JWT VC. | ||
| * If the credential has cryptographic holder binding, a KB-JWT, as defined in [@!I-D.ietf-oauth-sd-jwt-vc], MUST always be present when presenting an SD-JWT VC. |
Collaborator
There was a problem hiding this comment.
to be be compliant to the rest of the text and assuming this VCI PR gets merged, holder binding is correct (to my personal disagreement)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
resolves #105