Authorized Credental within OpenID4VP metadata using Duckle

[peppelinux]

RP Entity Configuration + Subordinate Statements adding authorized data in the request

{
  "typ": "entity-statement+jwt",
  "alg": "ES256",
  "kid": "2HnoFS3YnC9tjiCaivhWnXAdNuA",
}
.
{
    "iat": 1718207217,
    "exp": 1749743216,
    "iss": "https://verifier.example.org",
    "sub": "https://verifier.example.org",
    "authority_hints": [
        "https://trust-anchor.example.org"
    ],
    "jwks": {
        "keys": [
            {
                "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
                "kty": "EC",
                "crv": "P-256",
                "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
                "y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
            }
        ]
    },
    "trust_marks": [
      {id: ... , trust_mark: $JWT}
    ],
    "metadata": {
        "federation_entity": {
            "homepage_uri": "https://verifier.example.org",
            "organization_name": "Organization Name",
            "contacts": [
                "informazioni@example.it",
                "protocollo@pec.example.it"
            ],
            "tos_uri": "https://verifier.example.org/public/info_policy.html",
            "policy_uri": "https://verifier.example.org/public/privacy_policy.html",
            "logo_uri": "https://verifier.example.org/public/logo.svg"
        },
        "openid_credential_verifier": {
            "application_type": "web",
            "client_name": "Organization Name",
            "contacts": [
                "informazioni@example.it"
            ],
            "authorization_signed_response_alg": "ES256",
            "vp_formats": {
                "vc+sd-jwt": {
                    "sd-jwt_alg_values": [
                        "ES256",
                        "ES384",
                        "ES512"
                    ]
                }
            },
            "jwks": {
                "keys": [
                    {
                        "kid": "f10aca0992694b3581f6f699bfc8a2c6cc687725",
                        "kty": "EC",
                        "crv": "P-256",
                        "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
                        "y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
                    }
                ]
            }
        }
    }
}

Superior's Subordinate Statement

{
  "typ": "entity-statement+jwt",
  "alg": "ES256",
  "kid": "XFW2HnoF",
}
.
{
    "iat": 1718207217,
    "exp": 1749743216,
    "iss": "https://trust-anchor.example.org",
    "sub": "https://verifier.example.org",
    "jwks": {
        "keys": [
            {
                "kid": "FANFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs",
                "kty": "EC",
                "crv": "P-256",
                "x": "jE2RpcQbFQxKpMqehahgZv6smmXD0i/LTP2QRzMADk4",
                "y": "qkMx5iqt5PhPu5tfctS6HsP+FmLgrxfrzUV2GwMQuh8"
            }
        ]
    },
    "metadata": {
        "openid_credential_verifier": {
           
            "client_name": "RP 1",

  // Intended Usage
  "intended_usage": [{
    "loan":    {
      // Using Duckle (DCQL) in the Credential Verifier metadata
      "id": "that_credential_id",
      "format": "vc+sd-jwt",
      "meta": {
        "vct_values": [ "https://credentials.example.com/identity_credential" ]
      },
      "claims": [
          {"path": ["last_name"]},
          {"path": ["first_name"]},
          {"path": ["address", "street_address"]}
      ]
    },
// end duckle ,
    "kyc": { ... Duckle statement}
  }],
    }
}
  ]
}

[selfissued]

We briefly discussed this on today's OpenID Connect WG call. These examples seem reasonable. What additional explanatory text do think should accompany them so that readers understand what's being illustrated by these examples?

[jogu]

We need to resolve how this works when the browser API is in use without requiring comparison of JSON (which has many of the same problems as canonicalisation of json). I don't think we should be adding things to the spec that only work when the browser API is not in use.

A solution would be to require that the necessary statements are passed in the OID4VP request by defining new parameters. I'm not sure this is the best way.

Leaving that aside, I'm also not sure how this works without the browser API - i.e. what you pass in oid4vp request.

[peppelinux]

@jogu according to the perspectives also shared by other implementers, I agreed that for RP we should not use metadata parameters but attestations bringing policies.

these could be issued using openid4vci or directly using openid federation and the trust mark endpoint.

for this reason, we are working on an approach using trust marks bringing RP attributes and therefore policies