Closed fmarino-ipzs closed 9 months ago
Additional requirements and implementation considerations include:
Users specify which attributes they are disclosing by name, rather than by the location of the attribute within the data structure. This approach applies to both nested claims within verified_claims and claims at the top level. This requirement could affect the structure-agnostic nature of sd-jwt payloads: the wallet instance should bring a good UX providing disclosure for attributes by names, and not by location/path/position. Eg: disclosing given_name produces the disclosure of both the top-level claim and the ones in the verified_claims.claims.
In instances where a claim from one authentic source contradicts a claim from another, it falls to the Verifiable Credential Issuer (VCI) to determine which source has hierarchical precedence. The VCI must then choose which version of the conflicting claim to use.
If claims from different authentic sources conflict, the VCI is required to select the claim from the hierarchically superior source for inclusion in verified_claims. Any conflicting claims should be omitted from the response to prevent misunderstandings regarding the payload's content. Eg: authentic source A brings given_name as giuseppe, while authentic source B brings given_name as peppe:
Over the past few weeks, my team has addressed the following:
To overcome these limitations, we've decided to:
Below I share a pull request that introduces this "feature" within the OpenID4VCI metadata (and divides AS metadata from OpenID4VCI metadata as well). A subsequent pull request will modify the PID data model.
The current Digital Credential Data Model, draws from the OpenID Identity Assurance Profile [OIDC.IDA], needs the changes described below:
As a potential solution, we could consider modifying the data model in the following way, providing in the JSON top-level the user claims (that then results duplicated within the verified_claims.claims objects):
This implies that
verified_claims
is an additional claim given as a JSON object that an RP adopting IDA is able to process and an RP is not interested in the IDA profile may ignore it without breaking changes. The cons of this proposal is that we have the User Claims duplicated in the Credential.In case we may have user claims coming from different Authentic Sources we can consider having
verified_claims
as an array of JSON Objects as in the following example