A section should be added to consider the case of a presentation of claims to Verifier that have been issued by different Issuers #514
9.12. Presentation of claims issued by different Issuers
9.12.1 Using conventional cryptography
There exist use cases where claims issued by different Issuers need
to be presented to one Verifier. For example, an End-User would like
to demonstrate to a Verifier that he lives in California using
an SD-JWT issued by a governmental organization and that he got a
specific diploma using an SD-JWT issued by a University.
When there is a need to demonstrate to a Verifier that two SD-JWTs
have been issued to the same End-User, the Holder can generate a one-time
key pair and use the same private key to request an SD-JWT from each
Issuer.
The two issued SD-JWTs will contain the same public key and, using
the corresponding private key, the Holder will be able to demonstrate
to one Verifier that the two presentations of the two SD-JWTs originate
from the same Holder.
Verifiers MUST be able to obtain the characteristics of the Holder
to be confident that the Holder indeed supports this scheme in a secure way.
Since that key pair will only be used once towards a single Verifier,
a linkage between different collaborative Verifiers using the framing
of the SD-JWT will not be possible.
This scheme mandates the generation of batches of one-time use SD-JWTs.
9.12.1 Using Post-Quantum resistant cryptography
The technique previously described uses conventional cryptography which is not
Post-Quantum resistant. Hash-Based signature schemes are believed to be
Post-Quantum resistant.
Their security depends on the infeasibility of finding a preimage or a second preimage.
In 1979, Leslie Lamport invented the first One-Time Signatures (OTS) scheme
that was named the "Lamport Signature". Since then, many variations appeared.
Among them, the Winternitz OTS (W-OTS) scheme that allows small verification key sizes
and a trade-off between the signature size and the signature generation time.
OTS schemes have a major constraint ... which is not a constraint in the context of a Holder:
the private key of a key pair shall only be used once. If used twice, 50 % of the private key
would be revealed. When an OTS scheme is used, this means that the private key
corresponding to the public key placed into an SD-JWT shall only be used once.
When presenting a single SD-JWT to a Verifier, the following structure is used.
SD-JWT + Selected Disclosures + KB-JWT
When presenting two SD-JWTs to a Verifier, the following structure SHALL NOT be used.
When using ordinary hash-functions, it can be observed that it is already possible to implement,
in a Holder, a key binding technique that can be Post-Quantum resistant and which supports
the "Verifier-Verifier unlinkability" property.
SD-JWT1 + Selected Disclosures1 + KB-JWT1 SD-JWT2 + Selected Disclosures2 + KB-JWT2
SD-JWT1 + Selected Disclosures1 + SD-JWT2 + Selected Disclosures2 + KB-JWT
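A Verifier-side check for the "same public key in both SD-JWTs" condition from 9.12.1, as an added example that is not part of the original issue or of the SD-JWT draft. It assumes the Holder key is carried in each issuer-signed JWT as `cnf.jwk` (RFC 7800), that both Issuer signatures were already verified, and it compares RFC 7638 thumbprints so that extra JWK members such as `kid` do not cause a false mismatch; all tokens, keys and helper names are constructed for illustration.

```python
import base64
import hashlib
import json

# RFC 7638 required members per key type; other members (kid, use, ...) are ignored.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x"), "RSA": ("e", "kty", "n")}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwk_thumbprint(jwk):
    """SHA-256 JWK thumbprint (RFC 7638) over the required members only."""
    if jwk.get("kty") not in REQUIRED:
        raise ValueError("unsupported kty")
    canonical = json.dumps({k: jwk[k] for k in REQUIRED[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode()).digest())

def holder_key(issuer_jwt):
    """Extract cnf.jwk from an issuer-signed JWT whose signature was already verified."""
    payload = json.loads(b64url_decode(issuer_jwt.split(".")[1]))
    try:
        return payload["cnf"]["jwk"]
    except (KeyError, TypeError):
        raise ValueError("SD-JWT carries no cnf.jwk, key binding impossible")

def same_holder_key(jwt1, jwt2):
    """True when both SD-JWTs are bound to the same Holder public key."""
    return jwk_thumbprint(holder_key(jwt1)) == jwk_thumbprint(holder_key(jwt2))

def fake_jwt(payload):
    """Constructed, unsigned stand-in for an issuer-signed JWT (sample data only)."""
    enc = lambda o: b64url_encode(json.dumps(o).encode())
    return ".".join([enc({"alg": "ES256"}), enc(payload), "c2ln"])

# Constructed sample keys (x/y are placeholders, not real curve points).
KEY_A = {"kty": "EC", "crv": "P-256", "x": "eHh4", "y": "eXl5"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "enp6", "y": "eXl5"}
GOV = fake_jwt({"iss": "https://gov.example", "cnf": {"jwk": KEY_A}})
UNI = fake_jwt({"iss": "https://university.example", "cnf": {"jwk": dict(KEY_A, kid="k1")}})
OTHER = fake_jwt({"iss": "https://university.example", "cnf": {"jwk": KEY_B}})
NO_CNF = fake_jwt({"iss": "https://university.example"})

if __name__ == "__main__":
    print(same_holder_key(GOV, UNI), same_holder_key(GOV, OTHER))
```

A matching thumbprint only shows that both credentials name the same key; the Verifier still has to validate the KB-JWT signature with that key to confirm the presenter holds the private key.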