openid / OpenID4VP


Add issuer identifier for mdocs to DCQL #322

Open martijnharing opened 4 days ago

martijnharing commented 4 days ago

The ISO specification is considering adding a parameter to identify the supported issuers for the requested document. We should add this as an option to DCQL as well.

The definition for the parameter is mdoc-specific, so we should probably add it as an mdoc-specific parameter to the claims query. It could have the following definition:

issuer_identifiers: this is an array of issuer_identifier. If present, the issuer of the returned mdoc has to be one of issuer_identifier to satisfy the request from the RP. The format used to identify an issuing authority is the base64url encoded keyIdentifier of the AuthorityKeyIdentifier that’s referenced in one of the certificates in the x509 chain element in the IssuerAuth header of the mdoc.

leecam commented 4 days ago

Very supportive of issuer matching for both mdoc and SD-JWTs. This was discussed at IIW and I think the consensus was this is a feature we need to add to DCQL.

c2bo commented 4 days ago

This would basically be value matching for an array of expected issuers (identifiers), right? Wouldn't it then be already possible by value matching the corresponding claim to an array of expected values? I guess for mdoc, we would need to define the (virtual?) claim of an issuer identifier, if I understand correctly? That way we would not need to change anything, but define a virtual claim for mdoc that allows for matching using the normal DCQL syntax.

An example in SD-JWT would look like this:

```json
{
  "credentials": [
    {
      "id": "my_credential",
      "format": "vc+sd-jwt",
      "meta": {
        "vct_values": [ "https://credentials.example.com/identity_credential" ]
      },
      "claims": [
        {
          "path": [ "iss" ],
          "values": [
            "https://example.gov",
            "https://another-example.gov"
          ]
        },
        {
          "path": [ "last_name" ]
        },
        {
          "path": [ "first_name" ]
        }
      ]
    }
  ]
}
```

and mdoc could look like this:

```json
{
  "credentials": [
    {
      "id": "my_credential",
      "format": "mso_mdoc",
      "meta": {
        "doctype_value": "org.iso.7367.1.mVRC"
      },
      "claims": [
        {
          "namespace": "virtual",
          "claim_name": "issuer_identifier",
          "values": [
            "eyJh..",
            "eyAb.."
          ]
        },
        {
          "namespace": "org.iso.7367.1",
          "claim_name": "vehicle_holder"
        },
        {
          "namespace": "org.iso.18013.5.1",
          "claim_name": "first_name"
        }
      ]
    }
  ]
}
```

Not sure if this is a good syntax to signal the virtual claim, but this way no further parsing logic is necessary.
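To make the two proposals in this thread concrete (the `issuer_identifiers` derivation in the opening comment, and the "virtual claim plus ordinary value matching" approach in the comment above), here is an added worked example of a small DCQL matcher. It is not code from the OpenID4VP project or from any participant, and it is not a full DCQL implementation. The wallet-side credential records, the key identifier bytes and the `virtual` namespace handling are all constructed assumptions; the issuer identifier string is built exactly as the opening comment proposes, as the unpadded base64url encoding of the `keyIdentifier` from the issuer certificate's AuthorityKeyIdentifier (extracting that value from a real X.509 chain is out of scope here and is assumed to have happened already).

```python
import base64
from typing import Any, Dict, List, Tuple

# --- issuer identifier derivation (as proposed in the opening comment) ----

def issuer_identifier_from_key_id(key_id: bytes) -> str:
    """base64url-encode an AuthorityKeyIdentifier keyIdentifier, no padding."""
    return base64.urlsafe_b64encode(key_id).rstrip(b"=").decode("ascii")

# Constructed sample keyIdentifier; a real one comes from the issuer cert's AKI.
SAMPLE_KEY_ID = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")

# --- constructed wallet contents (not real credentials) -------------------

SD_JWT_CREDENTIAL: Dict[str, Any] = {
    "format": "vc+sd-jwt",
    "vct": "https://credentials.example.com/identity_credential",
    "claims": {"iss": "https://example.gov", "last_name": "Doe", "first_name": "Jane"},
}

MDOC_CREDENTIAL: Dict[str, Any] = {
    "format": "mso_mdoc",
    "doctype": "org.iso.7367.1.mVRC",
    # Assumed to have been derived from the x5chain in IssuerAuth beforehand.
    "issuer_identifier": issuer_identifier_from_key_id(SAMPLE_KEY_ID),
    "namespaces": {
        "org.iso.7367.1": {"vehicle_holder": "Jane Doe"},
        "org.iso.18013.5.1": {"first_name": "Jane"},
    },
}

# --- DCQL evaluation -------------------------------------------------------

def _lookup_claim(credential: Dict[str, Any], claim_query: Dict[str, Any]) -> Tuple[bool, Any]:
    """Return (present, value) for one claims-query entry against one credential."""
    if credential["format"] == "mso_mdoc":
        ns, name = claim_query["namespace"], claim_query["claim_name"]
        if ns == "virtual":
            # Assumed virtual namespace from the thread: not a real mdoc data element,
            # but resolved from the credential's issuer certificate instead.
            if name == "issuer_identifier":
                return True, credential["issuer_identifier"]
            return False, None
        elements = credential["namespaces"].get(ns, {})
        return name in elements, elements.get(name)
    # SD-JWT style: walk the JSON path through the disclosed claims.
    node: Any = credential["claims"]
    for step in claim_query["path"]:
        if not isinstance(node, dict) or step not in node:
            return False, None
        node = node[step]
    return True, node


def _meta_matches(credential: Dict[str, Any], meta: Dict[str, Any]) -> bool:
    if credential["format"] == "mso_mdoc":
        return credential["doctype"] == meta.get("doctype_value")
    return credential["vct"] in meta.get("vct_values", [])


def credential_satisfies(credential: Dict[str, Any], credential_query: Dict[str, Any]) -> bool:
    """True if every requested claim is present and any 'values' list is honoured."""
    if credential["format"] != credential_query["format"]:
        return False
    if not _meta_matches(credential, credential_query.get("meta", {})):
        return False
    for cq in credential_query.get("claims", []):
        present, value = _lookup_claim(credential, cq)
        if not present:
            return False
        # This is the whole issuer-restriction mechanism in the virtual-claim
        # proposal: an issuer the RP did not list simply fails value matching.
        if "values" in cq and value not in cq["values"]:
            return False
    return True


def select_credentials(dcql_query: Dict[str, Any], wallet: List[Dict[str, Any]]) -> Dict[str, List[Dict[str, Any]]]:
    """Map each credential query id to the wallet credentials that satisfy it."""
    return {
        cq["id"]: [c for c in wallet if credential_satisfies(c, cq)]
        for cq in dcql_query["credentials"]
    }
```

Run against the mdoc query from the comment above with the constructed issuer identifier substituted into `values`, `select_credentials` returns the mdoc; swap in an identifier the RP did not list and it returns nothing, which is the behaviour both proposals want. Note that the matcher only compares identifier strings: verifying that the AuthorityKeyIdentifier really belongs to a trusted chain is a separate trust-evaluation step the RP still has to perform.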