openid / oid4vc-haip-sd-jwt-vc

High Assurance Profile of OID4VP and OID4VCI using SD-JWT VC and mdocs that is privacy preserving, secure, and meets regulatory requirements

Why is HAIP looser regarding Verifier vp_formats than OID4VP? #100

Closed joelposti closed 3 months ago

joelposti commented 4 months ago

OID4VP version 20 says in section 5.1. presentation_definition Parameter

> Note: When a Verifier is requesting the presentation of a Verifiable Presentation containing a Verifiable Credential, the Verifier MUST indicate in the vp_formats parameter the supported formats of both Verifiable Credential and Verifiable Presentation.

and in section 9.1. Additional Verifier Metadata Parameters

> vp_formats: REQUIRED.

HAIP version 00, on the other hand, says in section 7.2.7. Verifier Metadata.

> The Verifier SHOULD add a vp_formats element to its metadata

Why is HAIP looser regarding vp_formats than OID4VP? What is the rationale behind this?

I also have questions regarding vp_formats.vc+sd-jwt.sd-jwt_alg_values and vp_formats.vc+sd-jwt.kb-jwt_alg_values. Why are they defined as optional in the same HAIP section 7.2.7. Verifier Metadata:

> sd-jwt_alg_values: OPTIONAL.
> kb-jwt_alg_values: OPTIONAL.

I think the optionality of vp_formats, vp_formats.vc+sd-jwt.sd-jwt_alg_values and vp_formats.vc+sd-jwt.kb-jwt_alg_values increases complexity on the wallet's end.
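The wallet-side complexity the question refers to comes from the branches a wallet has to handle when vp_formats, sd-jwt_alg_values and kb-jwt_alg_values may each be absent. The following is an added example (not code from the issue thread, from HAIP or from OID4VP) of a wallet choosing its SD-JWT and KB-JWT signing algorithms from the Verifier's client_metadata. It assumes client_metadata is the JSON object from the Authorization Request, shaped as the issue quotes it (vp_formats, then vc+sd-jwt, then the two alg lists); the wallet's own algorithm lists and the function names are constructed for the example. The vp_formats_required switch lets the same code follow either the OID4VP "REQUIRED" wording or the HAIP -00 "SHOULD" wording.

```python
"""Wallet-side selection of SD-JWT VC algorithms from Verifier metadata.

Added example, not part of the issue or the specs. Assumed request shape:
  client_metadata = {
      "vp_formats": {
          "vc+sd-jwt": {
              "sd-jwt_alg_values": ["ES256", ...],   # OPTIONAL in HAIP -00
              "kb-jwt_alg_values": ["ES256", ...],   # OPTIONAL in HAIP -00
          }
      }
  }
"""
from typing import List, Optional, Tuple

# Algorithms this hypothetical wallet supports, in preference order (constructed).
WALLET_SD_JWT_ALGS: List[str] = ["ES256", "ES384"]
WALLET_KB_JWT_ALGS: List[str] = ["ES256"]


class VerifierMetadataError(ValueError):
    """The Verifier's metadata cannot be satisfied by this wallet."""


def _intersect(wallet_algs: List[str], verifier_algs) -> List[str]:
    """Keep the wallet's preference order; reject a malformed Verifier list."""
    if not isinstance(verifier_algs, list) or not all(isinstance(a, str) for a in verifier_algs):
        raise VerifierMetadataError("alg_values must be a list of strings")
    return [a for a in wallet_algs if a in verifier_algs]


def select_sd_jwt_algs(
    client_metadata: Optional[dict],
    wallet_sd_jwt_algs: List[str] = WALLET_SD_JWT_ALGS,
    wallet_kb_jwt_algs: List[str] = WALLET_KB_JWT_ALGS,
    vp_formats_required: bool = True,
) -> Tuple[str, str]:
    """Return (sd_jwt_alg, kb_jwt_alg) to use for this presentation.

    vp_formats_required=True  -> OID4VP reading: metadata without vp_formats is an error.
    vp_formats_required=False -> HAIP -00 reading: missing vp_formats means the wallet
                                  silently falls back to its own defaults.
    """
    wallet_default = (wallet_sd_jwt_algs[0], wallet_kb_jwt_algs[0])

    # Branch 1: request carried no client_metadata / client_metadata_uri at all,
    # so there is nothing to negotiate against.
    if client_metadata is None:
        return wallet_default

    # Branch 2: metadata present but vp_formats absent.
    vp_formats = client_metadata.get("vp_formats")
    if vp_formats is None:
        if vp_formats_required:
            raise VerifierMetadataError("client_metadata present but vp_formats missing")
        return wallet_default

    # Branch 3: Verifier lists formats but not vc+sd-jwt: cannot present an SD-JWT VC.
    sd_jwt_entry = vp_formats.get("vc+sd-jwt")
    if sd_jwt_entry is None:
        raise VerifierMetadataError("Verifier does not accept vc+sd-jwt presentations")

    # Branch 4: each alg list is optional; absent means "no constraint from the Verifier".
    sd_values = sd_jwt_entry.get("sd-jwt_alg_values")
    kb_values = sd_jwt_entry.get("kb-jwt_alg_values")
    sd_choice = wallet_sd_jwt_algs if sd_values is None else _intersect(wallet_sd_jwt_algs, sd_values)
    kb_choice = wallet_kb_jwt_algs if kb_values is None else _intersect(wallet_kb_jwt_algs, kb_values)

    if not sd_choice:
        raise VerifierMetadataError("no common sd-jwt_alg_values with Verifier")
    if not kb_choice:
        raise VerifierMetadataError("no common kb-jwt_alg_values with Verifier")
    return sd_choice[0], kb_choice[0]


# Constructed sample metadata, shaped as the issue quotes the HAIP fields.
SAMPLE_METADATA = {
    "vp_formats": {
        "vc+sd-jwt": {
            "sd-jwt_alg_values": ["ES384"],
            "kb-jwt_alg_values": ["ES256"],
        }
    }
}

if __name__ == "__main__":
    print(select_sd_jwt_algs(SAMPLE_METADATA))
```

Every `raise` above is a branch the wallet must implement only because the field is optional; with vp_formats and both alg lists mandatory whenever client_metadata is sent, branches 2 and 4 collapse into plain intersection checks.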

paulbastian commented 4 months ago

As I read it, Authorization Request in OpenID4VP does not mandate client_metadata or client_metadata_uri, which are actually used to communicate the data. Therefore the rules are meant to be: You may choose to transfer Verifier Metadata and if you do so, you MUST send vp_formats.

However, you are right, the text in HAIP should say "MUST".

However, it doesn't matter, because the SD-JWT VC specific text will move out of HAIP, as it has been moved over to OpenID4VCI directly: https://github.com/openid/oid4vc-haip-sd-jwt-vc/pull/96

joelposti commented 4 months ago

Thank you for your response!

> However, it doesn't matter, because the SD-JWT VC specific text will move out of HAIP, as it has been moved over to OpenID4VCI directly: #96

What about sections 7.2.7. Verifier Metadata and 7.2.8. Presentation Definition? Surely they have been moved somewhere else since those sections are about presentation?

Sakurann commented 3 months ago

Resolved by #96, which also removed sections 7.2.7 and 7.2.8 of -00 from HAIP and refers to VCI.