SlideShare a Scribd company logo

How to Build Interoperable Decentralized Identity Systems with OpenID for Verifiable Credentials

T
Torsten Lodderstedt

This deck gives an overview of OpenID 4 Verifiable Credentials and shows how the specs can be tailored to the needs of a certain category of projects/ecosystems.

Internet
1 of 31
Download to read offline
How to Build Interoperable Decentralized Identity Systems with OpenID for Verifiable Credentials Kristina Yasuda, Microsoft Dr. Torsten Lodderstedt, yes
Kristina Identity Standards Architect Yasuda Microsoft Dr. Torsten Managing Director Lodderstedt yes IDP GmbH
Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Credential Issuance Credential Presentation User Interactions ● The User presenting the Identity data directly to the Verifier from the Wallet ○ <> In the federated model where Identity data is sent directly from the IdP to the Verifier ● Usually expressed with the flow below: What is Decentralized Identity?
Verifiable Credentials: Benefits ● End-Users gain more privacy, and portability over their identity information. ● Cheaper, faster, and more secure identity verification, when transforming physical credentials into digital ones. ● Universal approach to handle identification, authentication, and authorization in digital and physical space.
Issuer (Website) Issuer (Website) Issuer (Website) Why Protocol Layer Interoperability is Crucial. Credential Issuance Credential Presentation One entity needs to talk to the large the number of entities, to increase the value of “Decentralized Identity”. Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) User Interactions Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Wallet (user’s device, cloud or hybrid) Verifier (Website) Issuer (Website)
Problems we identified & how we solved them Problem Solution A lot of entirely new Protocols. (Hard to get security right, steep learning curve) ⇒ Building upon currently widely used protocols: OAuth 2.0 and OpenID Connect. (Secure, already understood) No clear winner among Credential Formats ⇒ Designing a Credential Format agnostic protocol Reluctance to use only DIDs. No clear winner among DID methods ⇒ Designing a protocol agnostic to the Key Resolution mechanism. (No need to use DIDs) Participating entities cannot typically establish trust upfront, using traditional mechanisms. ⇒ Flexibility in Trust Management. Third Party Trust.
OpenID for Verifiable Credential Issuance Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Credential Issuance Credential Presentation User Interactions OpenID for Verifiable Presentations Self-Issued OP v2 ...so here comes OpenID for Verifiable Credentials!
Adoption (selected use-cases) The European Digital Identity Wallet Architecture and Reference Framework[1] (eIDAS ARF/EUDIW) requires OID4VCI, OID4VP and SIOPv2 for online use-cases NIST National Cybersecurity Center of Excellence[2] plans to implement reference implementation for OID4VP to present mdocs/mDL DIF JWT VC Presentation Profile[3] uses OID4VP for request and presentation of W3C JWT VCs and SIOPv2 for user authentication. Implementers: Ping Identity, Microsoft, IBM, Spruce, Auth0, Gen Digital [1] https://cloudsignatureconsortium.org/new-eu-eidas-regulation-a-quantum-leap-for-electronic-identity/ [2] https://www.nccoe.nist.gov/projects/digital-identities-mdl [3] https://identity.foundation/jwt-vc-presentation-profile/#workplace-credential
Open Source libraries ● Walt.id ○ https://github.com/walt-id/waltid-ssikit (Kotlin) ● Sphereon ○ https://github.com/Sphereon-Opensource/SIOP-OpenID4VP (Typescript) ○ https://github.com/Sphereon-Opensource/OpenID4VCI-client (Typescript) ○ https://github.com/Sphereon-Opensource/ssi-sdk (Typescript) ● Microsoft ○ https://github.com/microsoft/VerifiableCredential-SDK-Android (Kotlin) ○ https://github.com/microsoft/VerifiableCredential-SDK-iOS (Swift) ● Spruce ○ https://github.com/spruceid/oidc4vci-rs (Rust) ○ https://github.com/spruceid/oidc4vci-issuer (Rust) ● EBSI ○ https://api-pilot.ebsi.eu/docs/libraries (Javascript) ● Impierce Technologies ○ https://github.com/impierce/openid4vc (Rust)
Let us tell you more about the protocol
OpenID for Verifiable Credential Issuance (Highlights) - It’s an OAuth-protected API (Credential Endpoint at the Resource Server) - Supports various Security levels (including high security with hardware bound keys) - Various business requirements supported (ex. remote and in-person provisioning) - Different user-experiences can be achieved (multiple ways to initiate the flow) - Issuer can check Wallet’s capabilities & Wallet can discover Issuer metadata
Wallet ⓪ Wallet requests & User authorizes credential issuance ③ Credential is issued ① access token(, refresh token) ② Wallet requests credential issuance Protocol Flow Alice Credential Issuer
Authorization Code Flow
Pre-Authorized Code Flow
OpenID for Verifiable Presentations (Highlights) - Designed for high degree of privacy - Supports various Security levels (e.g. mutual authentication among the parties) - Different user-experience can be achieved (same-device and cross-device) - Presentation of multiple Credentials supported - Various Wallet deployment models supported - All local to a native app - Cloud Wallet with a backend - Browser wallet
Same Device Presentation
Cross Device Presentation
Features of OpenID for Verifiable Credentials 1) It is NOT only about W3C Verifiable Credentials. 2) Does not require the usage of DLT (or Blockchain). 3) We are an open standardization community. Implementer’s feedback is incorporated in an agile and transparent manner. 4) It is modular and flexible to cater for the needs of different legislations and use-cases. 5) Complemented by active work on profiles to help the developers interoperate.
User Interactions New additions to the family coming! OpenID for Verifiable Credential Issuance Self-Issued OP v2 OpenID for Verifiable Presentations OpenID for Verifiable Presentations over BLE Security and Trust in OpenID for Verifiable Credentials Core specs additional specs Certification Suite High-Assurance Profile Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Issue Credentials Present Credentials
High Assurance Profile of OpenID4VC with SD-JWT-VC
Profiling OpenID4VC - OpenID4VC is a framework - Interoperability requires “profiling” - Profile defines: - mandatory to implement elements of the protocols, (e.g., grant types, etc.) - wallet invocation mechanism (i.e., custom URL scheme) - authentication requirements for Verifiers and Wallets - Credential Format(s) with ■ issuer identification and key resolution ■ holder key binding - Crypto algorithms
High Assurance Profile of OpenID4VC with SD-JWT-VC - Interoperability across parties while being privacy preserving and able to fulfill security and regulatory requirements - Intended audience - eIDAS ARF (through OIDF/EC liaison) - CA DMV wallet - Basis for OWF project(s) - Basis for Userinfo Interoperability profile - IDunion Tech Stack - GAIN PoC - Japanese government (Trusted Web project) - other jurisdictions - private companies / infrastructure companies
OID4VC High Assurance Interoperability Profile with SD-JWT VC SIOPv2 OID4VP OID4VCI custom scheme crypto suites custom scheme credential profile client id scheme custom scheme credential profile wallet attestation scheme Protocols - Custom Scheme: haip:// - issuer key resolution: web-based, x509 - Crypto Suites: P-256(ecp256r1), SHA256 Basic Choices Attestation based Client Authentication crypto suites issuer key resolution Wallet Attestation Scheme Credential profile: VC-SD-JWT VC-SD-JWT JWT/CWT Statuslist crypto suites issuer key resolution crypto suites issuer key resolution Profiles need to: ● fill the extension points ● define mandatory to implement features
OpenID for Verifiable Credential Issuance - Pre-authorization code flow and authorization code flow are both required. - Sender-constrained Tokens using DPoP required - Credential Offer - for both pre-authorization code flow and authorization code - custom scheme “haip://” for wallet invocation - Authorization at Issuer with Pushed Authorization Requests (PAR) - Wallet Authentication with sender-constrained JWTs - "scope” parameter to requesting authorization for credential issuance - Only required endpoint is Credential Endpoint - Batch Credential Endpoint is required for dual issuance of SD-JWT-VC and mdocs
OpenID for Verifiable Presentations - custom scheme “haip://” for wallet invocation. - Response type: “vp_token”. - Response mode: “direct_post” with redirect_uri. - Using “request_uri” to send Authorization Request is required. - Presentation Definition is sent using “presentation_definition” parameter - Subset of the Presentation Exchange Syntax in order to simplify implementation and prevent security issues - Verifier Authentication with - x.509 Certificates or - Sender-constrained JWTs
SIOP v2 - custom URL scheme “haip://” for wallet invocation - subject_syntax_types_supported value MUST be urn:ietf:params:oauth:jwk-thumbprint - Verifier Authentication with - x.509 Certificates or - Sender-constrained JWTs
Credential Format - SD-JWT VC with JSON payload (“typ”: “vc+sd-jwt”) - both compact and JSON serialization - Definition of mapping to VCDM base media type - Issuer identification and key resolution 1. Web PKI based: iss=issuer URL used to obtain jwks_uri + key id in the `kid` JWS header 2. x.509: iss=SAN in x.509 cert + x.509 cert chain in the `x5c` JWS header - Holder binding: - `cnf` JWT claim with jwk - Credential Revocation: Bitmap type style Status list using JWTs
SD-JWT VC with web PKI based Issuer key resolution { "alg": "ES256", "typ": "vc+sd-jwt", "kid":"4" } { "iss": "https://credential-issuer.example.com", "iat": 1516239022, "exp": 1516247022, "type": "Identity", "_sd": [ "UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM", "tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ", "vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk" ], "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } } }
Crypto - For signing and signature validation: - ES256 algorithm and ECDSA keys using the P-256 (secp256k1) - As hash algorithm to generate and validate the digests in the SD-JWT VC: - SHA256
Call to Action: Implement, Implement, Implement The information can be found at https://openid.net/openid4vc/
THANK YOU!

Recommended

OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
Torsten Lodderstedt
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
Torsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
Torsten Lodderstedt
 

Recommended

OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
Torsten Lodderstedt
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
Torsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
Torsten Lodderstedt
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Kristina Yasuda
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
Lal Chandran
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
Torsten Lodderstedt
 
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
OpenID Foundation Japan
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Kristina Yasuda
 
20231109_OpenID_TechNight_OpenID_Federation.pdf
20231109_OpenID_TechNight_OpenID_Federation.pdf20231109_OpenID_TechNight_OpenID_Federation.pdf
20231109_OpenID_TechNight_OpenID_Federation.pdf
OpenID Foundation Japan
 
Web5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBDWeb5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBD
SSIMeetup
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
SSIMeetup
 
Verifiable Credentials for Global Supply Chains
Verifiable Credentials for Global Supply ChainsVerifiable Credentials for Global Supply Chains
Verifiable Credentials for Global Supply Chains
Karyl Fowler
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
SSIMeetup
 
OpenIDファウンデーション・ジャパンKYC WGの活動報告 - OpenID Summit 2020
OpenIDファウンデーション・ジャパンKYC WGの活動報告 - OpenID Summit 2020OpenIDファウンデーション・ジャパンKYC WGの活動報告 - OpenID Summit 2020
OpenIDファウンデーション・ジャパンKYC WGの活動報告 - OpenID Summit 2020
OpenID Foundation Japan
 
Verifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & HospitalityVerifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & Hospitality
Evernym
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
Torsten Lodderstedt
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
Novell
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
MOnCloud
 

More Related Content

What's hot

Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Kristina Yasuda
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
Lal Chandran
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
SSIMeetup
 

What's hot (20)

OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
 
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
IDA,VC,DID関連仕様 最新情報 - OpenID BizDay #15
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
 
20231109_OpenID_TechNight_OpenID_Federation.pdf
20231109_OpenID_TechNight_OpenID_Federation.pdf20231109_OpenID_TechNight_OpenID_Federation.pdf
20231109_OpenID_TechNight_OpenID_Federation.pdf
 
Web5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBDWeb5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBD
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
 
Verifiable Credentials for Global Supply Chains
Verifiable Credentials for Global Supply ChainsVerifiable Credentials for Global Supply Chains
Verifiable Credentials for Global Supply Chains
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
 
OpenIDファウンデーション・ジャパンKYC WGの活動報告 - OpenID Summit 2020
OpenIDファウンデーション・ジャパンKYC WGの活動報告 - OpenID Summit 2020OpenIDファウンデーション・ジャパンKYC WGの活動報告 - OpenID Summit 2020
OpenIDファウンデーション・ジャパンKYC WGの活動報告 - OpenID Summit 2020
 
Verifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & HospitalityVerifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & Hospitality
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
 

Similar to How to Build Interoperable Decentralized Identity Systems with OpenID for Verifiable Credentials

Value proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentityValue proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign Identity
SSIMeetup
 
Cloud Identity Webinar
Cloud Identity WebinarCloud Identity Webinar
Cloud Identity Webinar
WSO2
 
apidays LIVE India 2022_Standardizing Biometric Device Integration for Identi...
apidays LIVE India 2022_Standardizing Biometric Device Integration for Identi...apidays LIVE India 2022_Standardizing Biometric Device Integration for Identi...
apidays LIVE India 2022_Standardizing Biometric Device Integration for Identi...
apidays
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
Raj Chanchal
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
ForgeRock
 
OSCON 2018 Getting Started with Hyperledger Indy
OSCON 2018 Getting Started with Hyperledger IndyOSCON 2018 Getting Started with Hyperledger Indy
OSCON 2018 Getting Started with Hyperledger Indy
Tracy Kuhrt
 
Using Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep diveUsing Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep dive
Cisco DevNet
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 

Similar to How to Build Interoperable Decentralized Identity Systems with OpenID for Verifiable Credentials (20)

Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Value proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentityValue proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign Identity
 
Microservices Security landscape
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscape
 
Cloud Identity Webinar
Cloud Identity WebinarCloud Identity Webinar
Cloud Identity Webinar
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform IntegrationDEVNET-1010 Using Cisco pxGrid for Security Platform Integration
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
 
apidays LIVE India 2022_Standardizing Biometric Device Integration for Identi...
apidays LIVE India 2022_Standardizing Biometric Device Integration for Identi...apidays LIVE India 2022_Standardizing Biometric Device Integration for Identi...
apidays LIVE India 2022_Standardizing Biometric Device Integration for Identi...
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
 
OSCON 2018 Getting Started with Hyperledger Indy
OSCON 2018 Getting Started with Hyperledger IndyOSCON 2018 Getting Started with Hyperledger Indy
OSCON 2018 Getting Started with Hyperledger Indy
 
Using Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep diveUsing Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep dive
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
ASP.NET Single Sign On
ASP.NET Single Sign OnASP.NET Single Sign On
ASP.NET Single Sign On
 
Wso2 is integration with .net core
Wso2 is integration with .net coreWso2 is integration with .net core
Wso2 is integration with .net core
 
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 

More from Torsten Lodderstedt

Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
Torsten Lodderstedt
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 

More from Torsten Lodderstedt (13)

GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID Connect
 

Recently uploaded

一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书
A
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
lolsDocherty
 
一比一原版(Exon毕业证书)英国埃克塞特大学毕业证如何办理
一比一原版(Exon毕业证书)英国埃克塞特大学毕业证如何办理一比一原版(Exon毕业证书)英国埃克塞特大学毕业证如何办理
一比一原版(Exon毕业证书)英国埃克塞特大学毕业证如何办理
gfhdsfr
 
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
B
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
Fi
 
一比一原版英国萨赛克斯大学毕业证如何办理
一比一原版英国萨赛克斯大学毕业证如何办理一比一原版英国萨赛克斯大学毕业证如何办理
一比一原版英国萨赛克斯大学毕业证如何办理
SDSA
 
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
B
 
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
Fir
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
A
 
Production 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxProduction 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptx
ChloeMeadows1
 
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
gfhdsfr
 

Recently uploaded (20)

Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirts
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
 
一比一原版(Exon毕业证书)英国埃克塞特大学毕业证如何办理
一比一原版(Exon毕业证书)英国埃克塞特大学毕业证如何办理一比一原版(Exon毕业证书)英国埃克塞特大学毕业证如何办理
一比一原版(Exon毕业证书)英国埃克塞特大学毕业证如何办理
 
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
 
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays SweatshirtsFree on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
 
Premier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdfPremier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdf
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
 
一比一原版英国萨赛克斯大学毕业证如何办理
一比一原版英国萨赛克斯大学毕业证如何办理一比一原版英国萨赛克斯大学毕业证如何办理
一比一原版英国萨赛克斯大学毕业证如何办理
 
🍑👄Dehradun Esℂorts Serviℂe☎️9315791090🍑👄 ℂall Girl serviℂe in ☎️Dehradun ℂall...
🍑👄Dehradun Esℂorts Serviℂe☎️9315791090🍑👄 ℂall Girl serviℂe in ☎️Dehradun ℂall...🍑👄Dehradun Esℂorts Serviℂe☎️9315791090🍑👄 ℂall Girl serviℂe in ☎️Dehradun ℂall...
🍑👄Dehradun Esℂorts Serviℂe☎️9315791090🍑👄 ℂall Girl serviℂe in ☎️Dehradun ℂall...
 
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
 
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
 
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
TORTOGEL TELAH MENJADI SALAH SATU PLATFORM PERMAINAN PALING FAVORIT.
 
Free scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsFree scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirts
 
Statistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdfStatistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdf
 
AI Generated 3D Models | AI 3D Model Generator
AI Generated 3D Models | AI 3D Model GeneratorAI Generated 3D Models | AI 3D Model Generator
AI Generated 3D Models | AI 3D Model Generator
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
Production 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxProduction 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptx
 
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
原版定制(爱大毕业证书)英国爱丁堡大学毕业证原件一模一样
 

How to Build Interoperable Decentralized Identity Systems with OpenID for Verifiable Credentials

  • 1. How to Build Interoperable Decentralized Identity Systems with OpenID for Verifiable Credentials Kristina Yasuda, Microsoft Dr. Torsten Lodderstedt, yes
  • 2. Kristina Identity Standards Architect Yasuda Microsoft Dr. Torsten Managing Director Lodderstedt yes IDP GmbH
  • 3. Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Credential Issuance Credential Presentation User Interactions ● The User presenting the Identity data directly to the Verifier from the Wallet ○ <> In the federated model where Identity data is sent directly from the IdP to the Verifier ● Usually expressed with the flow below: What is Decentralized Identity?
  • 4. Verifiable Credentials: Benefits ● End-Users gain more privacy, and portability over their identity information. ● Cheaper, faster, and more secure identity verification, when transforming physical credentials into digital ones. ● Universal approach to handle identification, authentication, and authorization in digital and physical space.
  • 5. Issuer (Website) Issuer (Website) Issuer (Website) Why Protocol Layer Interoperability is Crucial. Credential Issuance Credential Presentation One entity needs to talk to the large the number of entities, to increase the value of “Decentralized Identity”. Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) User Interactions Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Wallet (user’s device, cloud or hybrid) Verifier (Website) Issuer (Website)
  • 6. Problems we identified & how we solved them Problem Solution A lot of entirely new Protocols. (Hard to get security right, steep learning curve) ⇒ Building upon currently widely used protocols: OAuth 2.0 and OpenID Connect. (Secure, already understood) No clear winner among Credential Formats ⇒ Designing a Credential Format agnostic protocol Reluctance to use only DIDs. No clear winner among DID methods ⇒ Designing a protocol agnostic to the Key Resolution mechanism. (No need to use DIDs) Participating entities cannot typically establish trust upfront, using traditional mechanisms. ⇒ Flexibility in Trust Management. Third Party Trust.
  • 7. OpenID for Verifiable Credential Issuance Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Credential Issuance Credential Presentation User Interactions OpenID for Verifiable Presentations Self-Issued OP v2 ...so here comes OpenID for Verifiable Credentials!
  • 8. Adoption (selected use-cases) The European Digital Identity Wallet Architecture and Reference Framework[1] (eIDAS ARF/EUDIW) requires OID4VCI, OID4VP and SIOPv2 for online use-cases NIST National Cybersecurity Center of Excellence[2] plans to implement reference implementation for OID4VP to present mdocs/mDL DIF JWT VC Presentation Profile[3] uses OID4VP for request and presentation of W3C JWT VCs and SIOPv2 for user authentication. Implementers: Ping Identity, Microsoft, IBM, Spruce, Auth0, Gen Digital [1] https://cloudsignatureconsortium.org/new-eu-eidas-regulation-a-quantum-leap-for-electronic-identity/ [2] https://www.nccoe.nist.gov/projects/digital-identities-mdl [3] https://identity.foundation/jwt-vc-presentation-profile/#workplace-credential
  • 9. Open Source libraries ● Walt.id ○ https://github.com/walt-id/waltid-ssikit (Kotlin) ● Sphereon ○ https://github.com/Sphereon-Opensource/SIOP-OpenID4VP (Typescript) ○ https://github.com/Sphereon-Opensource/OpenID4VCI-client (Typescript) ○ https://github.com/Sphereon-Opensource/ssi-sdk (Typescript) ● Microsoft ○ https://github.com/microsoft/VerifiableCredential-SDK-Android (Kotlin) ○ https://github.com/microsoft/VerifiableCredential-SDK-iOS (Swift) ● Spruce ○ https://github.com/spruceid/oidc4vci-rs (Rust) ○ https://github.com/spruceid/oidc4vci-issuer (Rust) ● EBSI ○ https://api-pilot.ebsi.eu/docs/libraries (Javascript) ● Impierce Technologies ○ https://github.com/impierce/openid4vc (Rust)
  • 10. Let us tell you more about the protocol
  • 11. OpenID for Verifiable Credential Issuance (Highlights) - It’s an OAuth-protected API (Credential Endpoint at the Resource Server) - Supports various Security levels (including high security with hardware bound keys) - Various business requirements supported (ex. remote and in-person provisioning) - Different user-experiences can be achieved (multiple ways to initiate the flow) - Issuer can check Wallet’s capabilities & Wallet can discover Issuer metadata
  • 12. Wallet ⓪ Wallet requests & User authorizes credential issuance ③ Credential is issued ① access token(, refresh token) ② Wallet requests credential issuance Protocol Flow Alice Credential Issuer
  • 15. OpenID for Verifiable Presentations (Highlights) - Designed for high degree of privacy - Supports various Security levels (e.g. mutual authentication among the parties) - Different user-experience can be achieved (same-device and cross-device) - Presentation of multiple Credentials supported - Various Wallet deployment models supported - All local to a native app - Cloud Wallet with a backend - Browser wallet
  • 18. Features of OpenID for Verifiable Credentials 1) It is NOT only about W3C Verifiable Credentials. 2) Does not require the usage of DLT (or Blockchain). 3) We are an open standardization community. Implementer’s feedback is incorporated in an agile and transparent manner. 4) It is modular and flexible to cater for the needs of different legislations and use-cases. 5) Complemented by active work on profiles to help the developers interoperate.
  • 19. User Interactions New additions to the family coming! OpenID for Verifiable Credential Issuance Self-Issued OP v2 OpenID for Verifiable Presentations OpenID for Verifiable Presentations over BLE Security and Trust in OpenID for Verifiable Credentials Core specs additional specs Certification Suite High-Assurance Profile Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Issue Credentials Present Credentials
  • 20. High Assurance Profile of OpenID4VC with SD-JWT-VC
  • 21. Profiling OpenID4VC - OpenID4VC is a framework - Interoperability requires “profiling” - Profile defines: - mandatory to implement elements of the protocols, (e.g., grant types, etc.) - wallet invocation mechanism (i.e., custom URL scheme) - authentication requirements for Verifiers and Wallets - Credential Format(s) with ■ issuer identification and key resolution ■ holder key binding - Crypto algorithms
  • 22. High Assurance Profile of OpenID4VC with SD-JWT-VC - Interoperability across parties while being privacy preserving and able to fulfill security and regulatory requirements - Intended audience - eIDAS ARF (through OIDF/EC liaison) - CA DMV wallet - Basis for OWF project(s) - Basis for Userinfo Interoperability profile - IDunion Tech Stack - GAIN PoC - Japanese government (Trusted Web project) - other jurisdictions - private companies / infrastructure companies
  • 23. OID4VC High Assurance Interoperability Profile with SD-JWT VC SIOPv2 OID4VP OID4VCI custom scheme crypto suites custom scheme credential profile client id scheme custom scheme credential profile wallet attestation scheme Protocols - Custom Scheme: haip:// - issuer key resolution: web-based, x509 - Crypto Suites: P-256(ecp256r1), SHA256 Basic Choices Attestation based Client Authentication crypto suites issuer key resolution Wallet Attestation Scheme Credential profile: VC-SD-JWT VC-SD-JWT JWT/CWT Statuslist crypto suites issuer key resolution crypto suites issuer key resolution Profiles need to: ● fill the extension points ● define mandatory to implement features
  • 24. OpenID for Verifiable Credential Issuance - Pre-authorization code flow and authorization code flow are both required. - Sender-constrained Tokens using DPoP required - Credential Offer - for both pre-authorization code flow and authorization code - custom scheme “haip://” for wallet invocation - Authorization at Issuer with Pushed Authorization Requests (PAR) - Wallet Authentication with sender-constrained JWTs - "scope” parameter to requesting authorization for credential issuance - Only required endpoint is Credential Endpoint - Batch Credential Endpoint is required for dual issuance of SD-JWT-VC and mdocs
  • 25. OpenID for Verifiable Presentations - custom scheme “haip://” for wallet invocation. - Response type: “vp_token”. - Response mode: “direct_post” with redirect_uri. - Using “request_uri” to send Authorization Request is required. - Presentation Definition is sent using “presentation_definition” parameter - Subset of the Presentation Exchange Syntax in order to simplify implementation and prevent security issues - Verifier Authentication with - x.509 Certificates or - Sender-constrained JWTs
  • 26. SIOP v2 - custom URL scheme “haip://” for wallet invocation - subject_syntax_types_supported value MUST be urn:ietf:params:oauth:jwk-thumbprint - Verifier Authentication with - x.509 Certificates or - Sender-constrained JWTs
  • 27. Credential Format - SD-JWT VC with JSON payload (“typ”: “vc+sd-jwt”) - both compact and JSON serialization - Definition of mapping to VCDM base media type - Issuer identification and key resolution 1. Web PKI based: iss=issuer URL used to obtain jwks_uri + key id in the `kid` JWS header 2. x.509: iss=SAN in x.509 cert + x.509 cert chain in the `x5c` JWS header - Holder binding: - `cnf` JWT claim with jwk - Credential Revocation: Bitmap type style Status list using JWTs
  • 28. SD-JWT VC with web PKI based Issuer key resolution { "alg": "ES256", "typ": "vc+sd-jwt", "kid":"4" } { "iss": "https://credential-issuer.example.com", "iat": 1516239022, "exp": 1516247022, "type": "Identity", "_sd": [ "UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM", "tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ", "vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk" ], "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } } }
  • 29. Crypto - For signing and signature validation: - ES256 algorithm and ECDSA keys using the P-256 (secp256k1) - As hash algorithm to generate and validate the digests in the SD-JWT VC: - SHA256
  • 30. Call to Action: Implement, Implement, Implement The information can be found at https://openid.net/openid4vc/