SlideShare une entreprise Scribd logo

OpenID 4 Verifiable Credentials + HAIP (Update)

T
Torsten Lodderstedt

Overview of OpenID 4 Verifiable Credentials and the High Assurance Interoperability Profile for SD-JWT VC

Internet
1  sur  49
Télécharger pour lire hors ligne
OpenID for Verifiable Credentials The next generation of OpenID Kristina Yasuda, Microsoft Paul Bastian, Bundesdruckerei Dr. Torsten Lodderstedt, Tuconic
What is Decentralized Identity? Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Credential Issuance Credential Presentation User Interactions ● The User presenting the Identity data directly to the Verifier from the Wallet ○ <> In the federated model where Identity data is sent directly from the IdP to the Verifier ● Usually expressed with the flow below:
Verifiable Credentials: Benefits ● End-Users gain more privacy, and portability over their identity information. ● Cheaper, faster, and more secure identity verification, when transforming physical credentials into digital ones. ● Universal approach to handle identification, authentication, and authorization in digital and physical space.
Issuer (Website) Issuer (Website) Issuer (Website) Why Protocol Layer Interoperability is Crucial. Credential Issuance Credential Presentation One entity needs to talk to the large the number of entities, to increase the value of “Decentralized Identity”. Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) User Interactions Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Wallet (user’s device, cloud or hybrid) Verifier (Website) Issuer (Website)
Problems we identified and how we solved them Problem Solution A lot of entirely new Protocols. (Hard to get security right, steep learning curve) ⇒ Building upon currently widely used protocols: OAuth 2.0 and OpenID Connect. (Secure, already understood) No clear winner among Credential Formats ⇒ Designing a protocol agnostic to the Credential Formats. No one way to do key management. ⇒ Designing a protocol agnostic to the key management mechanism. Participating entities cannot typically establish trust upfront, using traditional mechanisms. ⇒ Flexibility in Trust Management. Third Party Trust.
OpenID for Verifiable Credential Issuance ...so here comes OpenID for Verifiable Credentials (OID4VC)! Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Credential Issuance Credential Presentation User Interactions OpenID for Verifiable Presentations Self-Issued OP v2
Adoption (selected use-cases) The European Digital Identity Wallet[1], ARF v.1.1: “the EUDI Wallet Solution MUST support OpenID4VCI as an Issuance protocol. Member States are free to include additional issuance protocol alternatives in their national solutions.” NIST National Cybersecurity Center of Excellence[2] is running a project implementing and testing implementations for OID4VP to present mdocs/mDL. DIF JWT VC Issuance / Presentation Profile [3] [4] uses OID4VC protocols for the enterprise identity use-cases: fraud prevention in B2B, B2E scenarios. [1] https://cloudsignatureconsortium.org/new-eu-eidas-regulation-a-quantum-leap-for-electronic-identity/ [2] https://www.nccoe.nist.gov/projects/digital-identities-mdl [3] https://identity.foundation/jwt-vc-issuance-profile/ [4] https://identity.foundation/jwt-vc-presentation-profile/
1. Walt.id ○ https://github.com/walt-id/waltid-ssikit (Kotlin) 2. Sphereon ○ https://github.com/Sphereon-Opensource/SIOP-OpenID4VP (Typescript) ○ https://github.com/Sphereon-Opensource/OpenID4VCI-client (Typescript) ○ https://github.com/Sphereon-Opensource/ssi-sdk (Typescript) 3. Microsoft ○ https://github.com/microsoft/VerifiableCredential-SDK-Android (Kotlin) ○ https://github.com/microsoft/VerifiableCredential-SDK-iOS (Swift) 4. Spruce ○ https://github.com/spruceid/oidc4vci-rs (Rust) ○ https://github.com/spruceid/oidc4vci-issuer (Rust) 5. EBSI ○ https://api-pilot.ebsi.eu/docs/libraries (Javascript) Open Source libraries 6. Impierce Technologies ○ https://github.com/impierce/openid4vc (Rust) 7. Animo ○ https://github.com/animo/paradym-wallet (Typescript) 8. Trustbloc ○ https://github.com/trustbloc/vcs (Go) ○ https://github.com/trustbloc/wallet-sdk (Go) 9. Italian Government ○ https://github.com/italia/eudi-wallet-it-python (Python) ○ https://github.com/italia/eudi-wallet-it-pid-provi der/tree/v.1.1.1 (Python)
● A light-weight, low-cost, self-certification program to serve members, drive adoption and promote high-quality implementations (since 2015~) ● 2,400+ total certifications to date! ● Benefits (there are more!) ○ Testers get direct support from the OIDF certification team ○ Internationally recognized, award winning ○ Updated as the specification evolves ● Current progress ○ Started development for OpenID for Verifiable Presentations. initial focus is on testing wallets. ○ OpenID for Verifiable Credential Issuance planned ● Things to know ○ Strictly tests protocol specification conformance and does not test what happens inside the wallet ○ Can be integrated in continuous development and deployment processes ○ Tests are open source OpenID Foundation Certification for OID4VC specs
● “Security and Trust in OpenID for Verifiable Credentials” ○ Describes the trust architecture in OpenID for Verifiable Credentials, outlines security considerations and requirements for the components in an ecosystem. ● Results of the formal security analysis of OpenID for VC protocols were also presented at the OAuth Security Workshop in August: “Protocols are secure under the assumptions made”. Official publication shortly. OID4VC Formal Security Analysis
Let us tell you more about the protocol
OpenID for Verifiable Credential Issuance (Highlights) - It’s an OAuth-protected API (Credential Endpoint at the Resource Server) ○ Leverages existing OAuth features and implementations ○ Easy of use for developers - Supports various Security levels (including high security with hardware bound keys) - Various business requirements supported (ex. remote and in-person provisioning) - Different user-experiences can be achieved (multiple ways to initiate the flow) - Issuer can check Wallet’s capabilities & Wallet can discover Issuer metadata
Wallet ⓪ Wallet requests & User authorizes credential issuance ③ Credential is issued ① access token(, refresh token) ② Wallet requests credential issuance Protocol Flow Alice Credential Issuer
Authorization Code Flow
Pre-Authorized Code Flow
Authorization Code Flow (Overview)
Pre-Authorized Code Flow (Overview)
Credential Offer { "credential_issuer": "https://credential-issuer.example.com", "credentials": [ { "format": "vc+sd-jwt", "type": "Identity" }], "grants": { "urn:ietf:params:oauth:grant-type:pre-authorized_code": { "pre-authorized_code": "9JSsozW2G2cluWcyCqHK", "user_pin_required": true } } }
Example: Token Request POST /token HTTP/1.1 Host: credential-issuer.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code &pre-authorized_code=SplxlOBeZQQYbYS6WxSbIA &user_pin=493536
Example: Credential Issuance HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "format": "vc+sd-jwt", "credential" : "eyJhbGciOiAiRVMyNTYifQ.eyJfc2QiOiBbIl ... gImVtYWlsIiwgInRlc3RAZXhhbXBsZS5jb20iXQ" } POST /credential HTTP/1.1 Host: credential-issuer.example.com Content-Type: application/json Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW { "format":"vc+sd-jwt", "type":"Identity", "proof":{ "proof_type":"jwt", "jwt":"eyJhbGciOiJFUzI1NiIsInR5cCI6Im9wZW5pZDR2Y2ktcHJvb2Yrand0Iiw ... jhe0xQmfIBCQz20xVjaM91ODdIt5JX_ztrcq4nkglH907Ofbugg" } } Request Response
Example: Issued Credential { "iss": "https://credential-issuer.example.com", "iat": 1516239022, "exp": 1516247022, "type": "Identity", "_sd": [ "UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM", "tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ", "vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk" ], "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } } }
OpenID for Verifiable Presentations (Highlights) - Designed for highest degree of privacy - Easy of use for developers - Supports various Security levels (e.g. mutual authentication among the parties) - Different user-experiences can be achieved (same-device and cross-device) - Presentation of multiple Credentials supported - Various Wallet deployment models supported - All local to a native app - Native app with cloud backend - Web wallet
Same Device Presentation
Cross Device Presentation
Same Device (Overview)
Cross-Device Flow (VP Token sent via HTTP POST)
Same Device (VP Token sent via HTTP POST + redirect)
Presentation Request { "id":"mDL-sample-req", "input_descriptors":[ { "id":"org.iso.18013.5.1.mDL", "format":{ "mso_mdoc":{ "alg":[ "EdDSA", "ES256" ] }, }, "constraints":{ "limit_disclosure":"required", "fields":[ { "path":[ "$['org.iso.18013.5.1']['family_name']" ], "intent_to_retain":false } { "path":[ "$['org.iso.18013.5.1']['driving_privileges']" ], "intent_to_retain":false } ] } } ] GET /authorize? response_type=vp_token &client_id=https%3A%2F%2Fclient.example.org%2Fcb &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &presentation_definition=... &nonce=n-0S6_WzA2Mj HTTP/1.1 Host: wallet.example.com presentation_definition
Presentation Response { "definition_id": "mDL-sample-req", "id": "org.iso.18013.5.1.mDL", "descriptor_map": [ { "id": "mDL", "format": "mso_mdoc", "path": "$" } ] } presentation_submission vp_token HTTP/1.1 302 Found Location: https://client.example.org/cb# presentation_submission=... &vp_token=... { "status": 0, "version": "1.0", "documents": [ { "docType": "org.iso.18013.5.1.mDL", "deviceSigned": { "deviceAuth": { "deviceMac": [ << {1: 5} >>, {}, null, h'A574C64F18902BFE18B742F17C581218F88EA279AA ] }, "nameSpaces": 24(h'A0') }, "issuerSigned": { "issuerAuth": [ << {1: -7} >>, { 33: h'30820215308201BCA003020102021404AD06A30C1A6DC6E93BE0E2E8F78DCAFA7907C230 040613025A453059301306072A8648CE3D020106082A8648CE3D030107034200047C5545E9 000E9C46618C02202C1F778AD252285ED05D9B55469F1CB78D773671F30FE7AB8153719423 }, << 24(<< { "docType": "org.iso.18013.5.1.mDL", "version": "1.0",
OpenID for Verifiable Credential Issuance New additions to the family coming! Self-Issued OP v2 OpenID for Verifiable Presentations OpenID for Verifiable Presentations over BLE Security and Trust in OpenID for Verifiable Credentials Core specs additions Certification Suite OID4VC High Assurance Interoperability Profile with SD-JWT VC Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Issue Credentials Present Credentials User Interactions
Latest Updates - Formal Security Analysis of Issuance and Presentation is about to be published. - Automated Conformance Tests for Wallets (Presentation) are available (1st revision). - Growing number of Open Source Implementations. - OpenID4VC driving convergence at the protocol layer. Getting traction in the - Aries community (.NET and JS Framework are being extended to support OID4VC) - mdoc community (18013-7, 23220-4, 23220-3) - etc.
OID4VC High Assurance Interoperability Profile with SD-JWT VC
OpenID4VC as Framework vs Profiles - Interoperability requires instantiation of OpenID 4 VC with concrete - Definition of “Mandatory to Implement” elements of the protocols, e.g. grant types & response types - Custom scheme for wallet invocation - Definition of authentication mechanisms for Verifiers and Wallets - Credential Format(s) with ■ issuer identification and key resolution ■ holder key binding - Crypto algorithms - Instantiation designated as “Profile”
OID4VC High Assurance Interoperability Profile with SD-JWT VC - Interoperability across parties while being - Privacy preserving and - able to fulfill security and regulatory requirements - Intended audience - Proposal for eIDAS ARF (through OIDF/EC liaison) - CA DMV wallet - Basis for OWF project(s) - IDunion Tech Stack - GAIN PoC - Japanese government (Trusted Web project) - Basis for Userinfo - other jurisdictions - private companies / infrastructure companies
OID4VC High Assurance Interoperability Profile with SD-JWT VC SIOPv2 OID4VP OID4VCI custom scheme crypto suites custom scheme credential profile client id scheme custom scheme credential profile wallet attestation scheme Protocols Attestation based Client Authentication crypto suites issuer key resolution Wallet Attestation Scheme Credential profile: SD-JWT VC SD-JWT VC JWT/CWT Statuslist crypto suites issuer key resolution crypto suites issuer key resolution - Custom Scheme: haip:// - issuer key resolution: web-based, x509 - Crypto Suites: P-256(secp256r1), SHA256 Basic Choices ● Authenticated issuer identifiers as basis for trust management ● Trust Management Mechanism can be defined on top Note: Similar profile for ISO mdoc is being worked on for 18013-7, 23220-4 and -3 IETF OAuth WG adopted draft IETF OAuth WG adopted draft
Credential Format - SD-JWT VC with JSON payload (“typ”: “vc+sd-jwt”) - both compact and JSON serialization - Issuer identification and key resolution 1. Web PKI based: ■ issuer URL (“iss” claim) used to obtain jwks_uri ■ key id in the “kid” JWS header 2. x.509: ■ x.509 cert chain in the “x5c” JWS header ■ issuer URL (“iss” claim) MUST be Subject Alternative Name (dnsName) in x.509 cert - Key binding: - raw public key (jwk) in “cnf” JWT claim - Credential Revocation: Bitmap type style Status list using JWTs
SD-JWT VC with web PKI based Issuer key resolution { "alg": "ES256", "typ": "vc+sd-jwt", "kid":"4" } { "iss": "https://credential-issuer.example.com", "iat": 1516239022, "exp": 1516247022, "type": "Identity", "_sd": [ "UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM", "tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ", "vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk" ], "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } }, "status": { "idx": "0,", "uri": "https://example.com/statuslists/1" } }
SD-JWT VC with x.509 Issuer key resolution { "alg": "ES256", "typ": "vc+sd-jwt", "x5c": [ "MIICOjCCAeG...djzH7lA==", "MIICLTCCAdS...koAmhWVKe" ] } { "iss": "https://credential-issuer.example.com", "iat": 1516239022, "exp": 1516247022, "type": "Identity", "_sd": [ "UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM", "tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ", "vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk" ], "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } }, "status": { "idx": "0,", "uri": "https://example.com/statuslists/1" } }
SD-JWT VC with OpenID Connect Federation Trust Chain { "alg": "ES256", "typ": "vc+sd-jwt", "trust_chain" = [ $EntityConfiguration-as-SignedJWT-selfissued-byLeaf, $EntityStatement-as-SignedJWT-issued-byTrustAnchor ] } { "iss": "https://credential-issuer.example.com", "iat": 1516239022, "exp": 1516247022, "type": "Identity", "_sd": [ "UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM", "tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ", "vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk" ], "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } }, "status": { "idx": "0,", "uri": "https://example.com/statuslists/1" } }
SD-JWT VC (decoded) { "iss": "https://credential-issuer.example.com" , "iat": 1541493724, "exp": 1541494724, "type": "Identity", "given_name": "Erika", "family_name": "Mustermann", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc" , "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } } "status": { "idx": "0,", "uri": "https://example.com/statuslists/1" } }
OpenID for Verifiable Credential Issuance - custom scheme “haip://” for wallet invocation - Pre-authorized and authorization code flow are both required. - Wallet Attestation & Authentication with sender-constrained JWTs - Sender-constrained Tokens using DPoP required
Issuance with Authorization Code and Wallet Attestation
● Extends the established framework of RFC7521 for a new form of client authentication ● Client instance obtains an attestation from client backend ● Client backend may perform any number of security checks before issuing a key-bound attestation JWT to the client instance ● Client instance authenticates towards Authorization server during a Token or PAR Request ● Note - how the client communicates with the client backend in steps 2&4 are out of scope ● Draft adopted by IETF OAuth WG OAuth2 Attestation-Based Client Authentication
Wallet Attestation JWT { "iss": "https://attester.example.com" , "sub": "https://client.example.com" , "iat": 1516247022, "exp": 1541493724, "aal" : "https://trust-list.eu/aal/high ", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc" , "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" }, "key_type": "STRONGBOX", //optional "user_authentication" : "SYSTEM_PIN", //optional } } { "typ": "wallet-attestation+jwt" , "alg": "ES256", "kid": "1" }
OpenID for Verifiable Presentations - custom scheme “haip://” for wallet invocation. - Universal presentation flow based on “direct_post” response mode for same and cross device flows. - Subset of the Presentation Exchange Syntax in order to simplify implementation and prevent security issues - Verifier Authentication with - x.509 Certificates or - Sender-constrained JWTs
Same Device (VP Token sent via HTTP POST + redirect)
Links OpenID 4 Verifiable Credential Issuance OpenID 4 Verifiable Presentation SIOP v2 OpenID4VC High Assurance Interoperability Profile with SD-JWT VC Security and Trust in OpenID for Verifiable Credentials Ecosystems https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/ Please engage with us: Digital Credentials Protocols (DCP) Working Group
Q & A
OID4VC High Assurance Interoperability Profile with mdocs (18013-7, 23220-4 and -3) SIOPv2 OID4VP OID4VCI custom scheme crypto suites custom scheme credential profile client id scheme custom scheme credential profile wallet attestation scheme Protocols Attestation based Client Authentication crypto suites issuer key resolution Wallet Attestation Scheme Credential profile: mdoc mdoc JWT/CWT Statuslist crypto suites issuer key resolution crypto suites issuer key resolution - Custom Scheme: haip:// - issuer key resolution: x509 - Crypto Suites: P-256(secp256r1), brainpool curves, etc. Basic Choices IETF OAuth WG adopted draft

Recommandé

OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
Torsten Lodderstedt
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
Torsten Lodderstedt
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
Lal Chandran
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 

Recommandé

OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
Torsten Lodderstedt
 
The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
Torsten Lodderstedt
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
Lal Chandran
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Kristina Yasuda
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
Torsten Lodderstedt
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
Torsten Lodderstedt
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
FIDO Alliance
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
FIDO Alliance
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
Torsten Lodderstedt
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
SSIMeetup
 
Introduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityIntroduction to Self Sovereign Identity
Introduction to Self Sovereign Identity
Heather Vescent
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
Torsten Lodderstedt
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
SSIMeetup
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
Verifiable Credentials for Global Supply Chains
Verifiable Credentials for Global Supply ChainsVerifiable Credentials for Global Supply Chains
Verifiable Credentials for Global Supply Chains
Karyl Fowler
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Web5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBDWeb5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBD
SSIMeetup
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access Control
FIWARE
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
MOnCloud
 

Contenu connexe

Tendances

Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Kristina Yasuda
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
SSIMeetup
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access Control
FIWARE
 

Tendances (20)

OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
 
OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)OpenID for Verifiable Credentials (IIW 35)
OpenID for Verifiable Credentials (IIW 35)
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
 
Introduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityIntroduction to Self Sovereign Identity
Introduction to Self Sovereign Identity
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
 
Verifiable Credentials for Global Supply Chains
Verifiable Credentials for Global Supply ChainsVerifiable Credentials for Global Supply Chains
Verifiable Credentials for Global Supply Chains
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Web5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBDWeb5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBD
 
FIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access ControlFIWARE Training: Identity Management and Access Control
FIWARE Training: Identity Management and Access Control
 

Similaire à OpenID 4 Verifiable Credentials + HAIP (Update)

Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
Raj Chanchal
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
Cloud Identity Webinar
Cloud Identity WebinarCloud Identity Webinar
Cloud Identity Webinar
WSO2
 
Value proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentityValue proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign Identity
SSIMeetup
 
SmartCard Forum 2009 - OpenTrust SCM
SmartCard Forum 2009 - OpenTrust SCMSmartCard Forum 2009 - OpenTrust SCM
SmartCard Forum 2009 - OpenTrust SCM
OKsystem
 
Blockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain CredentialsBlockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain Credentials
SSIMeetup
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpace
Oliver Pfaff
 

Similaire à OpenID 4 Verifiable Credentials + HAIP (Update) (20)

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Microservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity ServerMicroservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity Server
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Cloud Identity Webinar
Cloud Identity WebinarCloud Identity Webinar
Cloud Identity Webinar
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
 
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 
ASP.NET Single Sign On
ASP.NET Single Sign OnASP.NET Single Sign On
ASP.NET Single Sign On
 
Value proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign IdentityValue proposition of SSI tech providers - Self-Sovereign Identity
Value proposition of SSI tech providers - Self-Sovereign Identity
 
Decentralized Identifiers
Decentralized IdentifiersDecentralized Identifiers
Decentralized Identifiers
 
SmartCard Forum 2009 - OpenTrust SCM
SmartCard Forum 2009 - OpenTrust SCMSmartCard Forum 2009 - OpenTrust SCM
SmartCard Forum 2009 - OpenTrust SCM
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
Blockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain CredentialsBlockcerts: The Open Standard for Blockchain Credentials
Blockcerts: The Open Standard for Blockchain Credentials
 
ISS SA le presenta IdentityGuard de Entrust
ISS SA le presenta IdentityGuard de EntrustISS SA le presenta IdentityGuard de Entrust
ISS SA le presenta IdentityGuard de Entrust
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
 
Introduction to Public Key Infrastructure
Introduction to Public Key InfrastructureIntroduction to Public Key Infrastructure
Introduction to Public Key Infrastructure
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpace
 

Plus de Torsten Lodderstedt

Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
Torsten Lodderstedt
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 

Plus de Torsten Lodderstedt (13)

GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID Connect
 

Dernier

一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
Fir
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
Fi
 
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
C
 
一比一原版(Cranfield毕业证书)英国克兰菲尔德大学毕业证如何办理
一比一原版(Cranfield毕业证书)英国克兰菲尔德大学毕业证如何办理一比一原版(Cranfield毕业证书)英国克兰菲尔德大学毕业证如何办理
一比一原版(Cranfield毕业证书)英国克兰菲尔德大学毕业证如何办理
gfhdsfr
 
一比一原版加拿大多伦多大学毕业证(UofT毕业证书)如何办理
一比一原版加拿大多伦多大学毕业证(UofT毕业证书)如何办理一比一原版加拿大多伦多大学毕业证(UofT毕业证书)如何办理
一比一原版加拿大多伦多大学毕业证(UofT毕业证书)如何办理
egfdgfd
 
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
B
 
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
asdafd
 
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
gfhdsfr
 
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
Fir
 
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
B
 
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
rgdasda
 

Dernier (20)

一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
 
💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...
💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...
💞 Safe And Seℂure ℂall Girls Dehradun ℂall Girls Serviℂe Just ℂall 🍑👄93157910...
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 
I’ll See Y’All Motherfuckers In Game 7 Shirt
I’ll See Y’All Motherfuckers In Game 7 ShirtI’ll See Y’All Motherfuckers In Game 7 Shirt
I’ll See Y’All Motherfuckers In Game 7 Shirt
 
Statistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdfStatistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdf
 
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
一比一原版(Princeton毕业证书)普林斯顿大学毕业证如何办理
 
一比一原版(Cranfield毕业证书)英国克兰菲尔德大学毕业证如何办理
一比一原版(Cranfield毕业证书)英国克兰菲尔德大学毕业证如何办理一比一原版(Cranfield毕业证书)英国克兰菲尔德大学毕业证如何办理
一比一原版(Cranfield毕业证书)英国克兰菲尔德大学毕业证如何办理
 
Free scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsFree scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirts
 
一比一原版加拿大多伦多大学毕业证(UofT毕业证书)如何办理
一比一原版加拿大多伦多大学毕业证(UofT毕业证书)如何办理一比一原版加拿大多伦多大学毕业证(UofT毕业证书)如何办理
一比一原版加拿大多伦多大学毕业证(UofT毕业证书)如何办理
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
一比一原版(Bath毕业证书)英国桑德兰大学毕业证如何办理
 
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
原版定制(Management毕业证书)新加坡管理大学毕业证原件一模一样
 
Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirts
 
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays SweatshirtsFree on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
 
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
一比一定制(Dundee毕业证书)英国邓迪大学毕业证学位证书
 
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
一比一原版(PSU毕业证书)美国宾州州立大学毕业证如何办理
 
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
 
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
一比一定制(OSU毕业证书)美国俄亥俄州立大学毕业证学位证书
 

OpenID 4 Verifiable Credentials + HAIP (Update)

  • 1. OpenID for Verifiable Credentials The next generation of OpenID Kristina Yasuda, Microsoft Paul Bastian, Bundesdruckerei Dr. Torsten Lodderstedt, Tuconic
  • 2. What is Decentralized Identity? Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Credential Issuance Credential Presentation User Interactions ● The User presenting the Identity data directly to the Verifier from the Wallet ○ <> In the federated model where Identity data is sent directly from the IdP to the Verifier ● Usually expressed with the flow below:
  • 3. Verifiable Credentials: Benefits ● End-Users gain more privacy, and portability over their identity information. ● Cheaper, faster, and more secure identity verification, when transforming physical credentials into digital ones. ● Universal approach to handle identification, authentication, and authorization in digital and physical space.
  • 4. Issuer (Website) Issuer (Website) Issuer (Website) Why Protocol Layer Interoperability is Crucial. Credential Issuance Credential Presentation One entity needs to talk to the large the number of entities, to increase the value of “Decentralized Identity”. Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) User Interactions Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Issuer (Website) Wallet (user’s device, cloud or hybrid) Verifier (Website) Issuer (Website)
  • 5. Problems we identified and how we solved them Problem Solution A lot of entirely new Protocols. (Hard to get security right, steep learning curve) ⇒ Building upon currently widely used protocols: OAuth 2.0 and OpenID Connect. (Secure, already understood) No clear winner among Credential Formats ⇒ Designing a protocol agnostic to the Credential Formats. No one way to do key management. ⇒ Designing a protocol agnostic to the key management mechanism. Participating entities cannot typically establish trust upfront, using traditional mechanisms. ⇒ Flexibility in Trust Management. Third Party Trust.
  • 6. OpenID for Verifiable Credential Issuance ...so here comes OpenID for Verifiable Credentials (OID4VC)! Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Credential Issuance Credential Presentation User Interactions OpenID for Verifiable Presentations Self-Issued OP v2
  • 7. Adoption (selected use-cases) The European Digital Identity Wallet[1], ARF v.1.1: “the EUDI Wallet Solution MUST support OpenID4VCI as an Issuance protocol. Member States are free to include additional issuance protocol alternatives in their national solutions.” NIST National Cybersecurity Center of Excellence[2] is running a project implementing and testing implementations for OID4VP to present mdocs/mDL. DIF JWT VC Issuance / Presentation Profile [3] [4] uses OID4VC protocols for the enterprise identity use-cases: fraud prevention in B2B, B2E scenarios. [1] https://cloudsignatureconsortium.org/new-eu-eidas-regulation-a-quantum-leap-for-electronic-identity/ [2] https://www.nccoe.nist.gov/projects/digital-identities-mdl [3] https://identity.foundation/jwt-vc-issuance-profile/ [4] https://identity.foundation/jwt-vc-presentation-profile/
  • 8. 1. Walt.id ○ https://github.com/walt-id/waltid-ssikit (Kotlin) 2. Sphereon ○ https://github.com/Sphereon-Opensource/SIOP-OpenID4VP (Typescript) ○ https://github.com/Sphereon-Opensource/OpenID4VCI-client (Typescript) ○ https://github.com/Sphereon-Opensource/ssi-sdk (Typescript) 3. Microsoft ○ https://github.com/microsoft/VerifiableCredential-SDK-Android (Kotlin) ○ https://github.com/microsoft/VerifiableCredential-SDK-iOS (Swift) 4. Spruce ○ https://github.com/spruceid/oidc4vci-rs (Rust) ○ https://github.com/spruceid/oidc4vci-issuer (Rust) 5. EBSI ○ https://api-pilot.ebsi.eu/docs/libraries (Javascript) Open Source libraries 6. Impierce Technologies ○ https://github.com/impierce/openid4vc (Rust) 7. Animo ○ https://github.com/animo/paradym-wallet (Typescript) 8. Trustbloc ○ https://github.com/trustbloc/vcs (Go) ○ https://github.com/trustbloc/wallet-sdk (Go) 9. Italian Government ○ https://github.com/italia/eudi-wallet-it-python (Python) ○ https://github.com/italia/eudi-wallet-it-pid-provi der/tree/v.1.1.1 (Python)
  • 9. ● A light-weight, low-cost, self-certification program to serve members, drive adoption and promote high-quality implementations (since 2015~) ● 2,400+ total certifications to date! ● Benefits (there are more!) ○ Testers get direct support from the OIDF certification team ○ Internationally recognized, award winning ○ Updated as the specification evolves ● Current progress ○ Started development for OpenID for Verifiable Presentations. initial focus is on testing wallets. ○ OpenID for Verifiable Credential Issuance planned ● Things to know ○ Strictly tests protocol specification conformance and does not test what happens inside the wallet ○ Can be integrated in continuous development and deployment processes ○ Tests are open source OpenID Foundation Certification for OID4VC specs
  • 10. ● “Security and Trust in OpenID for Verifiable Credentials” ○ Describes the trust architecture in OpenID for Verifiable Credentials, outlines security considerations and requirements for the components in an ecosystem. ● Results of the formal security analysis of OpenID for VC protocols were also presented at the OAuth Security Workshop in August: “Protocols are secure under the assumptions made”. Official publication shortly. OID4VC Formal Security Analysis
  • 11. Let us tell you more about the protocol
  • 12. OpenID for Verifiable Credential Issuance (Highlights) - It’s an OAuth-protected API (Credential Endpoint at the Resource Server) ○ Leverages existing OAuth features and implementations ○ Easy of use for developers - Supports various Security levels (including high security with hardware bound keys) - Various business requirements supported (ex. remote and in-person provisioning) - Different user-experiences can be achieved (multiple ways to initiate the flow) - Issuer can check Wallet’s capabilities & Wallet can discover Issuer metadata
  • 13. Wallet ⓪ Wallet requests & User authorizes credential issuance ③ Credential is issued ① access token(, refresh token) ② Wallet requests credential issuance Protocol Flow Alice Credential Issuer
  • 18. Credential Offer { "credential_issuer": "https://credential-issuer.example.com", "credentials": [ { "format": "vc+sd-jwt", "type": "Identity" }], "grants": { "urn:ietf:params:oauth:grant-type:pre-authorized_code": { "pre-authorized_code": "9JSsozW2G2cluWcyCqHK", "user_pin_required": true } } }
  • 19. Example: Token Request POST /token HTTP/1.1 Host: credential-issuer.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code &pre-authorized_code=SplxlOBeZQQYbYS6WxSbIA &user_pin=493536
  • 20. Example: Credential Issuance HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "format": "vc+sd-jwt", "credential" : "eyJhbGciOiAiRVMyNTYifQ.eyJfc2QiOiBbIl ... gImVtYWlsIiwgInRlc3RAZXhhbXBsZS5jb20iXQ" } POST /credential HTTP/1.1 Host: credential-issuer.example.com Content-Type: application/json Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW { "format":"vc+sd-jwt", "type":"Identity", "proof":{ "proof_type":"jwt", "jwt":"eyJhbGciOiJFUzI1NiIsInR5cCI6Im9wZW5pZDR2Y2ktcHJvb2Yrand0Iiw ... jhe0xQmfIBCQz20xVjaM91ODdIt5JX_ztrcq4nkglH907Ofbugg" } } Request Response
  • 21. Example: Issued Credential { "iss": "https://credential-issuer.example.com", "iat": 1516239022, "exp": 1516247022, "type": "Identity", "_sd": [ "UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM", "tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ", "vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk" ], "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } } }
  • 22. OpenID for Verifiable Presentations (Highlights) - Designed for highest degree of privacy - Easy of use for developers - Supports various Security levels (e.g. mutual authentication among the parties) - Different user-experiences can be achieved (same-device and cross-device) - Presentation of multiple Credentials supported - Various Wallet deployment models supported - All local to a native app - Native app with cloud backend - Web wallet
  • 26. Cross-Device Flow (VP Token sent via HTTP POST)
  • 27. Same Device (VP Token sent via HTTP POST + redirect)
  • 29. Presentation Response { "definition_id": "mDL-sample-req", "id": "org.iso.18013.5.1.mDL", "descriptor_map": [ { "id": "mDL", "format": "mso_mdoc", "path": "$" } ] } presentation_submission vp_token HTTP/1.1 302 Found Location: https://client.example.org/cb# presentation_submission=... &vp_token=... { "status": 0, "version": "1.0", "documents": [ { "docType": "org.iso.18013.5.1.mDL", "deviceSigned": { "deviceAuth": { "deviceMac": [ << {1: 5} >>, {}, null, h'A574C64F18902BFE18B742F17C581218F88EA279AA ] }, "nameSpaces": 24(h'A0') }, "issuerSigned": { "issuerAuth": [ << {1: -7} >>, { 33: h'30820215308201BCA003020102021404AD06A30C1A6DC6E93BE0E2E8F78DCAFA7907C230 040613025A453059301306072A8648CE3D020106082A8648CE3D030107034200047C5545E9 000E9C46618C02202C1F778AD252285ED05D9B55469F1CB78D773671F30FE7AB8153719423 }, << 24(<< { "docType": "org.iso.18013.5.1.mDL", "version": "1.0",
  • 30. OpenID for Verifiable Credential Issuance New additions to the family coming! Self-Issued OP v2 OpenID for Verifiable Presentations OpenID for Verifiable Presentations over BLE Security and Trust in OpenID for Verifiable Credentials Core specs additions Certification Suite OID4VC High Assurance Interoperability Profile with SD-JWT VC Issuer (Website) Verifier (Website) Wallet (user’s device, cloud or hybrid) Issue Credentials Present Credentials User Interactions
  • 31. Latest Updates - Formal Security Analysis of Issuance and Presentation is about to be published. - Automated Conformance Tests for Wallets (Presentation) are available (1st revision). - Growing number of Open Source Implementations. - OpenID4VC driving convergence at the protocol layer. Getting traction in the - Aries community (.NET and JS Framework are being extended to support OID4VC) - mdoc community (18013-7, 23220-4, 23220-3) - etc.
  • 32. OID4VC High Assurance Interoperability Profile with SD-JWT VC
  • 33. OpenID4VC as Framework vs Profiles - Interoperability requires instantiation of OpenID 4 VC with concrete - Definition of “Mandatory to Implement” elements of the protocols, e.g. grant types & response types - Custom scheme for wallet invocation - Definition of authentication mechanisms for Verifiers and Wallets - Credential Format(s) with ■ issuer identification and key resolution ■ holder key binding - Crypto algorithms - Instantiation designated as “Profile”
  • 34. OID4VC High Assurance Interoperability Profile with SD-JWT VC - Interoperability across parties while being - Privacy preserving and - able to fulfill security and regulatory requirements - Intended audience - Proposal for eIDAS ARF (through OIDF/EC liaison) - CA DMV wallet - Basis for OWF project(s) - IDunion Tech Stack - GAIN PoC - Japanese government (Trusted Web project) - Basis for Userinfo - other jurisdictions - private companies / infrastructure companies
  • 35. OID4VC High Assurance Interoperability Profile with SD-JWT VC SIOPv2 OID4VP OID4VCI custom scheme crypto suites custom scheme credential profile client id scheme custom scheme credential profile wallet attestation scheme Protocols Attestation based Client Authentication crypto suites issuer key resolution Wallet Attestation Scheme Credential profile: SD-JWT VC SD-JWT VC JWT/CWT Statuslist crypto suites issuer key resolution crypto suites issuer key resolution - Custom Scheme: haip:// - issuer key resolution: web-based, x509 - Crypto Suites: P-256(secp256r1), SHA256 Basic Choices ● Authenticated issuer identifiers as basis for trust management ● Trust Management Mechanism can be defined on top Note: Similar profile for ISO mdoc is being worked on for 18013-7, 23220-4 and -3 IETF OAuth WG adopted draft IETF OAuth WG adopted draft
  • 36. Credential Format - SD-JWT VC with JSON payload (“typ”: “vc+sd-jwt”) - both compact and JSON serialization - Issuer identification and key resolution 1. Web PKI based: ■ issuer URL (“iss” claim) used to obtain jwks_uri ■ key id in the “kid” JWS header 2. x.509: ■ x.509 cert chain in the “x5c” JWS header ■ issuer URL (“iss” claim) MUST be Subject Alternative Name (dnsName) in x.509 cert - Key binding: - raw public key (jwk) in “cnf” JWT claim - Credential Revocation: Bitmap type style Status list using JWTs
  • 37. SD-JWT VC with web PKI based Issuer key resolution { "alg": "ES256", "typ": "vc+sd-jwt", "kid":"4" } { "iss": "https://credential-issuer.example.com", "iat": 1516239022, "exp": 1516247022, "type": "Identity", "_sd": [ "UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM", "tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ", "vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk" ], "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } }, "status": { "idx": "0,", "uri": "https://example.com/statuslists/1" } }
  • 38. SD-JWT VC with x.509 Issuer key resolution { "alg": "ES256", "typ": "vc+sd-jwt", "x5c": [ "MIICOjCCAeG...djzH7lA==", "MIICLTCCAdS...koAmhWVKe" ] } { "iss": "https://credential-issuer.example.com", "iat": 1516239022, "exp": 1516247022, "type": "Identity", "_sd": [ "UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM", "tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ", "vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk" ], "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } }, "status": { "idx": "0,", "uri": "https://example.com/statuslists/1" } }
  • 39. SD-JWT VC with OpenID Connect Federation Trust Chain { "alg": "ES256", "typ": "vc+sd-jwt", "trust_chain" = [ $EntityConfiguration-as-SignedJWT-selfissued-byLeaf, $EntityStatement-as-SignedJWT-issued-byTrustAnchor ] } { "iss": "https://credential-issuer.example.com", "iat": 1516239022, "exp": 1516247022, "type": "Identity", "_sd": [ "UiuRGkTW7e_5UQauGeQRQdF8u3WYevS4Fs0IuB_DgYM", "tmPlXq0MID-oRXbUNHyoVZrc9Qkm8cwJTohVyOVlUgQ", "vTz0JI103v4k4pKIloT83Yzi33L1SdZlWBPmsfJBefk" ], "_sd_alg": "sha-256", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } }, "status": { "idx": "0,", "uri": "https://example.com/statuslists/1" } }
  • 40. SD-JWT VC (decoded) { "iss": "https://credential-issuer.example.com" , "iat": 1541493724, "exp": 1541494724, "type": "Identity", "given_name": "Erika", "family_name": "Mustermann", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc" , "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } } "status": { "idx": "0,", "uri": "https://example.com/statuslists/1" } }
  • 41. OpenID for Verifiable Credential Issuance - custom scheme “haip://” for wallet invocation - Pre-authorized and authorization code flow are both required. - Wallet Attestation & Authentication with sender-constrained JWTs - Sender-constrained Tokens using DPoP required
  • 42. Issuance with Authorization Code and Wallet Attestation
  • 43. ● Extends the established framework of RFC7521 for a new form of client authentication ● Client instance obtains an attestation from client backend ● Client backend may perform any number of security checks before issuing a key-bound attestation JWT to the client instance ● Client instance authenticates towards Authorization server during a Token or PAR Request ● Note - how the client communicates with the client backend in steps 2&4 are out of scope ● Draft adopted by IETF OAuth WG OAuth2 Attestation-Based Client Authentication
  • 44. Wallet Attestation JWT { "iss": "https://attester.example.com" , "sub": "https://client.example.com" , "iat": 1516247022, "exp": 1541493724, "aal" : "https://trust-list.eu/aal/high ", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc" , "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" }, "key_type": "STRONGBOX", //optional "user_authentication" : "SYSTEM_PIN", //optional } } { "typ": "wallet-attestation+jwt" , "alg": "ES256", "kid": "1" }
  • 45. OpenID for Verifiable Presentations - custom scheme “haip://” for wallet invocation. - Universal presentation flow based on “direct_post” response mode for same and cross device flows. - Subset of the Presentation Exchange Syntax in order to simplify implementation and prevent security issues - Verifier Authentication with - x.509 Certificates or - Sender-constrained JWTs
  • 46. Same Device (VP Token sent via HTTP POST + redirect)
  • 47. Links OpenID 4 Verifiable Credential Issuance OpenID 4 Verifiable Presentation SIOP v2 OpenID4VC High Assurance Interoperability Profile with SD-JWT VC Security and Trust in OpenID for Verifiable Credentials Ecosystems https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/ Please engage with us: Digital Credentials Protocols (DCP) Working Group
  • 48. Q & A
  • 49. OID4VC High Assurance Interoperability Profile with mdocs (18013-7, 23220-4 and -3) SIOPv2 OID4VP OID4VCI custom scheme crypto suites custom scheme credential profile client id scheme custom scheme credential profile wallet attestation scheme Protocols Attestation based Client Authentication crypto suites issuer key resolution Wallet Attestation Scheme Credential profile: mdoc mdoc JWT/CWT Statuslist crypto suites issuer key resolution crypto suites issuer key resolution - Custom Scheme: haip:// - issuer key resolution: x509 - Crypto Suites: P-256(secp256r1), brainpool curves, etc. Basic Choices IETF OAuth WG adopted draft