SlideShare une entreprise Scribd logo

OpenID for Verifiable Credentials (IIW 35)

T
Torsten Lodderstedt

This slide deck gives an introduction to OpenID for Verifiable Credentials and an update on the changes since last IIW.

Technologie
1  sur  13
Télécharger pour lire hors ligne
OpenID for Verifiable Credentials The next generation of OpenID Kristina Yasuda, Microsoft Oliver Terbu, Spruce, Tobias Looker, Mattr, Dr. Torsten Lodderstedt, yes.com
2 What is it? OpenID for Verifiable Credential Issuance (Issuance of verifiable credentials) Issuer (Website) Verifier (Website) Holder (Digital Wallet) Can be hosted locally on the user’s device, have cloud components, or be entirely hosted in the cloud Issue Credentials Present Credentials Self-Issued OP v2 (authentication using identifiers not namespaced to a third-party identity provider) OpenID for Verifiable Presentations (Presentation of verifiable credentials)
3 Credential Issuer Wallet OP Alice Stored Verifiable Credentials ⓪ Wallet requests & User authorizes credential issuance ③ Credential is issued ① access token(, refresh token) ② Wallet requests credential issuance Credential issuance via simple OAuth-authorized API OpenID for Verifiable Credential Issuance
4 - RP can request credentials by format*, type and select claims for selective disclosure, e.g ○ format: “ldp_vc” type: “IDCredential” claims: “given_name” & “last_name” ○ format: “mso_mdoc” doctype: “org.iso.18013.5.1.mDL” claims: “driving_privileges” OpenID for Verifiable Presentations Website or App (RP) Wallet OP Alice ⓪ User tries to get access to a resource Stored Verifiable Credentials ② Wallet issues Verifiable Presentation(s) in VP Token ① RP requests Credential(s) - Verifiable Presentations* are returned in the so-called VP Token (one or more)
5 OpenID4VCs allows variety of choices in the VC tech stack Component Implementer’s choices when using OpenID4VP Format of VCs/PID/(Q)EAA Any format (W3C VCs, ISO mDL, SD-JWT, AnonCreds, …) Method to obtain Public Keys Any DID method, raw keys, or X.509 certs Cryptography Any crypto suite (EdDSA, ES256K, etc.) Revocation Any mechanism (Status List 2021, etc.) Trust Management Any mechanism for managing trusted Issuers, Wallets and Relying Parties (EU Trusted List, OpenID Connect Federation, TRAIN, …)
6 Working Group Updates Since Last Workshop – May 2022 ■ Renamed from “OpenID Connect 4 SSI” to “OpenID 4 Verifiable Credentials” ■ OpenID 4 VCs is a new kind of OpenID ■ Started comprehensive security threat analysis ■ Conformance Test (1st revision) ■ New sub page https://openid.net/openid4vc/
7 OpenID for Verifiable Credential Issuance ● Pre-authorized code flow ● Changed base protocol to OAuth 2.0 ● Improved Credential type identification (flexible yet format native) ● Added issuer/credential metadata ● Batch credential issuance ● Enabled protocol for high level security credential issuance { "format": "mso_mdoc", "doctype": "org.iso.18013.5.1.mDL", "claims": { "org.iso.18013.5.1": { "given_name": {}, "last_name": {}, "birth_date": {} } }, "... } { "format": "jwt_vc_json", "types": [ "VerifiableCredential", "UniversityDegreeCredential" ], "CredentialSubject": { "given_name": {}, "last_name": {}, "degree": {} } ... }
8 OpenID 4 Verifiable Presentations ● Changed base protocol to OAuth 2.0 ● Replaced “claims” parameter by following options: ▪ scope (definition left to spec or deployment) ▪ presentation definition (by value or by reference) ● Started to move SIOP v2 pieces to make OpenID4VPs self-contained ▪ cross device flow ▪ client metadata
9 SIOP v2 ● SIOP “just” means “iss” == “sub” ● id_token_types_supported ▪ subject_signed: self-issued id token, i.e. the id token is signed with key material under the end-user's control. ▪ attester_signed: signed by the OP , classical ID Token ● SIOP now supports all OpenID Connect flows
10 Other standards bodies & non profits & government activities ■ Incorporated OpenID4VCs into ISO drafts (18013-7/mDL & 23220-3&4/eID) ■ The European Blockchain Services Infrastructure (EBSI) adopted OpenID4VCs ■ EU eIDAS v2 ● Presented to EU eIDAS expert group ● OpenID4VCs was added to short list ■ Established liaison with ETSi ■ Working on BLE mode with MOSIP
11 Implementers ■ Finnish ID, CA DMV, Microsoft, Mattr, IDunion, walt.id & yes.com & BCDiploma (eSSIF-Lab), Talao.io, Workday, Ping Identity, Trinsic/Dentity (incl. Auth0 plugin), Convergence.Tech, Sphereon, Gimly, CAS Software AG, Verimi/Deutsche Telekom, Spruce, Crossword, ValidatedID, IQ4, Diwala, Entrustient, Danube Tech, …
12 Working Group Issues to be Addressed ■ More implementers feedback (preparing IDs for all spec) ■ Overall trust model and security considerations draft ■ Issuance: issuer metadata path & file content, issuer identification by DID, anonymous & externally managed clients ■ Offline support (BLE) - first non-WG draft -> ■ Conformance Testing
13 Q & A

Recommandé

OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
Torsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
Lal Chandran
 

Recommandé

OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
Torsten Lodderstedt
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
Torsten Lodderstedt
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
Torsten Lodderstedt
 
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
EUDI wallets with OpenID for verifiable credentials (OID4VCI/OID4VP)
Lal Chandran
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
Torsten Lodderstedt
 
Masterclass on the DID Universal Resolver
Masterclass on the DID Universal ResolverMasterclass on the DID Universal Resolver
Masterclass on the DID Universal Resolver
Markus Sabadello
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
Torsten Lodderstedt
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
Torsten Lodderstedt
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Kristina Yasuda
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
Torsten Lodderstedt
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
Torsten Lodderstedt
 
Verifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & HospitalityVerifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & Hospitality
Evernym
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs
Vasiliy Suvorov
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)
Evernym
 
Future-proofing Authentication with Passkeys
Future-proofing Authentication with PasskeysFuture-proofing Authentication with Passkeys
Future-proofing Authentication with Passkeys
Nordic APIs
 
Verifiable credentials explained by CCI
Verifiable credentials explained by CCIVerifiable credentials explained by CCI
Verifiable credentials explained by CCI
Kaliya "Identity Woman" Young
 
Introduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityIntroduction to Self Sovereign Identity
Introduction to Self Sovereign Identity
Heather Vescent
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Kristina Yasuda
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
SSIMeetup
 
What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?
Evernym
 
The Shift from Federated to Decentralized Identity
The Shift from Federated to Decentralized IdentityThe Shift from Federated to Decentralized Identity
The Shift from Federated to Decentralized Identity
Evernym
 
次世代 KYC に関する検討状況 - OpenID BizDay #15
次世代 KYC に関する検討状況 - OpenID BizDay #15次世代 KYC に関する検討状況 - OpenID BizDay #15
次世代 KYC に関する検討状況 - OpenID BizDay #15
OpenID Foundation Japan
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
Torsten Lodderstedt
 
PolygonID Zero-Knowledge Identity Web2 & Web3
PolygonID Zero-Knowledge Identity Web2 & Web3PolygonID Zero-Knowledge Identity Web2 & Web3
PolygonID Zero-Knowledge Identity Web2 & Web3
SSIMeetup
 

Contenu connexe

Tendances

Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Kristina Yasuda
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
SSIMeetup
 
The Shift from Federated to Decentralized Identity
The Shift from Federated to Decentralized IdentityThe Shift from Federated to Decentralized Identity
The Shift from Federated to Decentralized Identity
Evernym
 

Tendances (20)

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 
OpenID Connect 4 SSI
OpenID Connect 4 SSIOpenID Connect 4 SSI
OpenID Connect 4 SSI
 
Masterclass on the DID Universal Resolver
Masterclass on the DID Universal ResolverMasterclass on the DID Universal Resolver
Masterclass on the DID Universal Resolver
 
Identity Assurance with OpenID Connect
Identity Assurance with OpenID ConnectIdentity Assurance with OpenID Connect
Identity Assurance with OpenID Connect
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
 
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdfVerifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
Verifiable Credentials_Kristina_Identiverse2022_vFIN.pdf
 
OpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential ObjectsOpenID Connect for W3C Verifiable Credential Objects
OpenID Connect for W3C Verifiable Credential Objects
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
Verifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & HospitalityVerifiable Credentials for Travel & Hospitality
Verifiable Credentials for Travel & Hospitality
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)
 
Future-proofing Authentication with Passkeys
Future-proofing Authentication with PasskeysFuture-proofing Authentication with Passkeys
Future-proofing Authentication with Passkeys
 
Verifiable credentials explained by CCI
Verifiable credentials explained by CCIVerifiable credentials explained by CCI
Verifiable credentials explained by CCI
 
Introduction to Self Sovereign Identity
Introduction to Self Sovereign IdentityIntroduction to Self Sovereign Identity
Introduction to Self Sovereign Identity
 
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
Self-issued OpenID Provider_OpenID Foundation Virtual Workshop
 
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
Peer DIDs: a secure and scalable method for DIDs that’s entirely off-ledger –...
 
What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?What is self-sovereign identity (SSI)?
What is self-sovereign identity (SSI)?
 
The Shift from Federated to Decentralized Identity
The Shift from Federated to Decentralized IdentityThe Shift from Federated to Decentralized Identity
The Shift from Federated to Decentralized Identity
 
次世代 KYC に関する検討状況 - OpenID BizDay #15
次世代 KYC に関する検討状況 - OpenID BizDay #15次世代 KYC に関する検討状況 - OpenID BizDay #15
次世代 KYC に関する検討状況 - OpenID BizDay #15
 

Similaire à OpenID for Verifiable Credentials (IIW 35)

Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
Raj Chanchal
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpace
Oliver Pfaff
 
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and Applications
Svetlin Nakov
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10
githe26200
 
Java Cert Pki
Java Cert PkiJava Cert Pki
Java Cert Pki
phanleson
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 

Similaire à OpenID for Verifiable Credentials (IIW 35) (20)

How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
PolygonID Zero-Knowledge Identity Web2 & Web3
PolygonID Zero-Knowledge Identity Web2 & Web3PolygonID Zero-Knowledge Identity Web2 & Web3
PolygonID Zero-Knowledge Identity Web2 & Web3
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
TLDR - OAuth
TLDR - OAuthTLDR - OAuth
TLDR - OAuth
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpace
 
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and Applications
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10
 
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffapi-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Microservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity ServerMicroservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity Server
 
[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black
 
Java Cert Pki
Java Cert PkiJava Cert Pki
Java Cert Pki
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
Decentralized Identifiers
Decentralized IdentifiersDecentralized Identifiers
Decentralized Identifiers
 
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 

Plus de Torsten Lodderstedt

The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
Torsten Lodderstedt
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
Torsten Lodderstedt
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
Torsten Lodderstedt
 

Plus de Torsten Lodderstedt (13)

The European Union goes Decentralized
The European Union goes DecentralizedThe European Union goes Decentralized
The European Union goes Decentralized
 
GAIN Presentation.pptx
GAIN Presentation.pptxGAIN Presentation.pptx
GAIN Presentation.pptx
 
Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2Comprehensive overview FAPI 1 and 2
Comprehensive overview FAPI 1 and 2
 
OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32OpenID Connect 4 Identity Assurance at IIW #32
OpenID Connect 4 Identity Assurance at IIW #32
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Rich Authorization Requests
Rich Authorization RequestsRich Authorization Requests
Rich Authorization Requests
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
OpenID Connect for Identity Assurance
OpenID Connect for Identity AssuranceOpenID Connect for Identity Assurance
OpenID Connect for Identity Assurance
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
Identiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical InteroperabilityIdentiverse: PSD2, Open Banking, and Technical Interoperability
Identiverse: PSD2, Open Banking, and Technical Interoperability
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27OAuth Security 4 Dummies iiw#27
OAuth Security 4 Dummies iiw#27
 
Identity Proofing with OpenID Connect
Identity Proofing with OpenID ConnectIdentity Proofing with OpenID Connect
Identity Proofing with OpenID Connect
 

Dernier

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Skynet Technologies
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 

Dernier (20)

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 

OpenID for Verifiable Credentials (IIW 35)

  • 1. OpenID for Verifiable Credentials The next generation of OpenID Kristina Yasuda, Microsoft Oliver Terbu, Spruce, Tobias Looker, Mattr, Dr. Torsten Lodderstedt, yes.com
  • 2. 2 What is it? OpenID for Verifiable Credential Issuance (Issuance of verifiable credentials) Issuer (Website) Verifier (Website) Holder (Digital Wallet) Can be hosted locally on the user’s device, have cloud components, or be entirely hosted in the cloud Issue Credentials Present Credentials Self-Issued OP v2 (authentication using identifiers not namespaced to a third-party identity provider) OpenID for Verifiable Presentations (Presentation of verifiable credentials)
  • 3. 3 Credential Issuer Wallet OP Alice Stored Verifiable Credentials ⓪ Wallet requests & User authorizes credential issuance ③ Credential is issued ① access token(, refresh token) ② Wallet requests credential issuance Credential issuance via simple OAuth-authorized API OpenID for Verifiable Credential Issuance
  • 4. 4 - RP can request credentials by format*, type and select claims for selective disclosure, e.g ○ format: “ldp_vc” type: “IDCredential” claims: “given_name” & “last_name” ○ format: “mso_mdoc” doctype: “org.iso.18013.5.1.mDL” claims: “driving_privileges” OpenID for Verifiable Presentations Website or App (RP) Wallet OP Alice ⓪ User tries to get access to a resource Stored Verifiable Credentials ② Wallet issues Verifiable Presentation(s) in VP Token ① RP requests Credential(s) - Verifiable Presentations* are returned in the so-called VP Token (one or more)
  • 5. 5 OpenID4VCs allows variety of choices in the VC tech stack Component Implementer’s choices when using OpenID4VP Format of VCs/PID/(Q)EAA Any format (W3C VCs, ISO mDL, SD-JWT, AnonCreds, …) Method to obtain Public Keys Any DID method, raw keys, or X.509 certs Cryptography Any crypto suite (EdDSA, ES256K, etc.) Revocation Any mechanism (Status List 2021, etc.) Trust Management Any mechanism for managing trusted Issuers, Wallets and Relying Parties (EU Trusted List, OpenID Connect Federation, TRAIN, …)
  • 6. 6 Working Group Updates Since Last Workshop – May 2022 ■ Renamed from “OpenID Connect 4 SSI” to “OpenID 4 Verifiable Credentials” ■ OpenID 4 VCs is a new kind of OpenID ■ Started comprehensive security threat analysis ■ Conformance Test (1st revision) ■ New sub page https://openid.net/openid4vc/
  • 7. 7 OpenID for Verifiable Credential Issuance ● Pre-authorized code flow ● Changed base protocol to OAuth 2.0 ● Improved Credential type identification (flexible yet format native) ● Added issuer/credential metadata ● Batch credential issuance ● Enabled protocol for high level security credential issuance { "format": "mso_mdoc", "doctype": "org.iso.18013.5.1.mDL", "claims": { "org.iso.18013.5.1": { "given_name": {}, "last_name": {}, "birth_date": {} } }, "... } { "format": "jwt_vc_json", "types": [ "VerifiableCredential", "UniversityDegreeCredential" ], "CredentialSubject": { "given_name": {}, "last_name": {}, "degree": {} } ... }
  • 8. 8 OpenID 4 Verifiable Presentations ● Changed base protocol to OAuth 2.0 ● Replaced “claims” parameter by following options: ▪ scope (definition left to spec or deployment) ▪ presentation definition (by value or by reference) ● Started to move SIOP v2 pieces to make OpenID4VPs self-contained ▪ cross device flow ▪ client metadata
  • 9. 9 SIOP v2 ● SIOP “just” means “iss” == “sub” ● id_token_types_supported ▪ subject_signed: self-issued id token, i.e. the id token is signed with key material under the end-user's control. ▪ attester_signed: signed by the OP , classical ID Token ● SIOP now supports all OpenID Connect flows
  • 10. 10 Other standards bodies & non profits & government activities ■ Incorporated OpenID4VCs into ISO drafts (18013-7/mDL & 23220-3&4/eID) ■ The European Blockchain Services Infrastructure (EBSI) adopted OpenID4VCs ■ EU eIDAS v2 ● Presented to EU eIDAS expert group ● OpenID4VCs was added to short list ■ Established liaison with ETSi ■ Working on BLE mode with MOSIP
  • 11. 11 Implementers ■ Finnish ID, CA DMV, Microsoft, Mattr, IDunion, walt.id & yes.com & BCDiploma (eSSIF-Lab), Talao.io, Workday, Ping Identity, Trinsic/Dentity (incl. Auth0 plugin), Convergence.Tech, Sphereon, Gimly, CAS Software AG, Verimi/Deutsche Telekom, Spruce, Crossword, ValidatedID, IQ4, Diwala, Entrustient, Danube Tech, …
  • 12. 12 Working Group Issues to be Addressed ■ More implementers feedback (preparing IDs for all spec) ■ Overall trust model and security considerations draft ■ Issuance: issuer metadata path & file content, issuer identification by DID, anonymous & externally managed clients ■ Offline support (BLE) - first non-WG draft -> ■ Conformance Testing