Merge pull request #157 from vcstuff/danielfett/fix-key-binding-description

Fix key binding check description, consolidate into one section
danielfett authored Aug 9, 2023
2 parents 841f159 + 136673c commit 6b787f9
Showing 1 changed file with 19 additions and 26 deletions.
45 changes: 19 additions & 26 deletions draft-terbu-oauth-sd-jwt-vc.md
Expand Up @@ -294,26 +294,30 @@ The SD-JWT and the Disclosures would then be serialized by the Issuer into the f

## Verification and Processing {#vc-sd-jwt-verification-and-processing}

The recipient of the SD-JWT VC MUST process and verify an SD-JWT VC as
follows:

1. REQUIRED. Process and verify the SD-JWT as defined in
Section 6 of [@!I-D.ietf-oauth-selective-disclosure-jwt]. For the
verification, the `iss` claim in the SD-JWT MAY be used to retrieve the public
key from the JWT Issuer Metadata configuration (as defined in
(#jwt-issuer-metadata)) of the SD-JWT VC issuer. A Verifier MAY use alternative
methods to obtain the public key to verify the signature of the SD-JWT.
The recipient (Holder or Verifier) of an SD-JWT VC MUST process and verify an
SD-JWT VC as described in Section 6 of
[@!I-D.ietf-oauth-selective-disclosure-jwt].

If Key Binding is required (refer to the security considerations in Section 9.6 of [@!I-D.ietf-oauth-selective-disclosure-jwt]), the Verifier MUST verify the Key Binding JWT
according to Section 6 of [@!I-D.ietf-oauth-selective-disclosure-jwt]. To verify
the Key Binding JWT, the `cnf` claim of the SD-JWT MUST be used.

For the verification, the `iss` claim in the SD-JWT MAY be used to retrieve the
public key from the JWT Issuer Metadata configuration (as defined in
(#jwt-issuer-metadata)) of the SD-JWT VC issuer. Alternative methods MAY be used
to obtain the public key to verify the signature of the SD-JWT.

If there are no selectively disclosable claims, there is no need to process the
`_sd` claim nor any Disclosures.
1. OPTIONAL. If `status` is present in the verified payload of the SD-JWT,
the status SHOULD be checked. It depends on the Verifier policy to reject or
accept a presentation of a SD-JWT VC based on the status of the Verifiable
Credential.

If `status` is present in the verified payload of the SD-JWT, the status SHOULD
be checked. It depends on the Verifier policy to reject or accept a presentation
of a SD-JWT VC based on the status of the Verifiable Credential.

Any claims used that are not understood MUST be ignored.

Additional validation rules MAY apply, but their use is out of the scope of
this specification.
Additional validation rules MAY apply, but their use is out of the scope of this
specification.

# JWT Issuer Metadata {#jwt-issuer-metadata}
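Review bot: the consolidated Key Binding paragraph ("If Key Binding is required ... the Verifier MUST verify the Key Binding JWT") no longer says what a Verifier does when a Key Binding JWT is present but not required, whereas the step removed from the presentation section read "If provided, the Verifier MUST verify the Key Binding JWT". Consider stating both cases explicitly, e.g. "If a Key Binding JWT is present, the Verifier MUST verify it according to Section 6 of [@!I-D.ietf-oauth-selective-disclosure-jwt]; if Key Binding is required and no Key Binding JWT is present, the Verifier MUST reject the presentation." Minor: the "If Key Binding is required" line is not wrapped at the ~80 columns used by the rest of the section.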

Expand Down Expand Up @@ -472,17 +476,6 @@ Key Binding JWT:

<{{examples/02/sd_jwt_presentation.txt}}

## Verification and Processing {#vp-sd-jwt-verification-and-processing}

The Verifier MUST process and verify a presentation of SD-JWT VC as follows:

1. REQUIRED. When processing and verifying the presentation of the SD-JWT VC,
the Verifier MUST follow the same verification and processing rules as defined
in (#vc-sd-jwt-verification-and-processing).
1. OPTIONAL. If provided, the Verifier MUST verify the Key Binding JWT
according to Section 6 of [@!I-D.ietf-oauth-selective-disclosure-jwt].
To verify the Key Binding JWT, the `cnf` claim of the SD-JWT MUST be used.

# Security Considerations {#security-considerations}

TBD: Verifier provided `nonce`.
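Review bot: deleting the whole "## Verification and Processing {#vp-sd-jwt-verification-and-processing}" section also removes the `#vp-sd-jwt-verification-and-processing` anchor, so any remaining cross-reference to it elsewhere in the draft will break the mmark build; please grep for the anchor before merging. With the section gone, the presentation example above now flows straight into Security Considerations with no pointer to where a presentation is verified; a one-line replacement such as "A presentation of an SD-JWT VC is verified as defined in (#vc-sd-jwt-verification-and-processing)." would keep both the anchor and the pointer.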