From 4003085da1c56b59cc0b5bfc01200b525813d440 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Wed, 5 Jun 2024 12:41:17 +0200 Subject: [PATCH 01/20] Add display and claim metadata --- draft-ietf-oauth-sd-jwt-vc.md | 213 ++++++++++++++++++++++++++++++++++ 1 file changed, 213 insertions(+) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index f08e117..10dbd89 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -540,6 +540,10 @@ defined: * `extends` * OPTIONAL. A URI of another type that this type extends, as described in (#extending-type-metadata). +* `display`: An object containing display information for the type, as described + in (#DisplayMetadata). This property is OPTIONAL. +* `claims`: An object containing claim information for the type, as described in + (#ClaimMetadata). This property is OPTIONAL. ## Extending Type Metadata {#extending-type-metadata} 
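Review bot: `claims` is summarised in this hunk as "An object containing claim information for the type", but the Claim Metadata section added further down in the same patch defines it as an array ("The `claims` property is an array of objects containing information about particular claims"); make the summary match the definition, e.g. `* claims: An array of objects containing claim information for the type, as described in (#ClaimMetadata).` The two new entries also use a trailing "This property is OPTIONAL." while the neighbouring `extends` entry leads with "OPTIONAL. ..."; use one style for the whole list.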
@@ -624,6 +628,215 @@ The value MUST be an "integrity metadata" string as defined in Section 3 of [@!W3C.SRI]. A Consumer of the respective documents MUST verify the integrity of the retrieved document as defined in Section 3.3.5 of [@!W3C.SRI]. + + +# Display Metadata {#DisplayMetadata} + +The `display` property is an object containing display information for the type. +The object MUST contain a property for each language that is supported by the +type. The property name MUST be a language tag as defined in Section 2 of +[@!RFC5646]. The property value MUST be an object containing the following +properties: + +- `name`: A human-readable name for the type, intended for end users. This + property is OPTIONAL. +- `description`: A human-readable description for the type, intended for end + users. This property is OPTIONAL. +- `rendering`: An object containing rendering information for the type, as + described in (#RenderingMetadata). This property is OPTIONAL. + +## Rendering Metadata {#RenderingMetadata} + +The `rendering` property is an object containing rendering information for the +type. The object MUST contain a property for each rendering method that is +supported by the type. The property name MUST be a rendering method identifier +and the property value MUST be an object containing the properties defined for +the rendering method. + +### Rendering Method "simple" {#RenderingMethodSimple} + +The `simple` rendering method is intended for use in applications that do not +support SVG rendering. The object MUST contain the following properties: + +- `logo`: An object containing information about the logo to be displayed for + the type, as described in (#LogoMetadata). This property is OPTIONAL. +- `background_color`: A CSS color value for the background of the credential. + This property is OPTIONAL. +- `text_color`: A CSS color value for the text of the credential. This property + is OPTIONAL. 
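Review bot: "The object MUST contain the following properties" under Rendering Method "simple" contradicts the list that follows it, in which `logo`, `background_color` and `text_color` are all OPTIONAL; write "MAY contain" (or plain "contains", as the Logo Metadata subsection does). Two further points in this region: Display Metadata makes the RFC 5646 language tag the JSON property name, and language tags are case-insensitive (`en-US` and `en-us` are the same tag), so either mandate a canonical form for the keys or require consumers to match case-insensitively, otherwise a lookup for the user's preferred language can silently miss and fall through to another language. And `background_color` / `text_color` are defined only as "A CSS color value"; since this is issuer-supplied text that wallets will inject into their UI styling, constrain it to a fixed syntax (for example `#RRGGBB`) rather than the full CSS color grammar.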
+ +#### Logo Metadata {#LogoMetadata} + +The `logo` property is an object containing information about the logo to be +displayed for the type. The object contains the following properties: + +- `uri`: A URI pointing to the logo image. This property is REQUIRED. +- `uri#integrity`: An "integrity metadata" string as described in + (#Integrity). This property is OPTIONAL. +- `alt_text`: A string containing alternative text for the logo image. This + property is OPTIONAL. + +### Rendering Method "svg_template" {#RenderingMethodSvg} + +The `svg_template` rendering method is intended for use in applications that +support SVG rendering. The object MUST contain an array of objects containing +information about the SVG templates available for the type. Each object contains +the following properties: + +- `uri`: A URI pointing to the SVG template. This property is REQUIRED. +- `uri#integrity`: An "integrity metadata" string as described in + (#Integrity). This property is OPTIONAL. +- `properties`: An object containing properties for the SVG template, as + described in (#SvgTemplateProperties). This property is REQUIRED if more than + one SVG template is present, otherwise it is OPTIONAL. + +#### SVG Template Properties {#SvgTemplateProperties} + +The `properties` property is an object containing properties for the SVG +template. Consuming applications MUST use these properties to find the best SVG +template available for display to the user based on the display properties +(landscape/portrait) and user preferences (color scheme, contrast). The object +MUST contain at least one of the following properties: + +- `orientation`: The orientation for which the SVG template is optimized, with + valid values being `portrait` and `landscape`. This property is OPTIONAL. +- `color_scheme`: The color scheme for which the SVG template is optimized, with + valid values being `light` and `dark`. This property is OPTIONAL. 
+- `contrast`: The contrast for which the SVG template is optimized, with valid + values being `normal` and `high`. This property is OPTIONAL. + +# Claim Metadata {#ClaimMetadata} + +The `claims` property is an array of objects containing information about +particular claims for displaying and validating the claims. + +The array MAY contain an object for each claim that is supported by the type. +Each object contains the following properties: + +- `path`: An array indicating the claim or claims that are being addressed, as + described below. This property is REQUIRED. +- `display`: An object containing display information for the claim, as + described in (#ClaimDisplayMetadata). This property is OPTIONAL. +- `verification`: A string indicating how the claim is verified, as described in + (#ClaimVerificationMetadata). This property is OPTIONAL. +- `sd`: A string indicating whether the claim is selectively disclosable, as + described in (#ClaimSelectiveDisclosureMetadata). This property is OPTIONAL. + +## Claim Path {#ClaimPath} + +The `path` property MUST be a non-empty array of strings, `null` values, or +non-negative integers. It is used to select a particular claim in the credential +or a set of claims. A string indicates that the respective key is to be +selected, a `null` value indicates that all elements of the currently selected +array(s) are to be selected, and a non-negative integer indicates that the +respective index in an array is to be selected. 
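Review bot: Rendering Method "svg_template" says "The object MUST contain an array of objects", but Rendering Metadata one section up says the value of each rendering-method property "MUST be an object containing the properties defined for the rendering method"; decide whether the value is an array of template objects or an object holding such an array and state it identically in both places. On the security side, `uri#integrity` is OPTIONAL for SVG templates even though the template is fetched from an issuer-controlled URI and rendered by the wallet, and SVG is active content (`<script>`, event handler attributes, `<foreignObject>`, external `href`/`xlink:href` references); either make `uri#integrity` REQUIRED for `svg_template`, or add a requirement that consumers render templates with scripting disabled and external resource loading blocked, ideally both. Finally, "Consuming applications MUST use these properties to find the best SVG template" does not define "best"; say which of `orientation`, `color_scheme` and `contrast` takes precedence when no template matches all of the user's preferences, and what happens when `properties` is absent on one of several templates.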
+ +The following shows a non-normative, reduced example of a credential: + +```json +{ + "vct": "https://betelgeuse.example.com/education_credential", + "name": "Arthur Dent", + "address": { + "street_address": "42 Market Street", + "city": "Milliways", + "postal_code": "12345" + }, + "degrees": [ + { + "type": "Bachelor of Science", + "university": "University of Betelgeuse" + }, + { + "type": "Master of Science", + "university": "University of Betelgeuse" + } + ], + "nationalities": ["British", "Betelgeusian"] +} +``` + +The following shows examples of `path` values and the respective selected +claims in the credential above: + +- `["name"]`: The claim `name` with the value `Arthur Dent` is selected. +- `["address"]`: The claim `address` with its sub-claims as the value is selected. +- `["address", "street_address"]`: The claim `street_address` with the value + `42 Market Street` is selected. +- `["degrees", null, "type"]`: All `type` claims in the `degrees` array are + selected. + +In detail, the array is processed from left to right as follows: + + 1. Select the root element of the credential, i.e., the top-level JSON object. + 2. Process the `path` components from left to right: + 1. If the `path` component is a string, select the element in the respective + key in the currently selected element(s). If any of the currently + selected element(s) is not an object, abort processing and return an + error. If the key does not exist in any element currently selected, + remove that element from the selection. + 2. If the `path` component is `null`, select all elements of the currently + selected array(s). If any of the currently selected element(s) is not an + array, abort processing and return an error. + 3. If the `path` component is a non-negative integer, select the element at + the respective index in the currently selected array(s). If any of the + currently selected element(s) is not an array, abort processing and + return an error. 
If the index does not exist in a selected array, remove + that array from the selection. + 3. If the set of elements currently selected is empty, abort processing and + return an error. + +The result of the processing is the set of elements to which the respective +claim metadata applies. + +Note: The `path` property MUST point to the respective claim as if all +selectively disclosable claims were disclosed to a Verifier. That means that a +consuming application which does not have access to all disclosures may not be +able to identify the claim which is being addressed. + +## Claim Display Metadata {#ClaimDisplayMetadata} + +The `display` property is an object containing display information for the +claim. The object MUST contain a property for each language that is supported by +the type. The property name MUST be a language tag as defined in Section 2 of +[@!RFC5646]. The consuming application MUST use the language tag it considers most +appropriate for the user. + +The property value MUST be an object containing the following properties: + +- `label`: A human-readable label for the claim, intended for end users. This + property is OPTIONAL. +- `description`: A human-readable description for the claim, intended for end + users. This property is OPTIONAL. + +## Claim Verification Metadata {#ClaimVerificationMetadata} + +The `verification` property is a string indicating how the claim is verified. +The following values are defined: + +- `self-attested`: The claim's value was self-attested by the End-User towards + the Issuer. The Issuer did not verify the claim. For example, in a diploma, + the residential address of the student may be self-attested. +- `verified`: The claim's value was verified by the Issuer. The Issuer may have + used a third party to verify the claim. For example, in a diploma, the birth + date of the student may have been verified by the university using the + student's passport. 
+- `authoritative`: The Issuer claims to be the authority to make a statement + about the claim's value. For example, in a diploma, the degree earned by the + student may be authoritative if the Issuer is the university that issued the + degree. + +## Claim Selective Disclosure Metadata {#ClaimSelectiveDisclosureMetadata} + +The `sd` property is a string indicating whether the claim is selectively +disclosable. The following values are defined: + +- `always`: The Issuer MUST make the claim selectively disclosable. +- `allowed`: The Issuer MAY make the claim selectively disclosable. +- `never`: The Issuer MUST NOT make the claim selectively disclosable. + +If omitted, the default value is `allowed`. + # Security Considerations {#security-considerations} The Security Considerations in the SD-JWT specification From d9c67356b1cadc72143a53cfdba1a375abbb5fc7 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Wed, 5 Jun 2024 12:52:27 +0200 Subject: [PATCH 02/20] Fix references --- draft-ietf-oauth-sd-jwt-vc.md | 42 +++++++++++++++++------------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 10dbd89..08c3c79 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -541,9 +541,9 @@ defined: * OPTIONAL. A URI of another type that this type extends, as described in (#extending-type-metadata). * `display`: An object containing display information for the type, as described - in (#DisplayMetadata). This property is OPTIONAL. + in (#display-metadata). This property is OPTIONAL. * `claims`: An object containing claim information for the type, as described in - (#ClaimMetadata). This property is OPTIONAL. + (#claim-metadata). This property is OPTIONAL. ## Extending Type Metadata {#extending-type-metadata} 
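Review bot: The `sd` values do not say what happens when two `claims` entries address nested paths with conflicting settings, e.g. `["address"]` with `"sd": "never"` and `["address", "street_address"]` with `"sd": "always"`, or the reverse, where a child marked `never` sits under a parent marked `always` and is therefore only visible once the parent is disclosed; define a precedence rule or require nested entries to be consistent, and say what a consumer does with two entries that have the same `path`. In the `path` processing steps, 2.1 reads "If the key does not exist in any element currently selected, remove that element from the selection", which pairs "any element" with a singular "that element"; "in an element currently selected" makes clear that only the elements lacking the key are dropped, not the whole selection. The closing Note that a consumer without all disclosures "may not be able to identify the claim" should also spell out the consequence for Verifiers: an unresolvable `path` means the Holder withheld the enclosing object, not that the claim is absent, so it must not be treated as evidence about the claim's value or `verification` status.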
@@ -630,7 +630,7 @@ integrity of the retrieved document as defined in Section 3.3.5 of [@!W3C.SRI]. -# Display Metadata {#DisplayMetadata} +# Display Metadata {#display-metadata} The `display` property is an object containing display information for the type. The object MUST contain a property for each language that is supported by the @@ -643,9 +643,9 @@ properties: - `description`: A human-readable description for the type, intended for end users. This property is OPTIONAL. - `rendering`: An object containing rendering information for the type, as - described in (#RenderingMetadata). This property is OPTIONAL. + described in (#rendering-metadata). This property is OPTIONAL. -## Rendering Metadata {#RenderingMetadata} +## Rendering Metadata {#rendering-metadata} The `rendering` property is an object containing rendering information for the type. The object MUST contain a property for each rendering method that is 
@@ -653,30 +653,30 @@ supported by the type. The property name MUST be a rendering method identifier and the property value MUST be an object containing the properties defined for the rendering method. -### Rendering Method "simple" {#RenderingMethodSimple} +### Rendering Method "simple" {#rendering-method-simple} The `simple` rendering method is intended for use in applications that do not support SVG rendering. The object MUST contain the following properties: - `logo`: An object containing information about the logo to be displayed for - the type, as described in (#LogoMetadata). This property is OPTIONAL. + the type, as described in (#logo-metadata). This property is OPTIONAL. - `background_color`: A CSS color value for the background of the credential. This property is OPTIONAL. - `text_color`: A CSS color value for the text of the credential. This property is OPTIONAL. -#### Logo Metadata {#LogoMetadata} +#### Logo Metadata {#logo-metadata} The `logo` property is an object containing information about the logo to be displayed for the type. The object contains the following properties: - `uri`: A URI pointing to the logo image. This property is REQUIRED. - `uri#integrity`: An "integrity metadata" string as described in - (#Integrity). This property is OPTIONAL. + (#document-integrity). This property is OPTIONAL. - `alt_text`: A string containing alternative text for the logo image. This property is OPTIONAL. -### Rendering Method "svg_template" {#RenderingMethodSvg} +### Rendering Method "svg_template" {#rendering-method-svg} The `svg_template` rendering method is intended for use in applications that support SVG rendering. The object MUST contain an array of objects containing 
@@ -685,12 +685,12 @@ the following properties: - `uri`: A URI pointing to the SVG template. This property is REQUIRED. - `uri#integrity`: An "integrity metadata" string as described in - (#Integrity). This property is OPTIONAL. + (#document-integrity). This property is OPTIONAL. - `properties`: An object containing properties for the SVG template, as - described in (#SvgTemplateProperties). This property is REQUIRED if more than + described in (#svg-template-properties). This property is REQUIRED if more than one SVG template is present, otherwise it is OPTIONAL. -#### SVG Template Properties {#SvgTemplateProperties} +#### SVG Template Properties {#svg-template-properties} The `properties` property is an object containing properties for the SVG template. Consuming applications MUST use these properties to find the best SVG @@ -705,7 +705,7 @@ MUST contain at least one of the following properties: - `contrast`: The contrast for which the SVG template is optimized, with valid values being `normal` and `high`. This property is OPTIONAL. -# Claim Metadata {#ClaimMetadata} +# Claim Metadata {#claim-metadata} The `claims` property is an array of objects containing information about particular claims for displaying and validating the claims. 
@@ -716,13 +716,13 @@ Each object contains the following properties: - `path`: An array indicating the claim or claims that are being addressed, as described below. This property is REQUIRED. - `display`: An object containing display information for the claim, as - described in (#ClaimDisplayMetadata). This property is OPTIONAL. + described in (#claim-display-metadata). This property is OPTIONAL. - `verification`: A string indicating how the claim is verified, as described in - (#ClaimVerificationMetadata). This property is OPTIONAL. + (#claim-verification-metadata). This property is OPTIONAL. - `sd`: A string indicating whether the claim is selectively disclosable, as - described in (#ClaimSelectiveDisclosureMetadata). This property is OPTIONAL. + described in (#claim-selective-disclosure-metadata). This property is OPTIONAL. -## Claim Path {#ClaimPath} +## Claim Path {#claim-path} The `path` property MUST be a non-empty array of strings, `null` values, or non-negative integers. It is used to select a particular claim in the credential @@ -794,7 +794,7 @@ selectively disclosable claims were disclosed to a Verifier. That means that a consuming application which does not have access to all disclosures may not be able to identify the claim which is being addressed. -## Claim Display Metadata {#ClaimDisplayMetadata} +## Claim Display Metadata {#claim-display-metadata} The `display` property is an object containing display information for the claim. The object MUST contain a property for each language that is supported by @@ -809,7 +809,7 @@ The property value MUST be an object containing the following properties: - `description`: A human-readable description for the claim, intended for end users. This property is OPTIONAL. -## Claim Verification Metadata {#ClaimVerificationMetadata} +## Claim Verification Metadata {#claim-verification-metadata} The `verification` property is a string indicating how the claim is verified. The following values are defined: 
@@ -826,7 +826,7 @@ The following values are defined: student may be authoritative if the Issuer is the university that issued the degree. -## Claim Selective Disclosure Metadata {#ClaimSelectiveDisclosureMetadata} +## Claim Selective Disclosure Metadata {#claim-selective-disclosure-metadata} The `sd` property is a string indicating whether the claim is selectively disclosable. The following values are defined: From 9aac8d4413e661aa9a9541723a58ab5854e51f57 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Wed, 5 Jun 2024 13:00:14 +0200 Subject: [PATCH 03/20] Missing line --- draft-ietf-oauth-sd-jwt-vc.md | 1 + 1 file changed, 1 insertion(+) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 08c3c79..2bbbd40 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -623,6 +623,7 @@ document MAY be accompanied by a respective claim suffixed with `#integrity`, in * `vct` as defined in (#claims), * `extends` as defined in (#extending-type-metadata) + * `uri` as used in two places in (#rendering-metadata) The value MUST be an "integrity metadata" string as defined in Section 3 of [@!W3C.SRI]. A Consumer of the respective documents MUST verify the From 078e8f126968f258177439da0012599bf28f62b9 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Sat, 6 Jul 2024 21:38:58 +0200 Subject: [PATCH 04/20] Apply suggestions from code review Co-authored-by: Brian Campbell <71398439+bc-pi@users.noreply.github.com> --- draft-ietf-oauth-sd-jwt-vc.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 2bbbd40..2f2c5e3 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md 
@@ -718,7 +718,7 @@ Each object contains the following properties: described below. This property is REQUIRED. - `display`: An object containing display information for the claim, as described in (#claim-display-metadata). This property is OPTIONAL. -- `verification`: A string indicating how the claim is verified, as described in +- `verification`: A string indicating how the claim was verified, as described in (#claim-verification-metadata). This property is OPTIONAL. - `sd`: A string indicating whether the claim is selectively disclosable, as described in (#claim-selective-disclosure-metadata). This property is OPTIONAL. @@ -812,7 +812,7 @@ The property value MUST be an object containing the following properties: ## Claim Verification Metadata {#claim-verification-metadata} -The `verification` property is a string indicating how the claim is verified. +The `verification` property is a string indicating how the claim was verified. The following values are defined: - `self-attested`: The claim's value was self-attested by the End-User towards From 0a26a60bd8ae80776df4d2efc424d0815b6de385 Mon Sep 17 00:00:00 2001 From: Brian Campbell Date: Mon, 8 Jul 2024 09:12:19 -0600 Subject: [PATCH 05/20] display and claim type metadata to doc history --- draft-ietf-oauth-sd-jwt-vc.md | 1 + 1 file changed, 1 insertion(+) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 5f6c3d9..fed70f7 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -1225,6 +1225,7 @@ for their contributions (some of which substantial) to this draft and to the ini * update reference to IETF Status List * Include Type Metadata +* Include display and claim type metadata * Editorial changes * Updated terminology to clarify digital signatures are one way to secure VCs and presentations From 9e3c3e572822f432c2b873c61a3e019a4540bcc8 Mon Sep 17 00:00:00 2001 
From: Daniel Fett Date: Thu, 15 Aug 2024 10:06:57 +0200 Subject: [PATCH 06/20] Add example --- .gitignore | 7 +++++-- draft-ietf-oauth-sd-jwt-vc.md | 37 +++++++++++++++++++++++------------ 2 files changed, 30 insertions(+), 14 deletions(-) diff --git a/.gitignore b/.gitignore index f1b1b91..8c72582 100644 --- a/.gitignore +++ b/.gitignore @@ -23,5 +23,8 @@ report.xml !requirements.txt # Ignore output of examples except for specification.yml -examples/*/* -!examples/*/specification.yml \ No newline at end of file +examples/*/kb_jwt_* +examples/*/sd_jwt_* +examples/*/user_claims.json +examples/*/verified_contents.json +examples/*/disclosures.md \ No newline at end of file diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index fed70f7..6c4bd24 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -528,6 +528,8 @@ retrieved from the URL } ``` +This example is shortened for presentation, a full Type Metadata example can be found in (#ExampleTypeMetadata). + Note: The hash of the Type Metadata document shown in the second example must be equal to the one in the `vct#integrity` claim in the SD-JWT VC payload, `WRL5ca_xGgX3c1VLmXfh-9cLlJNXN-TsMk-PmKjZ5t0`. @@ -551,6 +553,8 @@ defined: * `claims`: An object containing claim information for the type, as described in (#claim-metadata). This property is OPTIONAL. +An example of a Type Metadata document is shown in (#ExampleTypeMetadata). + ## Extending Type Metadata {#extending-type-metadata} A type can extend another type. The extended type is identified by the URI in 
@@ -639,12 +643,14 @@ integrity of the retrieved document as defined in Section 3.3.5 of [@!W3C.SRI]. # Display Metadata {#display-metadata} -The `display` property is an object containing display information for the type. -The object MUST contain a property for each language that is supported by the -type. The property name MUST be a language tag as defined in Section 2 of -[@!RFC5646]. The property value MUST be an object containing the following -properties: +The `display` property is an array containing display information for the type. +The array MUST contain an object for each language that is supported by the +type. The consuming application MUST use the language tag it considers most +appropriate for the user. + +The objects in the array MUST have the following properties: +- `lang`: A language tag as defined in Section 2 of [@!RFC5646]. This property is REQUIRED. - `name`: A human-readable name for the type, intended for end users. This property is OPTIONAL. - `description`: A human-readable description for the type, intended for end 
@@ -803,14 +809,14 @@ able to identify the claim which is being addressed. ## Claim Display Metadata {#claim-display-metadata} -The `display` property is an object containing display information for the -claim. The object MUST contain a property for each language that is supported by -the type. The property name MUST be a language tag as defined in Section 2 of -[@!RFC5646]. The consuming application MUST use the language tag it considers most +The `display` property is an array containing display information for the +claim. The array MUST contain an object for each language that is supported by +the type. The consuming application MUST use the language tag it considers most appropriate for the user. -The property value MUST be an object containing the following properties: +The objects in the array MUST have the following properties: +- `lang`: A language tag as defined in Section 2 of [@!RFC5646]. This property is REQUIRED. - `label`: A human-readable label for the claim, intended for end users. This property is OPTIONAL. - `description`: A human-readable description for the claim, intended for end @@ -1202,6 +1208,10 @@ After the validation, the Verifier will have the following data for further proc <{{examples/03-pid/verified_contents.json}} +## Example 2: Type Metadata {#ExampleTypeMetadata} + +<{{examples/typemetadata/example.json}} + # Acknowledgements {#Acknowledgements} We would like to thank @@ -1221,11 +1231,14 @@ for their contributions (some of which substantial) to this draft and to the ini # Document History --04 +-05 -* update reference to IETF Status List * Include Type Metadata * Include display and claim type metadata + +-04 + +* update reference to IETF Status List * Editorial changes * Updated terminology to clarify digital signatures are one way to secure VCs and presentations From d337dbd4f51d4355df57fd96619a67c9c531c54f Mon Sep 17 00:00:00 2001 
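Review bot: After changing both the type-level and the claim-level `display` from language-keyed objects to arrays of objects with a `lang` member, the property summary in the Type Metadata list still describes `display` as "An object containing display information for the type" and `claims` as "An object containing claim information" (the latter is visible as unchanged context in the @@ -551,6 +553,8 @@ hunk); update both to "An array of objects ...". The new wording "The array MUST contain an object for each language that is supported by the type" also leaves open what a consumer does with two entries carrying the same `lang`, or when none matches the user's locale; specify first-match-wins (or reject duplicates) and a fallback such as the first entry. In the Document History hunk, "Include Type Metadata" moves from -04 to -05 while "update reference to IETF Status List" stays under -04; confirm that split reflects what was actually published in -04.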
From: Daniel Fett Date: Thu, 15 Aug 2024 10:08:11 +0200 Subject: [PATCH 07/20] Really add example now --- examples/typemetadata/example.json | 142 +++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 examples/typemetadata/example.json diff --git a/examples/typemetadata/example.json b/examples/typemetadata/example.json new file mode 100644 index 0000000..ba55145 --- /dev/null +++ b/examples/typemetadata/example.json 
@@ -0,0 +1,142 @@ +{ + "vct": "https://betelgeuse.example.com/education_credential", + "name": "Betelgeuse Education Credential - Preliminary Version", + "description": "This is our development version of the education credential. Don't panic.", + "extends": "https://galaxy.example.com/galactic-education-credential-0.9", + "extends#integrity": "sha256-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-WRL5", + "display": [ + { + "lang": "en-US", + "name": "Betelgeuse Education Credential", + "description": "An education credential for all carbon-based life forms on Betelgeusians", + "rendering": { + "simple": { + "logo": { + "uri": "https://betelgeuse.example.com/public/education-logo.png", + "uri#integrity": "sha256-LmXfh-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1V", + "alt_text": "Betelgeuse Ministry of Education logo" + }, + "background_color": "#12107c", + "text_color": "#FFFFFF" + }, + "svg_templates": [ + { + "uri": "https://betelgeuse.example.com/public/credential-english.svg", + "uri#integrity": "sha256-8cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-9c", + "properties": { + "orientation": "landscape", + "color_scheme": "light", + "contrast": "high" + } + } + ] + } + }, + { + "lang": "de-DE", + "name": "Betelgeuse-Bildungsnachweis", + "rendering": { + "simple": { + "logo": { + "uri": "https://betelgeuse.example.com/public/education-logo-de.png", + "uri#integrity": "sha256-LmXfh-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1V", + "alt_text": "Logo des Betelgeusischen Bildungsministeriums" + }, + "background_color": "#12107c", + "text_color": "#FFFFFF" + }, + "svg_templates": [ + { + "uri": "https://betelgeuse.example.com/public/credential-german.svg", + "uri#integrity": "sha256-8cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-9c", + "properties": { + "orientation": "landscape", + "color_scheme": "light", + "contrast": "high" + } + } + ] + } + } + ], + "claims": [ + { + "path": [ + "name" + ], + "display": [ + { + "lang": "de-DE", + "label": "Vor- und Nachname", + "description": "Der Name des 
Studenten" + }, + { + "lang": "en-US", + "label": "Name", + "description": "The name of the student" + } + ], + "verification": "verified", + "sd": "allowed" + }, + { + "path": [ + "address" + ], + "display": [ + { + "lang": "de-DE", + "label": "Adresse", + "description": "Adresse zum Zeitpunkt des Abschlusses" + }, + { + "lang": "en-US", + "label": "Address", + "description": "Address at the time of graduation" + } + ], + "verification": "self-attested", + "sd": "always" + }, + { + "path": [ + "address", + "street_address" + ], + "display": [ + { + "lang": "de-DE", + "label": "Straße" + }, + { + "lang": "en-US", + "label": "Street Address" + } + ], + "verification": "self-attested", + "sd": "always" + }, + { + "path": [ + "degrees", + null + ], + "display": [ + { + "lang": "de-DE", + "label": "Abschluss", + "description": "Der Abschluss des Studenten" + }, + { + "lang": "en-US", + "label": "Degree", + "description": "Degree earned by the student" + } + ], + "verification": "authoritative", + "sd": "allowed" + } + ], + "schema_url": "https://exampleuniversity.com/public/credential-schema-0.9", + "schema_url#integrity": "sha256-o984vn819a48ui1llkwPmKjZ5t0WRL5ca_xGgX3c1VLmXfh" +} \ No newline at end of file From acbba6eabbff020f6ffb91ff12156a4b07c7898b Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Fri, 16 Aug 2024 09:11:41 +0200 Subject: [PATCH 08/20] Fix typo --- draft-ietf-oauth-sd-jwt-vc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index c9fa031..7705078 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md 
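Review bot: The example uses `"svg_templates"` as the rendering-method key while the specification text defines the identifier as `svg_template`; one of the two has to change or the example will not validate against the spec. The integrity strings (`extends#integrity`, all four `uri#integrity` values and `schema_url#integrity`) are also not valid W3C SRI metadata: SRI Section 3 specifies base64, whereas these contain `-` and `_`, and their lengths differ from one another and from the 43/44 characters an encoded 32-byte SHA-256 digest has, so a consumer that "MUST verify the integrity of the retrieved document" would reject them. Readers copy examples verbatim, so compute real digests over the referenced example files or label the values as placeholders in the surrounding text. Minor: "for all carbon-based life forms on Betelgeusians" presumably means "on Betelgeuse".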
@@ -482,7 +482,7 @@ MUST NOT be used. # Type Metadata {#type-metadata} -A SD-JWT VC type, i.e., the `vct` value, is associated with Type Metadata defining, for example, information about the type or a schema defining (see (#schema-definition)) which claims MAY or MUST appear in the SD-JWT VC. +An SD-JWT VC type, i.e., the `vct` value, is associated with Type Metadata defining, for example, information about the type or a schema defining (see (#schema-definition)) which claims MAY or MUST appear in the SD-JWT VC. This section defines Type Metadata that can be associated with a type of a SD-JWT VC, as well as a method for retrieving the Type Metadata and processing rules. This Type Metadata is intended to be used, among other things, for the following purposes: From d0dfe3df2d50640c020628054c6753dd31d3c762 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Tue, 20 Aug 2024 20:14:58 +0200 Subject: [PATCH 09/20] inline example because Brian's brain can't handle outsourced examples --- examples/typemetadata/example.json | 142 ----------------------------- 1 file changed, 142 deletions(-) delete mode 100644 examples/typemetadata/example.json diff --git a/examples/typemetadata/example.json b/examples/typemetadata/example.json deleted file mode 100644 index ba55145..0000000 --- a/examples/typemetadata/example.json +++ /dev/null 
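Review bot: The "A SD-JWT" to "An SD-JWT" fix is applied to the first sentence only; the unchanged context line directly below still reads "a type of a SD-JWT VC", so the same correction belongs there.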
@@ -1,142 +0,0 @@ -{ - "vct": "https://betelgeuse.example.com/education_credential", - "name": "Betelgeuse Education Credential - Preliminary Version", - "description": "This is our development version of the education credential. Don't panic.", - "extends": "https://galaxy.example.com/galactic-education-credential-0.9", - "extends#integrity": "sha256-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-WRL5", - "display": [ - { - "lang": "en-US", - "name": "Betelgeuse Education Credential", - "description": "An education credential for all carbon-based life forms on Betelgeusians", - "rendering": { - "simple": { - "logo": { - "uri": "https://betelgeuse.example.com/public/education-logo.png", - "uri#integrity": "sha256-LmXfh-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1V", - "alt_text": "Betelgeuse Ministry of Education logo" - }, - "background_color": "#12107c", - "text_color": "#FFFFFF" - }, - "svg_templates": [ - { - "uri": "https://betelgeuse.example.com/public/credential-english.svg", - "uri#integrity": "sha256-8cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-9c", - "properties": { - "orientation": "landscape", - "color_scheme": "light", - "contrast": "high" - } - } - ] - } - }, - { - "lang": "de-DE", - "name": "Betelgeuse-Bildungsnachweis", - "rendering": { - "simple": { - "logo": { - "uri": "https://betelgeuse.example.com/public/education-logo-de.png", - "uri#integrity": "sha256-LmXfh-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1V", - "alt_text": "Logo des Betelgeusischen Bildungsministeriums" - }, - "background_color": "#12107c", - "text_color": "#FFFFFF" - }, - "svg_templates": [ - { - "uri": "https://betelgeuse.example.com/public/credential-german.svg", - "uri#integrity": "sha256-8cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-9c", - "properties": { - "orientation": "landscape", - "color_scheme": "light", - "contrast": "high" - } - } - ] - } - } - ], - "claims": [ - { - "path": [ - "name" - ], - "display": [ - { - "lang": "de-DE", - "label": "Vor- und Nachname", - "description": "Der Name des 
Studenten" - }, - { - "lang": "en-US", - "label": "Name", - "description": "The name of the student" - } - ], - "verification": "verified", - "sd": "allowed" - }, - { - "path": [ - "address" - ], - "display": [ - { - "lang": "de-DE", - "label": "Adresse", - "description": "Adresse zum Zeitpunkt des Abschlusses" - }, - { - "lang": "en-US", - "label": "Address", - "description": "Address at the time of graduation" - } - ], - "verification": "self-attested", - "sd": "always" - }, - { - "path": [ - "address", - "street_address" - ], - "display": [ - { - "lang": "de-DE", - "label": "Straße" - }, - { - "lang": "en-US", - "label": "Street Address" - } - ], - "verification": "self-attested", - "sd": "always" - }, - { - "path": [ - "degrees", - null - ], - "display": [ - { - "lang": "de-DE", - "label": "Abschluss", - "description": "Der Abschluss des Studenten" - }, - { - "lang": "en-US", - "label": "Degree", - "description": "Degree earned by the student" - } - ], - "verification": "authoritative", - "sd": "allowed" - } - ], - "schema_url": "https://exampleuniversity.com/public/credential-schema-0.9", - "schema_url#integrity": "sha256-o984vn819a48ui1llkwPmKjZ5t0WRL5ca_xGgX3c1VLmXfh" -} \ No newline at end of file From a33636a0297800785b3bf713829c2ed3f8cf71f9 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Tue, 20 Aug 2024 20:15:57 +0200 Subject: [PATCH 10/20] inline example because Brian's brain can't handle outsourced examples --- draft-ietf-oauth-sd-jwt-vc.md | 145 +++++++++++++++++++++++++++++++++- 1 file changed, 144 insertions(+), 1 deletion(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 7705078..12339f1 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md 
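Review bot: ordering problem with this deletion hunk: it removes the standalone example JSON file one commit before PATCH 10 removes the `<{{examples/typemetadata/example.json}}` include and inlines the identical content into the draft, so at this commit the draft still pulls in a file that no longer exists. Squash this deletion into PATCH 10, or reorder the two so the include is replaced first, so that every commit in the series builds.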
@@ -1362,7 +1362,150 @@ After the validation, the Verifier will have the following data for further proc ## Example 2: Type Metadata {#ExampleTypeMetadata} -<{{examples/typemetadata/example.json}} +```json +{ + "vct": "https://betelgeuse.example.com/education_credential", + "name": "Betelgeuse Education Credential - Preliminary Version", + "description": "This is our development version of the education credential. Don't panic.", + "extends": "https://galaxy.example.com/galactic-education-credential-0.9", + "extends#integrity": "sha256-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-WRL5", + "display": [ + { + "lang": "en-US", + "name": "Betelgeuse Education Credential", + "description": "An education credential for all carbon-based life forms on Betelgeusians", + "rendering": { + "simple": { + "logo": { + "uri": "https://betelgeuse.example.com/public/education-logo.png", + "uri#integrity": "sha256-LmXfh-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1V", + "alt_text": "Betelgeuse Ministry of Education logo" + }, + "background_color": "#12107c", + "text_color": "#FFFFFF" + }, + "svg_templates": [ + { + "uri": "https://betelgeuse.example.com/public/credential-english.svg", + "uri#integrity": "sha256-8cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-9c", + "properties": { + "orientation": "landscape", + "color_scheme": "light", + "contrast": "high" + } + } + ] + } + }, + { + "lang": "de-DE", + "name": "Betelgeuse-Bildungsnachweis", + "rendering": { + "simple": { + "logo": { + "uri": "https://betelgeuse.example.com/public/education-logo-de.png", + "uri#integrity": "sha256-LmXfh-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1V", + "alt_text": "Logo des Betelgeusischen Bildungsministeriums" + }, + "background_color": "#12107c", + "text_color": "#FFFFFF" + }, + "svg_templates": [ + { + "uri": "https://betelgeuse.example.com/public/credential-german.svg", + "uri#integrity": "sha256-8cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-9c", + "properties": { + "orientation": "landscape", + "color_scheme": "light", + 
"contrast": "high" + } + } + ] + } + } + ], + "claims": [ + { + "path": [ + "name" + ], + "display": [ + { + "lang": "de-DE", + "label": "Vor- und Nachname", + "description": "Der Name des Studenten" + }, + { + "lang": "en-US", + "label": "Name", + "description": "The name of the student" + } + ], + "verification": "verified", + "sd": "allowed" + }, + { + "path": [ + "address" + ], + "display": [ + { + "lang": "de-DE", + "label": "Adresse", + "description": "Adresse zum Zeitpunkt des Abschlusses" + }, + { + "lang": "en-US", + "label": "Address", + "description": "Address at the time of graduation" + } + ], + "verification": "self-attested", + "sd": "always" + }, + { + "path": [ + "address", + "street_address" + ], + "display": [ + { + "lang": "de-DE", + "label": "Straße" + }, + { + "lang": "en-US", + "label": "Street Address" + } + ], + "verification": "self-attested", + "sd": "always" + }, + { + "path": [ + "degrees", + null + ], + "display": [ + { + "lang": "de-DE", + "label": "Abschluss", + "description": "Der Abschluss des Studenten" + }, + { + "lang": "en-US", + "label": "Degree", + "description": "Degree earned by the student" + } + ], + "verification": "authoritative", + "sd": "allowed" + } + ], + "schema_url": "https://exampleuniversity.com/public/credential-schema-0.9", + "schema_url#integrity": "sha256-o984vn819a48ui1llkwPmKjZ5t0WRL5ca_xGgX3c1VLmXfh" +} +``` # Acknowledgements {#Acknowledgements} From aacc49af0d2eb02204ca9e051dfcbe41e8445046 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Tue, 20 Aug 2024 20:21:17 +0200 Subject: [PATCH 11/20] Add back missing parts of usage description --- draft-ietf-oauth-sd-jwt-vc.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 12339f1..7454af5 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md 
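Review bot: the `#integrity` values in this inlined example are not well-formed digests and are reused across different files, e.g. `"extends#integrity": "sha256-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1VLmXfh-WRL5"`: a 32-byte SHA-256 digest base64-encodes to 43 characters plus one `=`, while the strings here range from 43 to 47 characters, and `"uri#integrity": "sha256-LmXfh-9cLlJNXN-TsMk-PmKjZ5t0WRL5ca_xGgX3c1V"` is given for both `education-logo.png` and `education-logo-de.png`, as the same digest is for both SVG templates. Implementers copy from examples, so either compute distinct real digests for the example files or mark the values visibly as placeholders. While here, the description `"An education credential for all carbon-based life forms on Betelgeusians"` needs a grammar fix ("on Betelgeuse" or "for all carbon-based Betelgeusians").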
@@ -482,7 +482,7 @@ MUST NOT be used. # Type Metadata {#type-metadata} -An SD-JWT VC type, i.e., the `vct` value, is associated with Type Metadata defining, for example, information about the type or a schema defining (see (#schema-definition)) which claims MAY or MUST appear in the SD-JWT VC. +An SD-JWT VC type, i.e., the `vct` value, is associated with Type Metadata defining, for example, information about the type or a schema defining (see (#schema-definition)) which claims MAY or MUST appear in the SD-JWT VC, and how credentials are displayed. This section defines Type Metadata that can be associated with a type of a SD-JWT VC, as well as a method for retrieving the Type Metadata and processing rules. This Type Metadata is intended to be used, among other things, for the following purposes: @@ -495,6 +495,8 @@ This section defines Type Metadata that can be associated with a type of a SD-JW according to the rules of the type. For example, a Verifier can check whether a credential contains all required claims and whether the claims are selectively disclosable. + * Wallets can use the metadata to display the credential in a way that is + consistent with the Issuer's intent. Type Metadata can be retrieved as described in (#retrieving-type-metadata). From be04290ff182c65921c633a46859a4bc03962667 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Tue, 20 Aug 2024 20:22:08 +0200 Subject: [PATCH 12/20] Remove changes to gitignore file --- .gitignore | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 8c72582..f1b1b91 100644 --- a/.gitignore +++ b/.gitignore @@ -23,8 +23,5 @@ report.xml !requirements.txt # Ignore output of examples except for specification.yml -examples/*/kb_jwt_* -examples/*/sd_jwt_* -examples/*/user_claims.json -examples/*/verified_contents.json -examples/*/disclosures.md \ No newline at end of file +examples/*/* +!examples/*/specification.yml \ No newline at end of file 
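Review bot: the clause added in the first hunk attaches to the wrong noun: "a schema defining (see (#schema-definition)) which claims MAY or MUST appear in the SD-JWT VC, and how credentials are displayed" reads as if the schema defines how credentials are displayed. Suggest "..., a schema (see (#schema-definition)) defining which claims MAY or MUST appear in the SD-JWT VC, or how credentials are displayed."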
From daf13d2a7fe15ac57efd089294237c77eaf21bbf Mon Sep 17 00:00:00 2001 From: Brian Campbell <71398439+bc-pi@users.noreply.github.com> Date: Thu, 22 Aug 2024 16:47:03 -0600 Subject: [PATCH 13/20] Issuer's intent -> consistent with the intent of the provider of the Type Metadata Co-authored-by: Daniel Fett --- draft-ietf-oauth-sd-jwt-vc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 7454af5..bec360e 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -496,7 +496,7 @@ This section defines Type Metadata that can be associated with a type of a SD-JW whether a credential contains all required claims and whether the claims are selectively disclosable. * Wallets can use the metadata to display the credential in a way that is - consistent with the Issuer's intent. + consistent with the intent of the provider of the Type Metadata. Type Metadata can be retrieved as described in (#retrieving-type-metadata). From 88467bf551921041be03baf33501e4499e1df1ef Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Wed, 28 Aug 2024 18:39:33 +0200 Subject: [PATCH 14/20] Apply suggestions from code review Co-authored-by: Oliver Terbu --- draft-ietf-oauth-sd-jwt-vc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index bec360e..95fa83b 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md 
@@ -949,7 +949,7 @@ In detail, the array is processed from left to right as follows: The result of the processing is the set of elements to which the respective claim metadata applies. -Note: The `path` property MUST point to the respective claim as if all +The `path` property MUST point to the respective claim as if all selectively disclosable claims were disclosed to a Verifier. That means that a consuming application which does not have access to all disclosures may not be able to identify the claim which is being addressed. From 17b29d8ff772994a09a42acc4c1c3b274795b2c0 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Wed, 28 Aug 2024 18:43:10 +0200 Subject: [PATCH 15/20] Apply suggestions from code review as discussed on the editor's call --- draft-ietf-oauth-sd-jwt-vc.md | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 95fa83b..b6e2222 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -799,7 +799,7 @@ The objects in the array MUST have the following properties: - `lang`: A language tag as defined in Section 2 of [@!RFC5646]. This property is REQUIRED. - `name`: A human-readable name for the type, intended for end users. This - property is OPTIONAL. + property is REQUIRED. - `description`: A human-readable description for the type, intended for end users. This property is OPTIONAL. - `rendering`: An object containing rendering information for the type, as 
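Review bot: the paragraph touched in the first hunk names a failure case without saying what to do about it: "a consuming application which does not have access to all disclosures may not be able to identify the claim which is being addressed" should be followed by the required behaviour, for example that claim metadata whose `path` cannot be resolved against the claims actually available is ignored for that credential rather than treated as an error. Dropping the "Note:" prefix is right, since a MUST should not live inside a note, but the now-normative paragraph needs that missing rule.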
@@ -965,27 +965,10 @@ The objects in the array MUST have the following properties: - `lang`: A language tag as defined in Section 2 of [@!RFC5646]. This property is REQUIRED. - `label`: A human-readable label for the claim, intended for end users. This - property is OPTIONAL. + property is REQUIRED. - `description`: A human-readable description for the claim, intended for end users. This property is OPTIONAL. -## Claim Verification Metadata {#claim-verification-metadata} - -The `verification` property is a string indicating how the claim was verified. -The following values are defined: - -- `self-attested`: The claim's value was self-attested by the End-User towards - the Issuer. The Issuer did not verify the claim. For example, in a diploma, - the residential address of the student may be self-attested. -- `verified`: The claim's value was verified by the Issuer. The Issuer may have - used a third party to verify the claim. For example, in a diploma, the birth - date of the student may have been verified by the university using the - student's passport. -- `authoritative`: The Issuer claims to be the authority to make a statement - about the claim's value. For example, in a diploma, the degree earned by the - student may be authoritative if the Issuer is the university that issued the - degree. - ## Claim Selective Disclosure Metadata {#claim-selective-disclosure-metadata} The `sd` property is a string indicating whether the claim is selectively From 982f49fe165fcf08865e662f2a3ca164fc22b211 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Wed, 28 Aug 2024 18:46:01 +0200 Subject: [PATCH 16/20] Update draft-ietf-oauth-sd-jwt-vc.md --- draft-ietf-oauth-sd-jwt-vc.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index b6e2222..efe18ba 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md 
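Review bot: this hunk removes the "Claim Verification Metadata" section and its `{#claim-verification-metadata}` anchor, but the `verification` bullet in the Claim Metadata property list that still references `(#claim-verification-metadata)` is only removed in PATCH 18, and the `"verification": ...` entries in the example only in PATCH 17, so the intermediate commits carry a dangling section reference and an example using a property the draft no longer defines. Move both removals into this commit.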
@@ -569,17 +569,6 @@ defined: An example of a Type Metadata document is shown in (#ExampleTypeMetadata). -## Extending Type Metadata {#extending-type-metadata} - -A type can extend another type. The extended type is identified by the URI in -the `extends` property. Consumers MUST retrieve and process -Type Metadata for the extended type before processing the Type Metadata for the extending -type. - -The extended type MAY itself extend another type. This can be used to create a -chain or hierarchy of types. The security considerations described in -(#circular-extends) apply in order to avoid problems with circular dependencies. - ## Retrieving Type Metadata {#retrieving-type-metadata} ### From a URL in the `vct` Claim {#retrieval-from-vct-claim} From 142109b0cb5963068d99f8d8617122eea12258dd Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Wed, 11 Sep 2024 13:26:54 +0200 Subject: [PATCH 17/20] Fix example and add CSS color reference --- draft-ietf-oauth-sd-jwt-vc.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index efe18ba..452ec61 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -809,9 +809,9 @@ support SVG rendering. The object MUST contain the following properties: - `logo`: An object containing information about the logo to be displayed for the type, as described in (#logo-metadata). This property is OPTIONAL. -- `background_color`: A CSS color value for the background of the credential. +- `background_color`: An RGB color value as defined in [@!W3C.CSS-COLOR] for the background of the credential. This property is OPTIONAL. -- `text_color`: A CSS color value for the text of the credential. This property +- `text_color`: An RGB color value as defined in [@!W3C.CSS-COLOR] value for the text of the credential. This property is OPTIONAL. #### Logo Metadata {#logo-metadata} 
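Review bot: missing rationale for the first hunk: it deletes the whole "Extending Type Metadata" section, including the normative ordering rule ("Consumers MUST retrieve and process Type Metadata for the extended type before processing the Type Metadata for the extending type") and the pointer to the circular-dependency considerations in (#circular-extends), under the subject line "Update draft-ietf-oauth-sd-jwt-vc.md". If the text moved elsewhere, the commit message should say where; if the requirements were dropped on purpose, it should say why, because the `extends` property still appears in the example and the processing order for extended types still needs a home.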
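Review bot: duplicated word in the `text_color` line of the PATCH 17 hunk: "An RGB color value as defined in [@!W3C.CSS-COLOR] value for the text of the credential" should drop the second "value". Consider also naming the permitted syntax (the example uses hex notation such as `#12107c`); "an RGB color value as defined in CSS Color" still admits named colors, `rgb()` and other notations that every wallet would then have to parse.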
@@ -1235,6 +1235,13 @@ recommendations in (#robust-retrieval) apply. JSON Schema (2020-12) + + + + CSS Color Module Level 3 + + + {backmatter} # IANA Considerations @@ -1415,7 +1422,6 @@ After the validation, the Verifier will have the following data for further proc "description": "The name of the student" } ], - "verification": "verified", "sd": "allowed" }, { @@ -1434,7 +1440,6 @@ After the validation, the Verifier will have the following data for further proc "description": "Address at the time of graduation" } ], - "verification": "self-attested", "sd": "always" }, { @@ -1452,7 +1457,6 @@ After the validation, the Verifier will have the following data for further proc "label": "Street Address" } ], - "verification": "self-attested", "sd": "always" }, { @@ -1472,7 +1476,6 @@ After the validation, the Verifier will have the following data for further proc "description": "Degree earned by the student" } ], - "verification": "authoritative", "sd": "allowed" } ], From 6f286710f2f9479978b91cc354f7a728fed08507 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Wed, 11 Sep 2024 14:06:21 +0200 Subject: [PATCH 18/20] Add part on sandboxing --- draft-ietf-oauth-sd-jwt-vc.md | 51 ++++++++++++++++++++++++++++++++--- 1 file changed, 48 insertions(+), 3 deletions(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 452ec61..afe12a0 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md 
@@ -854,6 +854,48 @@ MUST contain at least one of the following properties: - `contrast`: The contrast for which the SVG template is optimized, with valid values being `normal` and `high`. This property is OPTIONAL. +#### SVG Rendering {#svg-rendering} + +Consuming application MUST preprocess the SVG template by replacing placeholders +in the SVG template with properly escaped values of the claims in the credential. The +placeholders MUST be defined in the SVG template using the syntax +`{{svg_id}}`, where `svg_id` is an identifier defined in the claim metadata as +described in (#claim-metadata). + +Placeholders MUST only be used in the text content of the SVG template and MUST NOT +be used in any other part of the SVG template, e.g., in attributes or comments. + +A consuming application MUST ensure that all special characters in the claim +values are properly escaped before inserting them into the SVG template. At +least the following characters MUST be escaped: + +- `&` as `&` +- `<` as `<` +- `>` as `>` +- `"` as `"` +- `'` as `'` + +If the `svg_id` is not present in the claim metadata, the consuming application +SHOULD reject not render the SVG template. If the `svg_id` is present in the +claim metadata, but the claim is not present in the credential, the placeholder +MUST be replaced with an empty string. + +The following non-normative example shows a minimal SVG with one placeholder +using the `svg_id` value `address_street_address` which is defined in the +example in (#ExampleTypeMetadata): + +```svg + + {{address_street_address}} + +``` + +When rendering the SVG template, the consuming application MUST ensure that +malicious schema providers or issuers cannot inject executable code into the SVG +template and thereby compromise the security of the consuming application. The +consuming application MUST NOT execute any code in the SVG template. If code +execution cannot be prevented reliably, the SVG display MUST be sandboxed. 
+ # Claim Metadata {#claim-metadata} The `claims` property is an array of objects containing information about @@ -866,10 +908,12 @@ Each object contains the following properties: described below. This property is REQUIRED. - `display`: An object containing display information for the claim, as described in (#claim-display-metadata). This property is OPTIONAL. -- `verification`: A string indicating how the claim was verified, as described in - (#claim-verification-metadata). This property is OPTIONAL. - `sd`: A string indicating whether the claim is selectively disclosable, as described in (#claim-selective-disclosure-metadata). This property is OPTIONAL. +- `svg_id`: A string defining the ID of the claim for reference in the SVG + template, as described in (#svg-rendering). The ID MUST be unique within the + type metadata. It MUST consist of only alphanumeric characters and underscores + and MUST NOT start with a digit. This property is OPTIONAL. ## Claim Path {#claim-path} @@ -1457,7 +1501,8 @@ After the validation, the Verifier will have the following data for further proc "label": "Street Address" } ], - "sd": "always" + "sd": "always", + "svg_id": "address_street_address" }, { "path": [ From b448cc9c2b5d938c1e0bd14cff8c7c59634143e9 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Wed, 11 Sep 2024 14:10:24 +0200 Subject: [PATCH 19/20] Attempt to fix reference --- draft-ietf-oauth-sd-jwt-vc.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index afe12a0..d3bacf0 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -1284,6 +1284,21 @@ recommendations in (#robust-retrieval) apply. CSS Color Module Level 3 + + + Mozilla Corporation + + + + + W3C + + + + + W3C Invited Experts + + {backmatter} From ee6c131d87dfc11de8d444682ea331c697041e6a Mon Sep 17 00:00:00 2001 
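Review bot: several gaps in the SVG Rendering hunk, starting with a garbled normative sentence: "the consuming application SHOULD reject not render the SVG template" needs to read "SHOULD reject the SVG template and not render it" (and "Consuming application MUST preprocess" wants its article). The escape table must be checked in the source, because as it appears here each character maps to itself ("`&` as `&`", "`<` as `<`"); the intended entities are `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;`. Substitution must be single-pass: text inserted for one placeholder must not be scanned for placeholders again, otherwise a claim value containing `{{...}}` changes the template; and the text should say what is inserted when the claim value is not a string (object, array, number, `null`). Finally, "the SVG display MUST be sandboxed" is the right requirement but not testable as written; name the properties the sandbox must have, at least scripting disabled, no loading of external resources (`<image>`, `<use>`, stylesheets, fonts), which would otherwise let a metadata provider observe when and where a credential is viewed, and no `<foreignObject>`; rendering the template as an image rather than as inline SVG gives all three in browsers.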
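Review bot: the `svg_id` character rule in the Claim Metadata hunk is underspecified: "MUST consist of only alphanumeric characters and underscores and MUST NOT start with a digit" does not say whether "alphanumeric" is ASCII-only, which matters because the consuming application has to match `{{svg_id}}` in the template exactly. Suggest an ABNF such as `svg_id = (ALPHA / "_") *(ALPHA / DIGIT / "_")` with ALPHA and DIGIT from RFC 5234, plus a statement that matching is case-sensitive. Uniqueness is required "within the type metadata"; say whether that scope includes claims inherited through `extends`, whose IDs an extending type's template may also reference.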
From: Daniel Fett Date: Tue, 17 Sep 2024 20:15:55 +0200 Subject: [PATCH 20/20] Apply suggestions from Brian's code review Co-authored-by: Brian Campbell <71398439+bc-pi@users.noreply.github.com> --- draft-ietf-oauth-sd-jwt-vc.md | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 630935f..15efab1 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -794,7 +794,7 @@ The array MUST contain an object for each language that is supported by the type. The consuming application MUST use the language tag it considers most appropriate for the user. -The objects in the array MUST have the following properties: +The objects in the array have the following properties: - `lang`: A language tag as defined in Section 2 of [@!RFC5646]. This property is REQUIRED. - `name`: A human-readable name for the type, intended for end users. This @@ -815,7 +815,7 @@ the rendering method. ### Rendering Method "simple" {#rendering-method-simple} The `simple` rendering method is intended for use in applications that do not -support SVG rendering. The object MUST contain the following properties: +support SVG rendering. The object contains the following properties: - `logo`: An object containing information about the logo to be displayed for the type, as described in (#logo-metadata). This property is OPTIONAL. 
@@ -888,7 +888,8 @@ least the following characters MUST be escaped: If the `svg_id` is not present in the claim metadata, the consuming application SHOULD reject not render the SVG template. If the `svg_id` is present in the claim metadata, but the claim is not present in the credential, the placeholder -MUST be replaced with an empty string. +MUST be replaced with an empty string or a string appropriate to indicate that +the value is absent. The following non-normative example shows a minimal SVG with one placeholder using the `svg_id` value `address_street_address` which is defined in the @@ -896,7 +897,7 @@ example in (#ExampleTypeMetadata): ```svg - {{address_street_address}} + Street address: {{address_street_address}} ``` @@ -1004,7 +1005,7 @@ claim. The array MUST contain an object for each language that is supported by the type. The consuming application MUST use the language tag it considers most appropriate for the user. -The objects in the array MUST have the following properties: +The objects in the array have the following properties: - `lang`: A language tag as defined in Section 2 of [@!RFC5646]. This property is REQUIRED. - `label`: A human-readable label for the claim, intended for end users. This @@ -1476,9 +1477,7 @@ After validation, the Verifier will have the following processed SD-JWT payload ], "claims": [ { - "path": [ - "name" - ], + "path": ["name"], "display": [ { "lang": "de-DE", @@ -1494,9 +1493,7 @@ After validation, the Verifier will have the following processed SD-JWT payload "sd": "allowed" }, { - "path": [ - "address" - ], + "path": ["address"], "display": [ { "lang": "de-DE", @@ -1512,10 +1509,7 @@ After validation, the Verifier will have the following processed SD-JWT payload "sd": "always" }, { - "path": [ - "address", - "street_address" - ], + "path": ["address", "street_address"], "display": [ { "lang": "de-DE", 
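Review bot: the second hunk changes the missing-claim rule to "an empty string or a string appropriate to indicate that the value is absent" but leaves the sentence directly above it, "SHOULD reject not render the SVG template", still garbled; since this hunk already touches that paragraph, fix the wording here. The absence string is chosen by the consuming application and should go through the same escaping as claim values, which is worth stating so that implementations do not paste a raw localized placeholder into the template. The example's new literal `Street address:` label is English-only, which works only because `svg_templates` sit inside a per-`lang` display object; a sentence noting that fixed labels belong in the language-specific template would make that explicit.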
@@ -1530,10 +1524,7 @@ After validation, the Verifier will have the following processed SD-JWT payload "svg_id": "address_street_address" }, { - "path": [ - "degrees", - null - ], + "path": ["degrees", null], "display": [ { "lang": "de-DE",