Skip to content
This repository has been archived by the owner on Apr 18, 2024. It is now read-only.

Apply feedback from consensus call #31

Merged
merged 10 commits into from
Mar 4, 2024
Merged

Apply feedback from consensus call #31

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
a965200
Apply feedback from Tony Nadalin
OR13 Mar 1, 2024
a60801b
Add reference for key discovery
OR13 Mar 1, 2024
384d54b
Apply feedback from Watson Ladd
OR13 Mar 1, 2024
84203ca
Apply feedback from Michael Richardson
OR13 Mar 1, 2024
63f3b1c
Address feedback from Nick Doty
OR13 Mar 1, 2024
f9da668
Address feedback from Denis and Manu
OR13 Mar 1, 2024
ce95864
Address feedback from Christopher Allen
OR13 Mar 1, 2024
0936b61
Update charter.md
henkbirkholz Mar 4, 2024
ea6d642
Update charter.md
henkbirkholz Mar 4, 2024
358a3eb
Update charter.md
henkbirkholz Mar 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 22 additions & 15 deletions charter.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,24 +1,20 @@
## Introduction

Digital credentials are essential to identity, authorization, licenses, certificates and digitization use cases that are part of modernization efforts targeting efficiency, and transparency, such as digital licenses or certificates of origin.
Digital credentials are essential to identity, authorization, licenses, certificates, and digitization use cases that are part of modernization efforts targeting efficiency and transparency.

A digital credential expresses claims or attributes about a subject, such as their name or age, and their cryptographic keys.
Some sets of claim names have already been defined by the IETF and other standards development groups (e.g., OpenID Foundation).
Digital credentials typically involve at least three entities:
A digital credential expresses claims, assertions, or attributes about a subject, such as their name or age, and their cryptographic keys. Some sets of claim names have already been defined by the IETF and other standards development groups (e.g., OpenID Foundation).

* An "issuer", an entity (person, device, organization, or software agent) that constructs and secures digital credentials.
* A "holder", an entity (person, device, organization, or software agent) that controls the disclosure of credentials.
* A "verifier", an entity (person, device, organization, or software agent) that verifies and validates secured digital credentials.
Digital credentials typically involve at least three entities but can include more:

In some contexts, holders may be willing either to partially disclose some values of their attributes or to demonstrate some properties about their attributes without disclosing their values.
* An "issuer", an entity (person, device, organization, or software agent) that constructs and secures digital credentials.
* A "holder", an entity (person, device, organization, or software agent) that controls the disclosure of credentials.
* A "verifier", an entity (person, device, organization, or software agent) that verifies and validates secured digital credentials.

When disclosed by an entity, a proof of the digital credential needs to be provided and verified, so that only the legitimate holder of the digital credential can take advantage of its possession.
In some contexts, holders may be willing either to partially disclose some values of their attributes or to demonstrate some properties about their attributes without disclosing their values. When disclosed by an entity, a proof of the digital credential needs to be provided and verified, so that only the legitimate holder of the digital credential can take advantage of its possession.

Some holders may wish to carry more than one digital credential.
These credentials, together with associated key material, can be stored in an identity digital wallet.

The W3C has published the 'Verifiable Credentials Data Model v2.0' specification (VCDM) with data serialization in JSON-LD. In this charter, the VCDM defined concept of “verifiable credential” and “verifiable presentation” is captured using the wording "digital credential" and "digital presentation" respectively.


## Goal

Expand All @@ -32,18 +28,29 @@ The SPICE WG will profile existing IETF technologies and address residual gaps t

The SPICE WG, coordinates with RATS, OAuth, JOSE, COSE and SCITT working groups that develop documents related to the identity and credential space. The SPICE WG builds on cryptographic primitives defined in the CFRG (e.g., BBS Signatures) and does not define novel cryptographic schemes.

The SPICE WG will not develop digital credentials for any particular use case. The general purpose profiles the WG will define will enable credential issuers to more easily build on existing IETF technologies.
The SPICE WG develops digital credential profiles which can support a number of use cases.
To help guide engineering decisions, requirements for proposed standards in the program of work will be created in coordination with the working groups listed above.
The profiles developed by the SPICE WG will enable digital credentials to leverage existing IETF technologies.

Privacy by design, confidentiality, and consent will be considered, and guidance will be given for each proposed standards in the program of work.

The privacy and security considerations related to the impact of confidential computing, remote attestation, and hardware security modules (HSM) on digital credentials will be developed in coordination with relevant IETF WGs, and feedback from experts on the mailing list.

Privacy and security considerations regarding redaction, linkability and selective disclosure will be developed for proposed standards in the program of work that offer data minimization capabilities.

## Out of Scope

* General Key discovery is out of scope for this document, there are several mechanisms for distributing or discovering key material, for example https://openid.net/specs/openid-connect-discovery-1_0.html.

## Program of Work

* An informational Architecture that defines the terminology (e.g., Issuer, Holder, Verifier, Claims, Credentials, Presentations) and the essential communication patterns between roles, such as credential issuance, where an issuer delivers a credential to a holder, and presentation, where a holder delivers a presentation to a verifier.

* Proposed standard documents for digital credential profiles covering JWP and CWP (from JOSE) that enable digital credentials with unlinkability and selective disclosure. This work will include registering claims that are in the JWT and CWT registries to enable digital credentials to transition from one security format to another (i.e., JSON/CBOR).
* Proposed standard document defining SD-CWT, a profile of CWT inspired by SD-JWT (from OAuth) that enables digital credentials with unlinkability and selective disclosure.


* Proposed standard document defining SD-CWT, a profile of CWT inspired by SD-JWT (from OAuth) that enables digital credentials with unlinkability and selective disclosure.

* A proposed standard Metadata Discovery protocol using HTTPS/CoAP for CBOR-based digital credentials to enable the 3 roles (issuers, holders and verifiers) to discover supported protocols and formats for keys, claims, credential types and proofs. The design will be inspired by the OAuth "vc-jwt-issuer" metadata work (draft-ietf-oauth-sd-jwt-vc) which supports ecosystems using JSON serialization.
* A proposed standard Metadata Discovery protocol for JWT, CWT, SD-JWT, SD-CWT, CWP and JWP using HTTPS/CoAP for CBOR-based digital credentials to enable the 3 roles (issuers, holders and verifiers) to discover supported capabilities, protocols and formats for keys, claims, credential types and proofs. The design will be inspired by the OAuth "vc-jwt-issuer" metadata work (draft-ietf-oauth-sd-jwt-vc) which supports ecosystems using JSON serialization.

## Milestones

Expand Down