add Oliver's processor usage text as a starting point
Co-authored-by: Oliver Terbu <oliver.terbu@mattr.global>
Sakurann and awoie authored Jan 28, 2025
1 parent 6a3f16b commit 5266cf8
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion openid4vc-high-assurance-interoperability-profile-1_0.md
Expand Up @@ -272,7 +272,15 @@ For backward compatibility with JWT processors, the following registered JWT cla
IETF SD-JWT VC is extended with the following claims:

* `vcdm`: OPTIONAL. Contains properties defined in [@!W3C.VCDM1.1] or [@!W3C.VCDM2.0] that are not represented by their counterpart JWT Claims as defined above.

The following outlines a suggested non-normative processing model for SD-JWT VCDM:

1. SD-JWT VC Processing:
- A receiver (holder or verifier) of an SD-JWT VCDM applies the processing rules outlined in SD-JWT VC Section 4 of [@!I-D.ietf-oauth-sd-jwt-vc], including verifying signatures, validity periods, status information etc.
- If the `vct` value is associated with any SD-JWT VC Type Metadata, schema validation of the entire SD-JWT VCDM is performed, including the nested `vcdm` claim.
- Additionally, trust framework rules are applied, such as ensuring the issuer is authorized to issue SD-JWT VCDMs for the specified `vct` value.
2. Business Logic Processing:
- Once the SD-JWT VC is verified and trusted by the SD-JWT VC processor, and if the `vcdm` claim is present, the receiver extracts the VCDM (1.1 or 2.0) object from the `vcdm` claim and uses this for the business logic object. If the `vcdm` claim is not present, the entire SD-JWT VC is considered to represent the business logic object.
- The business logic object is then passed on for further use case-specific processing and validation. The business logic assumes that all security-critical functions (e.g., signature verification, trusted issuer) have already been performed during the previous step. Additional schema validation is applied if provided in the `vcdm` claim, e.g., to support SHACL schemas. Note that while a `vct` claim is required, SD-JWT VC type metadata resolution and related schema validation is optional in certain cases.
The following is a non-normative example of an unsecured payload of an SD-JWT VCDM, that is built using the example of unsecured payload in Section 3.3 of [@!I-D.ietf-oauth-sd-jwt-vc]:

```json
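Review bot: the paragraph "The following is a non-normative example of an unsecured payload of an SD-JWT VCDM..." follows the last sub-bullet of step 2 with no blank line in between, so Markdown will render it as a lazy continuation of that bullet rather than as a new paragraph; insert a blank line after the "The business logic object is then passed on..." bullet. Two smaller points in the same hunk: the sentence "Note that while a `vct` claim is required, SD-JWT VC type metadata resolution and related schema validation is optional in certain cases" describes step 1 (SD-JWT VC Processing, where Type Metadata schema validation is performed) but sits at the end of step 2, so it would read more clearly as a note under step 1; and since step 2 states that business logic "assumes that all security-critical functions ... have already been performed during the previous step", step 1 should say explicitly that processing stops and the credential is rejected if any of those checks (signature, validity period, status, schema, trust framework) fails, so that an object never reaches the business logic unverified.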

0 comments on commit 5266cf8
