From e3dd100922bac224122c729abcf6a1e893cc78b7 Mon Sep 17 00:00:00 2001 From: Sozai83 Date: Thu, 1 May 2025 17:55:39 +1000 Subject: [PATCH 1/6] added credentail formats article --- SUMMARY.md | 3 +- .../README.md} | 0 .../credential-service/credential-formats.md | 117 ++++++++++++++++++ 3 files changed, 119 insertions(+), 1 deletion(-) rename platform/{credential-service.md => credential-service/README.md} (100%) create mode 100644 platform/credential-service/credential-formats.md diff --git a/SUMMARY.md b/SUMMARY.md index 05785086..93aff562 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -20,7 +20,8 @@ * [Secure Value Exchange](platform/README.md) * [Authorisation, Tenant & Organisation Manager (ATOM)](platform/atom.md) -* [Credential Service](platform/credential-service.md) +* [Credential Service](platform/credential-service/README.md) + * [Credential Formats](platform/credential-service/credential-formats.md) * [Decentralised Identifiers (DIDs)](platform/did.md) * [Keys](platform/keys.md) * [Tenants, Organisations, and End-Users](platform/tenants-organisations-and-end-users.md) diff --git a/platform/credential-service.md b/platform/credential-service/README.md similarity index 100% rename from platform/credential-service.md rename to platform/credential-service/README.md diff --git a/platform/credential-service/credential-formats.md b/platform/credential-service/credential-formats.md new file mode 100644 index 00000000..8fbaf1b6 --- /dev/null +++ b/platform/credential-service/credential-formats.md 
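Review bot: the nested `* [Credential Formats]` entry added to SUMMARY.md in this hunk is indented with two spaces, and PATCH 4/6 later in this series reindents the same line to four; fold that reindent into this commit so the sidebar nesting renders correctly from the first commit rather than after a follow-up.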
@@ -0,0 +1,117 @@ +# Verifiable Credentials + +Verifiable credentials (VCs) are digital credentials that use cryptographic methods to prove authenticity and integrity. Different formats for verifiable credentials exist to meet varying needs for security, privacy, interoperability, and implementation contexts: + +1. Security and Cryptographic Methods: Different formats support various cryptographic methods, like JSON Web Tokens (JWT) for compact encoding and Linked Data Proofs (LDP) for integrity through digital signatures. +2. Privacy Requirements: Privacy-focused formats, such as SD-JWT, enable selective disclosure, allowing users to share only specific information without revealing all credential data. +3. Ecosystem Compatibility: Some formats, like JWT, are designed to integrate smoothly with existing systems (e.g., OAuth2, OpenID Connect), while others like DIDs support decentralised ecosystems. +4. International and Legal Standards: Formats like the ISO/IEC 18013-5 (for mobile driver’s licenses) and X.509 certificates are used in regulatory contexts, ensuring that credentials meet specific industry standards. +These variations help verifiable credentials serve diverse applications - from decentralised identity verification to government-issued credentials. + +## Formats Summarised +### Data (Serialisation) Formats +#### JSON +JavaScript Object Notation (JSON) is a text-based format used for the serialisation of structured data as defined in [RFC8259]. It is human-readable and represents data as key-value pairs, utilising JavaScript's object literal syntax. + +#### JSON-LD +JSON-LD is a lightweight Linked Data format built on the JSON specification, defned by W3C. It is a machine-readable format that enables applications to start with a single piece of Linked Data and follow embedded links to access related data hosted across different sites on the Web. 
+ +#### CBOR +CBOR (Concise Binary Object Representation) [RFC8949] is a compact, binary data serialisation format optimised for extremely small code size, efficient message size, and extensibility without requiring version negotiation. + +### Credential Formats +#### JSON Web Token (JWT) +JWT [RFC7519] is for encoding verifiable credentials in a compact, URL-safe way. The claims in a JWT are encoded as a JSON object, which can be included as the payload of a JSON Web Signature (JWS) to provide digital signing or integrity protection, or as the plaintext of a JSON Web Encryption (JWE) to ensure confidentiality through encryption. + +#### Verifiable Credentials using JWTs (JWT-VC) +JWT VCs are often issued with a digital signature (JWS) for verification. They are popular in ecosystems using OAuth2 or OpenID Connect. It provides a structure for encoding credentials and can be used with a variety of cryptographic methods. + +Credential format identifiers: +* `jwt_vc_json` +* `jwt_vc_json-ld` + +#### Selective Disclosure for JWTs (SD-JWT) +Selective Disclosure (SD-JWT) format is an extension of JSON Web Tokens (JWT) that enables users to selectively disclose specific claims within a credential, revealing only the necessary information while keeping other details private. This format enhances privacy in credential sharing by allowing holders to disclose minimal, relevant data in a secure and verifiable way. + +Credential format identifiers: +* `vc+sd-jwt` +* `vcdm+sd-jwt` + +#### Verifiable Credentials using LDP (LDP-VC) +A Linked Data Proof Verifiable Credential (LDP-VC) is a format for expressing verifiable credentials using Linked Data Proofs as the signature mechanism. The credentials are structured as JSON-LD documents, with claims about a subject signed using cryptographic signature suites. This format supports selective disclosure with one of the following algorisms: BBS, CL-Signatures (CL) or Short Randomizable Signatures (ps-sig). 
+ +Credential format identifiers: +* `ldp_vc` + +#### Mobile Document (mdoc) +A Mobile Document (mdoc) is a digitally signed, standardised electronic document. It uses the CBOR formatting defined in [RFC 8949]. CBOR uses binary encoding which features a small footprint (especially compared to JSON) and is, therefore, ideal for bandwidth constrained environments. Similar to other formats it can be used for both online and proximity use cases, although it is a better fit for the latter. These documents are designed to securely replace physical credentials including, but not limited to IDs, driving licences, passports, or medical records. + +##### Mobile Driver’s Licences (mDLs) +Mobile Driver’s Licences (mDLs) are a type of mdoc. SVX supports the issuance of mDL (and other document types) through OpenID 4 Verifiable Credential Issuance (OID4VCI). + +SVX now supports ISO/IEC TS 18013-7 using OpenID 4 Verifiable presentation (OID4VP), which enables the presentation of mdocs to a reader (verifier) over the internet. + +Credential format identifiers: +* `mso_mdoc` + +#### X.509 Certificates +Traditional digital certificates that can be adapted for use as verifiable credentials. X.509 certificates are commonly used in public-key infrastructure (PKI) systems and can work with verifiable credentials by incorporating the VC Data Model. + +#### Open Badges +Open Badges is a format for digital badges, designed to represent and share achievements or credentials. Open Badges can be made cryptographically verifiable, and its core vocabulary allows issuers to express claims in a structured JSON-LD format. + +## Comparative Matrix +This matrix compares key features the different credential formats offer. 
+| | jwt_vc_json | vc+sd-jwt | jwt_vc_json-ld | vcdm+sd-jwt | ldp_vc | mso_mdoc | +|----------------------------|:----------------:|:------------------------:|:----------------------------------------:|:----------------------------------------:|:----------------------------------------:|:---------------------------------------------------------------:| +| **Platform Supported** | Supported [VCDM] | Supported [SD-JWT-VC] v3 | Not supported To consider in the future. | Not supported To consider in the future. | Not supported To consider in the future. | Online: Supported Offline: Supported via third party technology | +| Credential Format | JWT-VC | SD-JWT-VC | JWT-VC | SD-JWT-VC | LDP-VC | CBOR | +| Data Format | JSON | JSON | JSON-LD | JSON | JSON-LD | CBOR | +| Encoding | Base64 | | | | | Binary | +| Selective Disclosure (Y/N) | N | Y | N | Y | Y | Y | +| SDO | W3C | IETF | W3C | W3C | W3C | ISO/IEC 18013-5 | +| Best Use Case | Online use cases | | | | | Bandwidth constrained environments | + +## Additional Information +### Privacy-Enhancing Cryptographic Methods for Verifiable Credentials +#### BBS Signatures +Allows the holder to selectively disclose parts of the credential without revealing all information. This cryptographic method is commonly used in privacy-focused applications. + +#### Zero-Knowledge Proofs (ZKPs) +Enable proving certain attributes of a credential without disclosing the actual data (e.g., proving age without revealing birthdate). + +### Holder Binding +#### Decentralized Identifier (DID) Authenticated Credentials +This format combines verifiable credentials with decentralized identifiers (DIDs) to verify identity without relying on centralized authorities. The VC Data Model supports DID-based VCs. + +#### Proof-of-Possession Key Semantics for JWT +By including the cnf (confirmation) claim in a JWT, the issuer binds the credential to the holder using cryptographic key binding. 
The verifier can then confirm possession of the key using the method specified in [RFC7800]. + +## References +[RFC7519](https://datatracker.ietf.org/doc/html/rfc7519) Jones, M., Bradley, J., Sakimura, N., “JSON Web Token (JWT)”, May 2015, RFC 7519: JSON Web Token (JWT). + +[RFC7800](https://www.rfc-editor.org/rfc/rfc7800.html) Jones, M., Bradley, J., Tschofenig, H., “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)”, April 2016,Information on RFC 7800 » RFC Editor. + +[RFC8259](https://datatracker.ietf.org/doc/html/rfc8259) Bray, Ed., T., “The JavaScript Object Notation (JSON) Data Interchange Format”, December 2017, RFC 8259: The JavaScript Object Notation (JSON) Data Interchange Format. + +[RFC8949](https://www.rfc-editor.org/rfc/rfc8949.html) C. Bormann, P. Hoffman, “Concise Binary Object Representation (CBOR)”, December 2020, RFC 8949: Concise Binary Object Representation (CBOR). + +[ISO.18013-5](https://www.iso.org/standard/69084.html) ISO/IEC JTC 1/SC 17 Cards and security devices for personal identification, "ISO/IEC 18013-5:2021 Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application", 2021, ISO/IEC 18013-5:2021 . + +[JSON-LD](https://www.w3.org/TR/json-ld11/) Kellogg, G., Sporny, M., Longley, D., Lanthaler, M., Champin, P., and N. Lindström, "JSON-LD 1.1: A JSON-based Serialization for Linked Data.", 16 July 2020, JSON-LD 1.1 . + +[OPEN BADGES](https://openbadges.org/) Home | IMS Open Badges. + +[SD JWT](https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-14.html) Terbu, O., Fett, D., and B. Campbell, "SD-JWT-based Verifiable Credentials (SD-JWT VC)", Work in Progress, Internet-Draft, draft-ietf-oauth-sd-jwt-vc-18, 15 November 2024, +Selective Disclosure for JWTs (SD-JWT) . + +[SD-JWT-VC](https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html) Terbu, O., Fett, D., and B. 
Campbell, "SD-JWT-based Verifiable Credentials (SD-JWT VC)", Work in Progress, Internet-Draft, draft-ietf-oauth-sd-jwt-vc-08, 3 December 2024, +SD-JWT-based Verifiable Credentials (SD-JWT VC) . + +[SD-JWT-VC-DM](https://github.com/danielfett/sd-jwt-vc-dm) Fett, D., “SD-JWT VC DM Credential Format”, GitHub - danielfett/sd-jwt-vc-dm: SD-JWT VC Data Model is a credential format that combines the best of both worlds from SD-JWT VC and W3C VCDM . + +[VC JOSE COSE](https://www.w3.org/TR/vc-jose-cose/) Jones, M., Prorock, M., Cohen, G., “Securing Verifiable Credentials using JOSE and COSE”, 20 March 2025, Securing Verifiable Credentials using JOSE and COSE . + +[VC DATA](https://www.w3.org/TR/vc-data-model/) Sporny, M., Noble, G., Longley, D., Burnett, D. C., Zundel, B., and K. D. Hartog, "Verifiable Credentials Data Model 1.1", 3 March 2022, Verifiable Credentials Data Model v1.1 . + +[VC DATA 2.0](https://www.w3.org/TR/vc-data-model-2.0/) Sporny, M., Jr, T. T., Herman, I., Jones, M. B., and G. Cohen, "Verifiable Credentials Data Model 2.0", 27 December 2023, Verifiable Credentials Data Model v2.0 . \ No newline at end of file From 847c00acd1ab8c315085e19819e0518539d48b0f Mon Sep 17 00:00:00 2001 From: Sozai83 Date: Fri, 2 May 2025 09:00:42 +1000 Subject: [PATCH 2/6] added reference links and modify format matrix table --- .../credential-service/credential-formats.md | 39 +++++++++---------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/platform/credential-service/credential-formats.md b/platform/credential-service/credential-formats.md index 8fbaf1b6..f85c6598 100644 --- a/platform/credential-service/credential-formats.md +++ b/platform/credential-service/credential-formats.md 
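Review bot: in the new credential-formats.md the Comparative Matrix's `SDO` row gives `ISO/IEC 18013-5` for `mso_mdoc`, which is a standard rather than a standards body; the reference list itself names the body (ISO/IEC JTC 1/SC 17), so put that in the `SDO` row and move `18013-5` into the `Credential Format` row, whose current value `CBOR` only repeats the `Data Format` row (mdoc/MSO is the credential format, CBOR is its serialisation). The same `SDO` row attributes `vcdm+sd-jwt` to W3C, but the only source cited for it ([SD-JWT-VC-DM]) is a personal GitHub repository; either cite a W3C or IETF document or mark the cell as a non-SDO draft. In the reference list the [SD JWT] entry links to draft-ietf-oauth-selective-disclosure-jwt-14 but carries the title, authors and draft number of the SD-JWT VC entry ("SD-JWT-based Verifiable Credentials (SD-JWT VC)", draft-ietf-oauth-sd-jwt-vc-18, 15 November 2024), and that "-18" contradicts the "-08, 3 December 2024" cited immediately below it; give the entry its own title and author list, and have the matrix's "Supported [SD-JWT-VC] v3" name the exact draft the platform implements, because format identifiers and claim names can change between drafts. Smaller points: "defned" and "algorisms" are typos, "Bray, Ed., T." should read "Bray, T., Ed.", and `Encoding: Base64` for `jwt_vc_json` should be base64url (what the JWS compact serialisation uses), a distinction that matters for parsers.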
@@ -1,4 +1,4 @@ -# Verifiable Credentials +# Credential Formats Verifiable credentials (VCs) are digital credentials that use cryptographic methods to prove authenticity and integrity. Different formats for verifiable credentials exist to meet varying needs for security, privacy, interoperability, and implementation contexts: 
@@ -11,17 +11,17 @@ These variations help verifiable credentials serve diverse applications - from d ## Formats Summarised ### Data (Serialisation) Formats #### JSON -JavaScript Object Notation (JSON) is a text-based format used for the serialisation of structured data as defined in [RFC8259]. It is human-readable and represents data as key-value pairs, utilising JavaScript's object literal syntax. +JavaScript Object Notation (JSON) is a text-based format used for the serialisation of structured data as defined in [RFC8259](https://datatracker.ietf.org/doc/html/rfc8259). It is human-readable and represents data as key-value pairs, utilising JavaScript's object literal syntax. #### JSON-LD JSON-LD is a lightweight Linked Data format built on the JSON specification, defned by W3C. It is a machine-readable format that enables applications to start with a single piece of Linked Data and follow embedded links to access related data hosted across different sites on the Web. #### CBOR -CBOR (Concise Binary Object Representation) [RFC8949] is a compact, binary data serialisation format optimised for extremely small code size, efficient message size, and extensibility without requiring version negotiation. +CBOR (Concise Binary Object Representation) [RFC8949](https://www.rfc-editor.org/rfc/rfc8949.html) is a compact, binary data serialisation format optimised for extremely small code size, efficient message size, and extensibility without requiring version negotiation. ### Credential Formats #### JSON Web Token (JWT) -JWT [RFC7519] is for encoding verifiable credentials in a compact, URL-safe way. The claims in a JWT are encoded as a JSON object, which can be included as the payload of a JSON Web Signature (JWS) to provide digital signing or integrity protection, or as the plaintext of a JSON Web Encryption (JWE) to ensure confidentiality through encryption. 
+JWT [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519) is for encoding verifiable credentials in a compact, URL-safe way. The claims in a JWT are encoded as a JSON object, which can be included as the payload of a JSON Web Signature (JWS) to provide digital signing or integrity protection, or as the plaintext of a JSON Web Encryption (JWE) to ensure confidentiality through encryption. #### Verifiable Credentials using JWTs (JWT-VC) JWT VCs are often issued with a digital signature (JWS) for verification. They are popular in ecosystems using OAuth2 or OpenID Connect. It provides a structure for encoding credentials and can be used with a variety of cryptographic methods. 
@@ -44,12 +44,11 @@ Credential format identifiers: * `ldp_vc` #### Mobile Document (mdoc) -A Mobile Document (mdoc) is a digitally signed, standardised electronic document. It uses the CBOR formatting defined in [RFC 8949]. CBOR uses binary encoding which features a small footprint (especially compared to JSON) and is, therefore, ideal for bandwidth constrained environments. Similar to other formats it can be used for both online and proximity use cases, although it is a better fit for the latter. These documents are designed to securely replace physical credentials including, but not limited to IDs, driving licences, passports, or medical records. +A Mobile Document (mdoc) is a digitally signed, standardised electronic document. It uses the CBOR formatting defined in [RFC 8949](https://www.rfc-editor.org/rfc/rfc8949.html). CBOR uses binary encoding which features a small footprint (especially compared to JSON) and is, therefore, ideal for bandwidth constrained environments. Similar to other formats it can be used for both online and proximity use cases, although it is a better fit for the latter. These documents are designed to securely replace physical credentials including, but not limited to IDs, driving licences, passports, or medical records. ##### Mobile Driver’s Licences (mDLs) -Mobile Driver’s Licences (mDLs) are a type of mdoc. SVX supports the issuance of mDL (and other document types) through OpenID 4 Verifiable Credential Issuance (OID4VCI). - -SVX now supports ISO/IEC TS 18013-7 using OpenID 4 Verifiable presentation (OID4VP), which enables the presentation of mdocs to a reader (verifier) over the internet. +Mobile Driver’s Licences (mDLs) are a type of mdoc. +Our platform supports the issuance of mDL (and other document types) through OpenID 4 Verifiable Credential Issuance (OID4VCI). We also support ISO/IEC TS 18013-7 using OpenID 4 Verifiable presentation (OID4VP), which enables the presentation of mdocs to a reader (verifier) over the internet. 
Credential format identifiers: * `mso_mdoc` 
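Review bot: the rewritten mDL paragraph in this hunk cites ISO/IEC TS 18013-7 for presenting mdocs over the internet, but the reference list only has an entry for ISO/IEC 18013-5; add an entry for 18013-7 and link the mention the way the other citations in this commit were linked, so the OID4VP claim is traceable. Also capitalise "OpenID 4 Verifiable presentation" consistently with "OpenID 4 Verifiable Credential Issuance" in the preceding sentence.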
@@ -64,13 +63,13 @@ Open Badges is a format for digital badges, designed to represent and share achi This matrix compares key features the different credential formats offer. | | jwt_vc_json | vc+sd-jwt | jwt_vc_json-ld | vcdm+sd-jwt | ldp_vc | mso_mdoc | |----------------------------|:----------------:|:------------------------:|:----------------------------------------:|:----------------------------------------:|:----------------------------------------:|:---------------------------------------------------------------:| -| **Platform Supported** | Supported [VCDM] | Supported [SD-JWT-VC] v3 | Not supported To consider in the future. | Not supported To consider in the future. | Not supported To consider in the future. | Online: Supported Offline: Supported via third party technology | -| Credential Format | JWT-VC | SD-JWT-VC | JWT-VC | SD-JWT-VC | LDP-VC | CBOR | -| Data Format | JSON | JSON | JSON-LD | JSON | JSON-LD | CBOR | -| Encoding | Base64 | | | | | Binary | -| Selective Disclosure (Y/N) | N | Y | N | Y | Y | Y | -| SDO | W3C | IETF | W3C | W3C | W3C | ISO/IEC 18013-5 | -| Best Use Case | Online use cases | | | | | Bandwidth constrained environments | +| **Platform Supported** | Supported [VC DATA](https://www.w3.org/TR/vc-data-model/) | Supported [SD-JWT-VC v3](https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-03.html) | Not supported To consider in the future. | Not supported To consider in the future. | Not supported To consider in the future. 
| Online: Supported Offline: Supported via third party technology | +| Credential Format | JWT-VC | SD-JWT | JWT-VC | SD-JWT | LDP-VC | CBOR | +| Data Format | JSON | JSON | JSON-LD | JSON | JSON-LD | CBOR | +| Encoding | Base64 | Base64 | Base64 | Base64 | Base64 | Binary | +| Selective Disclosure (Y/N) | N | Y | N | Y | Y | Y | +| SDO | W3C | IETF | W3C | W3C | W3C | ISO/IEC 18013-5 | +| Best Use Case | Online use cases | Online use cases | Online use cases | Online use cases | Online use cases | Bandwidth constrained environments | ## Additional Information ### Privacy-Enhancing Cryptographic Methods for Verifiable Credentials @@ -85,7 +84,7 @@ Enable proving certain attributes of a credential without disclosing the actual This format combines verifiable credentials with decentralized identifiers (DIDs) to verify identity without relying on centralized authorities. The VC Data Model supports DID-based VCs. #### Proof-of-Possession Key Semantics for JWT -By including the cnf (confirmation) claim in a JWT, the issuer binds the credential to the holder using cryptographic key binding. The verifier can then confirm possession of the key using the method specified in [RFC7800]. +By including the cnf (confirmation) claim in a JWT, the issuer binds the credential to the holder using cryptographic key binding. The verifier can then confirm possession of the key using the method specified in [RFC7800](https://www.rfc-editor.org/rfc/rfc7800.html). ## References [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519) Jones, M., Bradley, J., Sakimura, N., “JSON Web Token (JWT)”, May 2015, RFC 7519: JSON Web Token (JWT). 
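Review bot: in the matrix hunk the `Encoding` row now says `Base64` for `ldp_vc` as well, which is wrong: an LDP-VC is a plain JSON-LD document with an embedded proof, so only the proof value is encoded, not the credential itself; and for the four JWT-based columns the row should say base64url rather than Base64, since that is what the JWS compact serialisation uses. The `Credential Format` row has also been changed from `SD-JWT-VC` to `SD-JWT` for `vc+sd-jwt` and `vcdm+sd-jwt`; `vc+sd-jwt` is the SD-JWT VC profile's identifier, so the previous value was the more precise one. Finally, the `Platform Supported` cell now links draft-ietf-oauth-sd-jwt-vc-03 while the reference list below cites -08; state which draft the platform actually implements.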
@@ -100,7 +99,7 @@ By including the cnf (confirmation) claim in a JWT, the issuer binds the credent [JSON-LD](https://www.w3.org/TR/json-ld11/) Kellogg, G., Sporny, M., Longley, D., Lanthaler, M., Champin, P., and N. Lindström, "JSON-LD 1.1: A JSON-based Serialization for Linked Data.", 16 July 2020, JSON-LD 1.1 . -[OPEN BADGES](https://openbadges.org/) Home | IMS Open Badges. +[VC DATA](https://www.w3.org/TR/vc-data-model/) Sporny, M., Noble, G., Longley, D., Burnett, D. C., Zundel, B., and K. D. Hartog, "Verifiable Credentials Data Model 1.1", 3 March 2022, Verifiable Credentials Data Model v1.1 . [SD JWT](https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-14.html) Terbu, O., Fett, D., and B. Campbell, "SD-JWT-based Verifiable Credentials (SD-JWT VC)", Work in Progress, Internet-Draft, draft-ietf-oauth-sd-jwt-vc-18, 15 November 2024, Selective Disclosure for JWTs (SD-JWT) . 
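Review bot: the reordering in this hunk leaves the [SD JWT] entry untouched in its context lines, and that entry still carries the SD-JWT VC title, authors and "draft-ietf-oauth-sd-jwt-vc-18" while its URL points at draft-ietf-oauth-selective-disclosure-jwt-14; since this commit already edits the reference list, correct that entry here instead of leaving it for another pass.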
@@ -108,10 +107,10 @@ Selective Disclosure for JWTs (SD-JWT) . [SD-JWT-VC](https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html) Terbu, O., Fett, D., and B. Campbell, "SD-JWT-based Verifiable Credentials (SD-JWT VC)", Work in Progress, Internet-Draft, draft-ietf-oauth-sd-jwt-vc-08, 3 December 2024, SD-JWT-based Verifiable Credentials (SD-JWT VC) . -[SD-JWT-VC-DM](https://github.com/danielfett/sd-jwt-vc-dm) Fett, D., “SD-JWT VC DM Credential Format”, GitHub - danielfett/sd-jwt-vc-dm: SD-JWT VC Data Model is a credential format that combines the best of both worlds from SD-JWT VC and W3C VCDM . +[VC DATA 2.0](https://www.w3.org/TR/vc-data-model-2.0/) Sporny, M., Jr, T. T., Herman, I., Jones, M. B., and G. Cohen, "Verifiable Credentials Data Model 2.0", 27 December 2023, Verifiable Credentials Data Model v2.0 . [VC JOSE COSE](https://www.w3.org/TR/vc-jose-cose/) Jones, M., Prorock, M., Cohen, G., “Securing Verifiable Credentials using JOSE and COSE”, 20 March 2025, Securing Verifiable Credentials using JOSE and COSE . -[VC DATA](https://www.w3.org/TR/vc-data-model/) Sporny, M., Noble, G., Longley, D., Burnett, D. C., Zundel, B., and K. D. Hartog, "Verifiable Credentials Data Model 1.1", 3 March 2022, Verifiable Credentials Data Model v1.1 . +[SD-JWT-VC-DM](https://github.com/danielfett/sd-jwt-vc-dm) Fett, D., “SD-JWT VC DM Credential Format”, GitHub - danielfett/sd-jwt-vc-dm: SD-JWT VC Data Model is a credential format that combines the best of both worlds from SD-JWT VC and W3C VCDM . -[VC DATA 2.0](https://www.w3.org/TR/vc-data-model-2.0/) Sporny, M., Jr, T. T., Herman, I., Jones, M. B., and G. Cohen, "Verifiable Credentials Data Model 2.0", 27 December 2023, Verifiable Credentials Data Model v2.0 . \ No newline at end of file +[OPEN BADGES](https://openbadges.org/) Home | IMS Open Badges. \ No newline at end of file From 64740bbab8687af81fa09831dbee5aa81913b104 Mon Sep 17 00:00:00 2001 
From: YVLopez <103016720+YVLopez@users.noreply.github.com> Date: Thu, 15 May 2025 14:34:48 +0930 Subject: [PATCH 3/6] Update credential-formats.md Minor formatting and grammatical edits. --- .../credential-service/credential-formats.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/platform/credential-service/credential-formats.md b/platform/credential-service/credential-formats.md index f85c6598..652334c3 100644 --- a/platform/credential-service/credential-formats.md +++ b/platform/credential-service/credential-formats.md 
@@ -2,10 +2,10 @@ Verifiable credentials (VCs) are digital credentials that use cryptographic methods to prove authenticity and integrity. Different formats for verifiable credentials exist to meet varying needs for security, privacy, interoperability, and implementation contexts: -1. Security and Cryptographic Methods: Different formats support various cryptographic methods, like JSON Web Tokens (JWT) for compact encoding and Linked Data Proofs (LDP) for integrity through digital signatures. -2. Privacy Requirements: Privacy-focused formats, such as SD-JWT, enable selective disclosure, allowing users to share only specific information without revealing all credential data. -3. Ecosystem Compatibility: Some formats, like JWT, are designed to integrate smoothly with existing systems (e.g., OAuth2, OpenID Connect), while others like DIDs support decentralised ecosystems. -4. International and Legal Standards: Formats like the ISO/IEC 18013-5 (for mobile driver’s licenses) and X.509 certificates are used in regulatory contexts, ensuring that credentials meet specific industry standards. +1. **Security and Cryptographic Methods**: Different formats support various cryptographic methods, such as JSON Web Tokens (JWT) for compact encoding and Linked Data Proofs (LDP) for integrity through digital signatures. +2. **Privacy Requirements**: Privacy-focused formats, such as SD-JWT, enable selective disclosure, allowing users to share only specific information without revealing all credential data. +3. **Ecosystem Compatibility**: Some formats, like JWT, are designed to integrate smoothly with existing systems (e.g., OAuth2, OpenID Connect), while others like DIDs support decentralised ecosystems. +4. **International and Legal Standards**: Formats such as the ISO/IEC 18013-5 (for mobile driver’s licenses) and X.509 certificates are used in regulatory contexts, ensuring that credentials meet specific industry standards. 
These variations help verifiable credentials serve diverse applications - from decentralised identity verification to government-issued credentials. ## Formats Summarised @@ -14,7 +14,7 @@ These variations help verifiable credentials serve diverse applications - from d JavaScript Object Notation (JSON) is a text-based format used for the serialisation of structured data as defined in [RFC8259](https://datatracker.ietf.org/doc/html/rfc8259). It is human-readable and represents data as key-value pairs, utilising JavaScript's object literal syntax. #### JSON-LD -JSON-LD is a lightweight Linked Data format built on the JSON specification, defned by W3C. It is a machine-readable format that enables applications to start with a single piece of Linked Data and follow embedded links to access related data hosted across different sites on the Web. +JSON-LD is a lightweight Linked Data format built on the JSON specification, defined by W3C. It is a machine-readable format that enables applications to start with a single piece of Linked Data and follow embedded links to access related data hosted across different sites on the Web. #### CBOR CBOR (Concise Binary Object Representation) [RFC8949](https://www.rfc-editor.org/rfc/rfc8949.html) is a compact, binary data serialisation format optimised for extremely small code size, efficient message size, and extensibility without requiring version negotiation. 
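Review bot: the reworded list in the @@ -2,10 hunk keeps two inaccuracies worth fixing in the same pass: item 1 contrasts JWT "for compact encoding" with LDP "for integrity through digital signatures", but a JWT-VC is also integrity-protected by a digital signature (the JWS), so the real distinction is an enveloping signature (JWS) versus a proof embedded in the JSON-LD document; and item 3 lists DIDs alongside JWT as if a DID were a credential format, whereas a DID is an identifier for the issuer or subject that any of these formats can carry. Suggest "...while formats that identify issuers and holders by DIDs support decentralised ecosystems".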
@@ -63,13 +63,13 @@ Open Badges is a format for digital badges, designed to represent and share achi This matrix compares key features the different credential formats offer. | | jwt_vc_json | vc+sd-jwt | jwt_vc_json-ld | vcdm+sd-jwt | ldp_vc | mso_mdoc | |----------------------------|:----------------:|:------------------------:|:----------------------------------------:|:----------------------------------------:|:----------------------------------------:|:---------------------------------------------------------------:| -| **Platform Supported** | Supported [VC DATA](https://www.w3.org/TR/vc-data-model/) | Supported [SD-JWT-VC v3](https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-03.html) | Not supported To consider in the future. | Not supported To consider in the future. | Not supported To consider in the future. | Online: Supported Offline: Supported via third party technology | +| **Platform Supported** | Supported [VC DATA](https://www.w3.org/TR/vc-data-model/) | Supported [SD-JWT-VC v3](https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-03.html) | Not supported To consider in the future. | Not supported. To consider in the future. | Not supported. To consider in the future. 
| Online: Supported Offline: Supported via third party technology | | Credential Format | JWT-VC | SD-JWT | JWT-VC | SD-JWT | LDP-VC | CBOR | | Data Format | JSON | JSON | JSON-LD | JSON | JSON-LD | CBOR | | Encoding | Base64 | Base64 | Base64 | Base64 | Base64 | Binary | | Selective Disclosure (Y/N) | N | Y | N | Y | Y | Y | | SDO | W3C | IETF | W3C | W3C | W3C | ISO/IEC 18013-5 | -| Best Use Case | Online use cases | Online use cases | Online use cases | Online use cases | Online use cases | Bandwidth constrained environments | +| Suitable Use Cases | Online use cases | Online use cases | Online use cases | Online use cases | Online use cases | Bandwidth constrained environments | ## Additional Information ### Privacy-Enhancing Cryptographic Methods for Verifiable Credentials @@ -113,4 +113,4 @@ SD-JWT-based Verifiable Credentials (SD-JWT VC) . [SD-JWT-VC-DM](https://github.com/danielfett/sd-jwt-vc-dm) Fett, D., “SD-JWT VC DM Credential Format”, GitHub - danielfett/sd-jwt-vc-dm: SD-JWT VC Data Model is a credential format that combines the best of both worlds from SD-JWT VC and W3C VCDM . -[OPEN BADGES](https://openbadges.org/) Home | IMS Open Badges. \ No newline at end of file +[OPEN BADGES](https://openbadges.org/) Home | IMS Open Badges. From fa1b5a7f2146f9b4bb3ed3639b218ea657664604 Mon Sep 17 00:00:00 2001 From: YVLopez <103016720+YVLopez@users.noreply.github.com> Date: Thu, 15 May 2025 14:41:16 +0930 Subject: [PATCH 4/6] Update SUMMARY.md Updating nested page. --- SUMMARY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SUMMARY.md b/SUMMARY.md index 93aff562..add97390 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
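Review bot: in the matrix hunk the renamed `Suitable Use Cases` row still gives `Online use cases` for every JSON-based column and only `Bandwidth constrained environments` for `mso_mdoc`, which disagrees with the mdoc section of the same file ("can be used for both online and proximity use cases, although it is a better fit for the latter") and with the `Platform Supported` cell directly above it ("Online: Supported Offline: Supported via third party technology"); say "Proximity/offline and online" for `mso_mdoc` so the rows agree. The `Platform Supported` row also mixes punctuation: the third column still reads "Not supported To consider in the future." while the hunk adds the full stop only to the fourth and fifth columns.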
@@ -21,7 +21,7 @@ * [Secure Value Exchange](platform/README.md) * [Authorisation, Tenant & Organisation Manager (ATOM)](platform/atom.md) * [Credential Service](platform/credential-service/README.md) - * [Credential Formats](platform/credential-service/credential-formats.md) + * [Credential Formats](platform/credential-service/credential-formats.md) * [Decentralised Identifiers (DIDs)](platform/did.md) * [Keys](platform/keys.md) * [Tenants, Organisations, and End-Users](platform/tenants-organisations-and-end-users.md) From d83e1ccff8f24edebbeb20358c6545d57fa08981 Mon Sep 17 00:00:00 2001 From: Jan Vereecken Date: Sat, 17 May 2025 10:07:02 +0200 Subject: [PATCH 5/6] Move new page under concepts --- SUMMARY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SUMMARY.md b/SUMMARY.md index add97390..4e208ab1 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -14,6 +14,7 @@ * [Selective Disclosure / ZKP](concepts/selective-disclosure.md) * [Tokens and Tokenisation](concepts/tokens-and-tokenisation.md) * [Verifiable Credentials](concepts/verifiable-credentials.md) +* [Credential Formats](platform/credential-service/credential-formats.md) * [Terminology](concepts/terminology.md) ## Platform @@ -21,7 +22,6 @@ * [Secure Value Exchange](platform/README.md) * [Authorisation, Tenant & Organisation Manager (ATOM)](platform/atom.md) * [Credential Service](platform/credential-service/README.md) - * [Credential Formats](platform/credential-service/credential-formats.md) * [Decentralised Identifiers (DIDs)](platform/did.md) * [Keys](platform/keys.md) * [Tenants, Organisations, and End-Users](platform/tenants-organisations-and-end-users.md) From 3070152e12ba2add0b166f36d9c65772d72ebb11 Mon Sep 17 00:00:00 2001 From: Shiori Chiku Date: Mon, 23 Jun 2025 15:11:44 +1000 Subject: [PATCH 6/6] revised some parts and removed vcdm+sd-jwt --- .../credential-service/credential-formats.md | 61 ++++++++++--------- 1 file changed, 31 insertions(+), 30 deletions(-) 
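Review bot: PATCH 5/6 moves the `Credential Formats` entry out from under `Credential Service` in the Platform section into the Concepts section, but the link target is still `platform/credential-service/credential-formats.md`, so the sidebar location and the file location now disagree; either move the file to `concepts/` or keep the entry nested under Credential Service. Note also that the page's matrix documents what the platform supports, which reads as Platform content rather than a Concept.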
diff --git a/platform/credential-service/credential-formats.md b/platform/credential-service/credential-formats.md index 652334c3..5e1b24f7 100644 --- a/platform/credential-service/credential-formats.md +++ b/platform/credential-service/credential-formats.md 
@@ -11,47 +11,47 @@ These variations help verifiable credentials serve diverse applications - from d ## Formats Summarised ### Data (Serialisation) Formats #### JSON -JavaScript Object Notation (JSON) is a text-based format used for the serialisation of structured data as defined in [RFC8259](https://datatracker.ietf.org/doc/html/rfc8259). It is human-readable and represents data as key-value pairs, utilising JavaScript's object literal syntax. +JavaScript Object Notation (JSON) is a text-based format used for the serialisation of structured data as defined in [[RFC8259]](https://datatracker.ietf.org/doc/html/rfc8259). +It is human-readable and represents data as key-value pairs, utilising JavaScript's object literal syntax. #### JSON-LD -JSON-LD is a lightweight Linked Data format built on the JSON specification, defined by W3C. It is a machine-readable format that enables applications to start with a single piece of Linked Data and follow embedded links to access related data hosted across different sites on the Web. +JSON-LD is a lightweight Linked Data format built on the JSON specification, defined by W3C. +It is a machine-readable format that enables applications to start with a single piece of Linked Data and follow embedded links to access related data hosted across different sites on the Web. #### CBOR -CBOR (Concise Binary Object Representation) [RFC8949](https://www.rfc-editor.org/rfc/rfc8949.html) is a compact, binary data serialisation format optimised for extremely small code size, efficient message size, and extensibility without requiring version negotiation. +CBOR (Concise Binary Object Representation) [[RFC8949]](https://www.rfc-editor.org/rfc/rfc8949.html) is a compact, binary data serialisation format optimised for extremely small code size, efficient message size, and extensibility without requiring version negotiation. 
### Credential Formats -#### JSON Web Token (JWT) -JWT [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519) is for encoding verifiable credentials in a compact, URL-safe way. The claims in a JWT are encoded as a JSON object, which can be included as the payload of a JSON Web Signature (JWS) to provide digital signing or integrity protection, or as the plaintext of a JSON Web Encryption (JWE) to ensure confidentiality through encryption. - #### Verifiable Credentials using JWTs (JWT-VC) -JWT VCs are often issued with a digital signature (JWS) for verification. They are popular in ecosystems using OAuth2 or OpenID Connect. It provides a structure for encoding credentials and can be used with a variety of cryptographic methods. +JWT VCs use JSON Web Tokens [[RFC7519]](https://datatracker.ietf.org/doc/html/rfc7519) with claims encoded in a signed JWT (JWS). They are popular in ecosystems using OAuth2 or OpenID Connect. +They follow the VC-JOSE-COSE specification and support various signing algorithms (e.g., RS256, ES256). Credential format identifiers: -* `jwt_vc_json` -* `jwt_vc_json-ld` +* `jwt_vc_json`: Defined by W3C. Uses JSON. +* `jwt_vc_json-ld`: Defined by W3C. Uses JSON-LD. #### Selective Disclosure for JWTs (SD-JWT) -Selective Disclosure (SD-JWT) format is an extension of JSON Web Tokens (JWT) that enables users to selectively disclose specific claims within a credential, revealing only the necessary information while keeping other details private. This format enhances privacy in credential sharing by allowing holders to disclose minimal, relevant data in a secure and verifiable way. +Selective Disclosure (SD-JWT) format is an extension of JSON Web Tokens (JWT) that enables users to selectively disclose specific claims within a credential, revealing only the necessary information while keeping other details private. +This format enhances privacy in credential sharing by allowing holders to disclose minimal, relevant data in a secure and verifiable way. 
Credential format identifiers: -* `vc+sd-jwt` -* `vcdm+sd-jwt` +* `vc+sd-jwt`: Defined by IETF. Based on SD-JWT VC. #### Verifiable Credentials using LDP (LDP-VC) -A Linked Data Proof Verifiable Credential (LDP-VC) is a format for expressing verifiable credentials using Linked Data Proofs as the signature mechanism. The credentials are structured as JSON-LD documents, with claims about a subject signed using cryptographic signature suites. This format supports selective disclosure with one of the following algorisms: BBS, CL-Signatures (CL) or Short Randomizable Signatures (ps-sig). +A Linked Data Proof Verifiable Credential (LDP-VC) is a format for expressing verifiable credentials using Linked Data Proofs as the signature mechanism. The credentials are structured as JSON-LD documents, with claims about a subject signed using cryptographic signature suites. +This format supports selective disclosure with one of the following algorisms: BBS, CL-Signatures (CL) or Short Randomizable Signatures (ps-sig). Credential format identifiers: -* `ldp_vc` +* `ldp_vc`: Defined by W3C. #### Mobile Document (mdoc) -A Mobile Document (mdoc) is a digitally signed, standardised electronic document. It uses the CBOR formatting defined in [RFC 8949](https://www.rfc-editor.org/rfc/rfc8949.html). CBOR uses binary encoding which features a small footprint (especially compared to JSON) and is, therefore, ideal for bandwidth constrained environments. Similar to other formats it can be used for both online and proximity use cases, although it is a better fit for the latter. These documents are designed to securely replace physical credentials including, but not limited to IDs, driving licences, passports, or medical records. +A Mobile Document (mdoc) is a digitally signed, standardised electronic document. It uses the CBOR formatting defined in [[RFC 8949]](https://www.rfc-editor.org/rfc/rfc8949.html). 
CBOR uses binary encoding which features a small footprint (especially compared to JSON) and is, therefore, ideal for bandwidth constrained environments. +It can be used for both online and proximity use cases. The Mobile Driving Licence (mDL) is one of the most popular types of mdoc, defined by [[ISO/IEC 18013-5]](https://www.iso.org/standard/69084.html). This format supports salted hash-based selective disclosure of claims. -##### Mobile Driver’s Licences (mDLs) -Mobile Driver’s Licences (mDLs) are a type of mdoc. -Our platform supports the issuance of mDL (and other document types) through OpenID 4 Verifiable Credential Issuance (OID4VCI). We also support ISO/IEC TS 18013-7 using OpenID 4 Verifiable presentation (OID4VP), which enables the presentation of mdocs to a reader (verifier) over the internet. +Our platform supports the issuance of mDL (and other document types) through OpenID 4 Verifiable Credential Issuance (OID4VCI). We also support [[ISO/IEC TS 18013-7]](https://www.iso.org/standard/91154.html) using OpenID 4 Verifiable presentation (OID4VP), which enables the presentation of mdoc VCs to a reader (verifier) over the internet. This format supports salted hash-based selective disclosure of claims. Credential format identifiers: -* `mso_mdoc` +* `mso_mdoc`: Defined by ISO. #### X.509 Certificates Traditional digital certificates that can be adapted for use as verifiable credentials. X.509 certificates are commonly used in public-key infrastructure (PKI) systems and can work with verifiable credentials by incorporating the VC Data Model. 
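Review bot: the `vc+sd-jwt` identifier kept in the SD-JWT section of this hunk no longer matches the `dc+sd-jwt` column header used in the rebuilt comparative matrix later in the same patch; settle on one identifier (the matrix column also carries the SD-JWT-VC v8 link, so whichever identifier that draft uses should appear in both places) and use it in both the prose and the table. Two smaller points in the same hunk: "algorisms" in the LDP-VC paragraph should read "algorithms", and the sentence "This format supports salted hash-based selective disclosure of claims." now appears twice in the mdoc section, once in the new mDL sentence and again as the retained line after the OID4VP sentence, so one copy should be dropped.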
@@ -61,15 +61,16 @@ Open Badges is a format for digital badges, designed to represent and share achi ## Comparative Matrix This matrix compares key features the different credential formats offer. -| | jwt_vc_json | vc+sd-jwt | jwt_vc_json-ld | vcdm+sd-jwt | ldp_vc | mso_mdoc | -|----------------------------|:----------------:|:------------------------:|:----------------------------------------:|:----------------------------------------:|:----------------------------------------:|:---------------------------------------------------------------:| -| **Platform Supported** | Supported [VC DATA](https://www.w3.org/TR/vc-data-model/) | Supported [SD-JWT-VC v3](https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-03.html) | Not supported To consider in the future. | Not supported. To consider in the future. | Not supported. To consider in the future. | Online: Supported Offline: Supported via third party technology | -| Credential Format | JWT-VC | SD-JWT | JWT-VC | SD-JWT | LDP-VC | CBOR | -| Data Format | JSON | JSON | JSON-LD | JSON | JSON-LD | CBOR | -| Encoding | Base64 | Base64 | Base64 | Base64 | Base64 | Binary | -| Selective Disclosure (Y/N) | N | Y | N | Y | Y | Y | -| SDO | W3C | IETF | W3C | W3C | W3C | ISO/IEC 18013-5 | -| Suitable Use Cases | Online use cases | Online use cases | Online use cases | Online use cases | Online use cases | Bandwidth constrained environments | +| | jwt_vc_json | jwt_vc_json-ld | dc+sd-jwt | ldp_vc | mso_mdoc | +|----------------------------|:-----------:|:----------------------------:|:---------------:|:--------------------------:|:-----------------------------------:| +| Platform Supported | Supported [VCDM](https://www.w3.org/TR/vc-data-model/) | Not supported. To consider in the future. | Supported [SD-JWT-VC v8](https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html) | Not supported. To consider in the future. | Online: Supported. 
Offline: Supported via third-party technology | +| Credential Format | JWT-VC | JWT-VC | SD-JWT |LDP-VC | CBOR | +| Data Format | JSON | JSON-LD | JSON | JSON-LD | CBOR | +| Encoding | Base64 | Base64 | Base64 | Base64 | Binary | +| Selective Disclosure (Y/N)| N | N | Y | Y | Y | +| SDO | W3C | W3C | IETF | W3C | ISO/IEC 18013-5 | +| Best Use Case | Online use cases | Online use cases | Online use cases | Online use cases | Bandwidth-constrained environments | + ## Additional Information ### Privacy-Enhancing Cryptographic Methods for Verifiable Credentials @@ -97,6 +98,8 @@ By including the cnf (confirmation) claim in a JWT, the issuer binds the credent [ISO.18013-5](https://www.iso.org/standard/69084.html) ISO/IEC JTC 1/SC 17 Cards and security devices for personal identification, "ISO/IEC 18013-5:2021 Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application", 2021, ISO/IEC 18013-5:2021 . +[ISO.18013-7](https://www.iso.org/standard/69084.html) ISO/IEC JTC 1/SC 17 Cards and security devices for personal identification, "ISO/IEC TS 18013-7:2025 Personal identification — ISO-compliant driving licence — Part 7: Mobile driving licence (mDL) add-on functions", 2025, ISO/IEC 18013-7:2025 . + [JSON-LD](https://www.w3.org/TR/json-ld11/) Kellogg, G., Sporny, M., Longley, D., Lanthaler, M., Champin, P., and N. Lindström, "JSON-LD 1.1: A JSON-based Serialization for Linked Data.", 16 July 2020, JSON-LD 1.1 . [VC DATA](https://www.w3.org/TR/vc-data-model/) Sporny, M., Noble, G., Longley, D., Burnett, D. C., Zundel, B., and K. D. Hartog, "Verifiable Credentials Data Model 1.1", 3 March 2022, Verifiable Credentials Data Model v1.1 . 
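Review bot: the last row of the rebuilt matrix is relabelled "Best Use Case", which silently reverts the "Suitable Use Cases" wording introduced by an earlier patch in this series; if the revert is unintentional, keep "Suitable Use Cases" (the commit message mentions only the vcdm+sd-jwt removal and revisions, not this change).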
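Review bot: the new [ISO.18013-7] reference entry links to https://www.iso.org/standard/69084.html, which is the same URL as the [ISO.18013-5] entry directly above it, while the body text added earlier in this patch links ISO/IEC TS 18013-7 to https://www.iso.org/standard/91154.html; use the 91154 URL in the reference so the entry and the inline link agree.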
@@ -111,6 +114,4 @@ SD-JWT-based Verifiable Credentials (SD-JWT VC) . [VC JOSE COSE](https://www.w3.org/TR/vc-jose-cose/) Jones, M., Prorock, M., Cohen, G., “Securing Verifiable Credentials using JOSE and COSE”, 20 March 2025, Securing Verifiable Credentials using JOSE and COSE . -[SD-JWT-VC-DM](https://github.com/danielfett/sd-jwt-vc-dm) Fett, D., “SD-JWT VC DM Credential Format”, GitHub - danielfett/sd-jwt-vc-dm: SD-JWT VC Data Model is a credential format that combines the best of both worlds from SD-JWT VC and W3C VCDM . - [OPEN BADGES](https://openbadges.org/) Home | IMS Open Badges.