1. OpenID for Verifiable Credentials
The next generation of OpenID
Kristina Yasuda, Microsoft
Oliver Terbu, Spruce,
Tobias Looker, Mattr,
Dr. Torsten Lodderstedt, yes.com
2. 2
What is it?
OpenID for Verifiable Credential Issuance
(Issuance of verifiable credentials)
Issuer
(Website)
Verifier
(Website)
Holder
(Digital Wallet)
Can be hosted locally on the user’s
device, have cloud components, or be
entirely hosted in the cloud
Issue Credentials
Present
Credentials
Self-Issued OP v2 (authentication using identifiers
not namespaced to a third-party identity provider)
OpenID for Verifiable Presentations
(Presentation of verifiable credentials)
3. 3
Credential
Issuer
Wallet
OP
Alice
Stored
Verifiable Credentials
⓪ Wallet requests & User
authorizes credential issuance
③ Credential is issued
① access token(, refresh token)
② Wallet requests credential issuance
Credential issuance via simple OAuth-authorized API
OpenID for Verifiable Credential Issuance
4. 4
- RP can request credentials by format*,
type and select claims for selective
disclosure, e.g
○ format: “ldp_vc”
type: “IDCredential”
claims: “given_name” & “last_name”
○ format: “mso_mdoc”
doctype: “org.iso.18013.5.1.mDL”
claims: “driving_privileges”
OpenID for Verifiable Presentations
Website or App
(RP)
Wallet
OP
Alice
⓪ User tries to get
access to a resource
Stored Verifiable Credentials
② Wallet issues Verifiable
Presentation(s) in VP Token
① RP requests
Credential(s)
- Verifiable Presentations* are
returned in the so-called VP
Token (one or more)
5. 5
OpenID4VCs allows variety of choices in the VC tech stack
Component Implementer’s choices when using OpenID4VP
Format of
VCs/PID/(Q)EAA
Any format (W3C VCs, ISO mDL, SD-JWT, AnonCreds, …)
Method to obtain
Public Keys
Any DID method, raw keys, or X.509 certs
Cryptography Any crypto suite (EdDSA, ES256K, etc.)
Revocation Any mechanism (Status List 2021, etc.)
Trust Management Any mechanism for managing trusted Issuers, Wallets and Relying Parties
(EU Trusted List, OpenID Connect Federation, TRAIN, …)
6. 6
Working Group Updates Since Last Workshop – May 2022
■ Renamed from “OpenID Connect 4 SSI” to
“OpenID 4 Verifiable Credentials”
■ OpenID 4 VCs is a new kind of OpenID
■ Started comprehensive security threat analysis
■ Conformance Test (1st revision)
■ New sub page https://openid.net/openid4vc/
8. 8
OpenID 4 Verifiable Presentations
● Changed base protocol to OAuth 2.0
● Replaced “claims” parameter by following options:
▪ scope (definition left to spec or deployment)
▪ presentation definition (by value or by reference)
● Started to move SIOP v2 pieces to make OpenID4VPs
self-contained
▪ cross device flow
▪ client metadata
9. 9
SIOP v2
● SIOP “just” means “iss” == “sub”
● id_token_types_supported
▪ subject_signed: self-issued id token, i.e. the id token is
signed with key material under the end-user's control.
▪ attester_signed: signed by the OP
, classical ID Token
● SIOP now supports all OpenID Connect flows
10. 10
Other standards bodies & non profits & government activities
■ Incorporated OpenID4VCs into ISO drafts
(18013-7/mDL & 23220-3&4/eID)
■ The European Blockchain Services
Infrastructure (EBSI) adopted OpenID4VCs
■ EU eIDAS v2
● Presented to EU eIDAS expert group
● OpenID4VCs was added to short list
■ Established liaison with ETSi
■ Working on BLE mode with MOSIP
12. 12
Working Group Issues to be Addressed
■ More implementers feedback (preparing IDs for all spec)
■ Overall trust model and security considerations draft
■ Issuance: issuer metadata path & file content, issuer
identification by DID, anonymous & externally managed
clients
■ Offline support (BLE) - first non-WG draft ->
■ Conformance Testing
