Merging credential_response_encryption parameters into a single object #136

Merged
merged 7 commits into from
Dec 14, 2023
9 changes: 5 additions & 4 deletions openid-4-verifiable-credential-issuance-1_0.md
Expand Up @@ -716,9 +716,10 @@ A Client makes a Credential Request to the Credential Endpoint by sending the fo
* `proof`: OPTIONAL. Object containing the proof of possession of the cryptographic key material the issued Credential would be bound to. The `proof` object MUST contain a following claim:
* `proof_type`: REQUIRED. String denoting the key proof type. The value of this claim determines other claims in the key proof object and its respective processing rules. Key proof types defined in this specification can be found in (#proof_types).
* `credential_identifier`: REQUIRED when `credential_identifier` was returned from the Token Response. MUST NOT be used otherwise. String that identifies a Credential that is being requested to be issued. When this parameter is used, the `format` parameter and any other Credential format specific set of parameters such as those defined in (#format_profiles) MUST NOT be present.
* `credential_encryption_jwk`: OPTIONAL. An object containing a single public key as a JWK used for encrypting the Credential Response.
* `credential_response_encryption_alg`: OPTIONAL. JWE [@!RFC7516] `alg` algorithm [@!RFC7518] REQUIRED for encrypting Credential and/or Batch Credential Responses. If omitted, no encryption is intended to be performed. When the `credential_response_encryption_alg` is present, the `credential_encryption_jwk` MUST be present.
* `credential_response_encryption_enc`: OPTIONAL. JWE [@!RFC7516] `enc` algorithm [@!RFC7518] REQUIRED for encrypting Credential Responses. If `credential_response_encryption_alg` is specified, the default for this value is `A256GCM`. When `credential_response_encryption_enc` is included, `credential_response_encryption_alg` MUST also be provided.
* `credential_response_encryption`: OPTIONAL. Object containing information for encrypting the Credential Response. If omitted, no encryption is intended to be performed.
* `jwk`: REQUIRED. Object containing a single public key as a JWK used for encrypting the Credential Response.
* `alg`: OPTIONAL. JWE [@!RFC7516] `alg` algorithm [@!RFC7518] for encrypting Credential Responses. The default value is `xxx`.
* `enc`: OPTIONAL. JWE [@!RFC7516] `enc` algorithm [@!RFC7518] for encrypting Credential Responses. The default value is `A256GCM`.

The `proof_type` claim is an extension point that enables the use of different types of proofs for different cryptographic schemes.
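Review bot: the new `alg` entry gives its default as `xxx`, a placeholder that cannot stay in the spec text; either name the concrete default JWE `alg`, or make `alg` REQUIRED whenever `credential_response_encryption` is present, as the replaced `credential_response_encryption_alg` text effectively did, since the Issuer cannot build a JWE without a key management algorithm agreed with the Client. The `enc` entry keeps its `A256GCM` default, so `alg` is the only open value in the object.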

Expand Down Expand Up @@ -872,7 +873,7 @@ Credential Response can be immediate or deferred. The Credential Issuer MAY be a

In other cases, the Credential Issuer MAY NOT be able to immediately issue a requested Credential and would want to send a `transaction_id` parameter to the Client to be used later to receive a Credential when it is ready. The HTTP status code MUST be 202 (section 10.2.3 of [@!RFC2616]).

If the Client requested encrypted responses, the Credential Issuer MUST encode the information in the Credential Reponse as a JWT with `credential_response_encryption_alg` and `credential_response_encryption_enc`. The JWT MUST be encrypted using the public key specified by `credential_encryption_jwk` in the Credential Request. If the Credential Response is encrypted, the media type of the response MUST bet set to `application/jwt`. If encryption was negotiated in the Credential Request and the Credential Response is not encrypted, the Client SHOULD reject the Credential Response.
If the Client requested encrypted responses, the Credential Issuer MUST encode the information in the Credential Response as a JWT with `alg`, `enc` and using the public key specified by `jwk` from the `credential_response_encryption` object in the Credential Request. If the Credential Response is encrypted, the media type of the response MUST bet set to `application/jwt`. If encryption was negotiated in the Credential Request and the Credential Response is not encrypted, the Client SHOULD reject the Credential Response.
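Review bot: the new sentence carries the `MUST bet set` typo over from the removed line; it should read `MUST be set`. The phrase "as a JWT with `alg`, `enc`" also leaves open whether a signed (nested) JWT is meant, even though `alg`, `enc` and `jwk` are JWE parameters per the hunk above; stating that the response is a JWE [@!RFC7516] encrypted to the key in `jwk`, with no signing implied, would settle that. And since `alg` is OPTIONAL in the request object, the sentence should say which `alg` applies when the Client omits it.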
Member

Does this mean that the response is an encrypted JSON and not a Nested JWT, signed and then encrypted?
I would give more clarification, as OIDC with the userinfo response (or id token) made:

If the UserInfo Response is signed and/or encrypted, then the Claims are returned in a JWT and the content-type MUST be application/jwt. The response MAY be encrypted without also being signed. If both signing and encryption are requested, the response MUST be signed then encrypted, with the result being a Nested JWT, as defined in [JWT].

@sakimura @selfissued ^

Contributor Author

I think this is about encryption only, this is how I read it

Collaborator

@peppelinux I think here we are trying to talk about the case when the response is only encrypted and not signed, and that probably can be made clearer.


If the Credential Response is not encrypted, the media type of the response MUST be set to `application/json`.
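As an added illustration of the Client-side rule in this hunk (reject a Credential Response that is not encrypted when encryption was negotiated) and of the encrypt-only reading discussed in the thread above: this is example code, not from the specification or any implementation; the function names, the `negotiated` argument and the sample body are assumptions, and the sample body is constructed with placeholder segments rather than real ciphertext.

```python
import base64
import json
from typing import Optional

# Added client-side acceptance check, not code from the OID4VCI spec or any
# implementation. `negotiated` is the `credential_response_encryption` object the
# Client sent in its Credential Request (None when no encryption was requested).

ENC_DEFAULT = "A256GCM"  # default `enc` given in the diff


def _b64url_decode_json(segment: str) -> dict:
    """Decode one base64url JOSE segment into a JSON object."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_credential_response(negotiated: Optional[dict], content_type: str, body: str) -> dict:
    """Return the JWE protected header of an acceptable response; raise ValueError
    when the Client should reject it. Decrypting the JWE needs a JOSE library and
    is out of scope here; this is the acceptance check that precedes it."""
    media = content_type.split(";")[0].strip().lower()
    if negotiated is None:
        if media != "application/json":
            raise ValueError(f"no encryption negotiated, expected application/json, got {media}")
        return {}
    if media != "application/jwt":
        raise ValueError("encryption negotiated but response is not application/jwt")
    parts = body.strip().split(".")
    # Compact JWE = 5 segments. A 3-segment token is a JWS (signed, not encrypted)
    # and does not satisfy the negotiated encryption, so it is rejected as well.
    if len(parts) != 5:
        raise ValueError("encryption negotiated but body is not a compact JWE")
    header = _b64url_decode_json(parts[0])
    # `alg` is OPTIONAL in the request object, so only enforce it when it was sent.
    if "alg" in negotiated and header.get("alg") != negotiated["alg"]:
        raise ValueError("JWE alg does not match negotiated alg")
    if header.get("enc") != negotiated.get("enc", ENC_DEFAULT):
        raise ValueError("JWE enc does not match negotiated enc")
    return header


def constructed_jwe_shaped_body(alg: str, enc: str) -> str:
    """Constructed sample: a compact-JWE-shaped string with a real protected header
    and placeholder segments, enough to exercise the check above (not real ciphertext)."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": alg, "enc": enc}).encode()).rstrip(b"=")
    return ".".join([header.decode(), "encryptedkey", "iv", "ciphertext", "tag"])
```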
