Attestation Formats

SD-JWT VC

SD-JWT VC is one of the attestation formats required by the Architecture Reference Framework (ARF) for the issuance of PIDs and (Q)EAAs.

A Company Passport solution MUST support draft 03 of SD-JWT VC.

The Architecture Reference Framework currently refers to SD-JWT VC as the required SD-JWT specification. However, a future version of the ARF will likely update this to a version of SD-JWT VC DM.

Due to the experimental stage of SD-JWT VC DM, Company Passport will for now follow the requirements set out in the Architecture Reference Framework.

Cryptographic Algorithms

For signing the SD-JWT VC and the Key Binding JWT, at least the signing algorithm (alg) value ES256 in combination with the elliptic curve (crv) value P-256 MUST be supported, as specified in Cryptographic Algorithms.

For the digests of disclosures, the _sd_alg value sha-256 MUST be supported, as specified in the SD-JWT VC specification and Cryptographic Algorithms.

Issuer Identification and Key Resolution

The Attestation Provider of an SD-JWT VC MUST include a verifiable identifier as the value of the iss payload claim. At least DID Document Resolution, JWT VC Issuer Metadata, and X.509 Certificates, as described in Identifiers and section 3.5 of SD-JWT VC, MUST be supported.

Key Binding

When cryptographic Key Binding is to be supported, the cnf claim MUST contain a confirmation method identifying a proof-of-possession key.

At least the jwk confirmation method MUST be supported, as specified in Identifiers and Section 3.2 of RFC 7800.

When an SD-JWT VC is to be bound to a key within a DID Document, the kid confirmation method SHALL be used with a value consisting of a DID URL that points to a specific key within the DID Document. Depending on its requirements, a verifier MAY choose to accept another key in the DID Document as valid proof of possession in the Key Binding JWT.

Discussion is still ongoing on how a DID URL should be conveyed as a confirmation method. Possibly a new did confirmation method will be introduced. Since kid has been widely used to convey DID URLs, it will be used as the confirmation method for DID URLs until the did confirmation method has been standardized.
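The following Python example is added here for illustration and is not Company Passport code. It shows the two mechanisms the Cryptographic Algorithms and Key Binding requirements above constrain: sha-256 digests of salted disclosures placed in _sd, and a verifier-side check that cnf carries either a jwk or a DID URL in kid. ES256 signature verification of the issuer JWS is assumed to have been done by a JWS library before these checks run; the vct value, claim names and salts are constructed placeholders.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    """Base64url without padding, as SD-JWT uses for disclosures and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(name: str, value, salt: str = "") -> str:
    """Disclosure for an object property: base64url(JSON [salt, name, value])."""
    salt = salt or b64url(secrets.token_bytes(16))  # fresh 128-bit salt per claim
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode("utf-8"))

def digest(disclosure: str) -> str:
    """_sd_alg sha-256: base64url(SHA-256(ASCII(disclosure)))."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def build_payload(iss: str, cnf: dict, disclosures: list) -> dict:
    """Issuer side: only digests go into _sd; the values live in the disclosures.
    vct is a constructed placeholder type identifier."""
    digests = [digest(d) for d in disclosures]
    secrets.SystemRandom().shuffle(digests)  # hide the original claim order
    return {"iss": iss, "vct": "urn:example:company-passport", "_sd_alg": "sha-256",
            "_sd": digests, "cnf": cnf}

def verify_disclosures(payload: dict, presented: list) -> dict:
    """Verifier side, after the ES256 signature over the payload has been checked.
    Binds each presented disclosure to exactly one unused _sd digest."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    cnf = payload.get("cnf", {})
    has_jwk = isinstance(cnf.get("jwk"), dict)
    has_did_url = isinstance(cnf.get("kid"), str) and cnf["kid"].startswith("did:")
    if not (has_jwk or has_did_url):
        raise ValueError("cnf must carry a jwk or a DID URL in kid")
    unused, claims = set(payload["_sd"]), {}
    for d in presented:
        h = digest(d)
        if h not in unused:  # unknown, tampered or duplicated disclosure
            raise ValueError("disclosure does not match an unused _sd digest")
        unused.remove(h)
        salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        claims[name] = value
    return claims

def accepts(payload: dict, presented: list) -> bool:
    try:
        verify_disclosures(payload, presented)
        return True
    except ValueError:
        return False
```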

Revocation

When an SD-JWT VC needs to support revocation, the Token Status List revocation method should be used, as defined in Attestation Revocation and Section 3.2.2.2 of SD-JWT VC.

ISO/IEC 18013-5 mDL

TODO

W3C Verifiable Credential

TODO