> Are you using DPoP at issuance of the credential and embedding the public key as the means to verify the subject?

Exactly. We are using "client credentials" as the grant type. The credential used as grant is the client's public key and we are using DPoP to prove possession. Then the public key is embedded in the VC (which is encoded as a JWT).

> Are you going so far as using DPoP in lieu of Verifiable Presentation wrappers?

Yes. Since our VCs are encoded in JWT, they are included in the Authorization header of HTTP requests and we are using DPoP to prove possession. So we do not use Verifiable Presentations at all.

Best,
Nikos

> On Sep 30, 2021, at 12:47 AM, Nikos Fotiou <[email protected]> wrote:
>
> FYI, this is exactly what we are doing in [1] to manage Verifiable Credentials using OAuth2.0. The AS issues a verifiable credential that stays (for a long time) in the client. The client uses DPoP to prove ownership of the credential. We just started a new project funded by essif [2] that will further develop this idea and provide implementations.
>
> Best,
> Nikos
>
> [1] N. Fotiou, V.A. Siris, G.C. Polyzos, "Capability-based access control for multi-tenant systems using Oauth 2.0 and Verifiable Credentials," Proc. 30th International Conference on Computer Communications and Networks (ICCCN), Athens, Greece, July 2021 (https://mm.aueb.gr/publications/0a8b37c5-c814-4056-88a7-19556221728c.pdf)
> [2] https://essif-lab.eu
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
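The check described in the reply above, sketched from the resource server's side as an added example; it is not code from the thread or from the authors' project. It assumes the VC carries the client's key in a `cnf.jwk` claim, that proofs are signed with ES256, and that the VC's issuer signature has already been verified; `makeProof`, `checkProof` and `demo` are hypothetical names.

```javascript
// Added example, not code from the thread. Assumes the VC embeds the key as cnf.jwk.
const nodeCrypto = require('crypto');
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString());
const P1363 = 'ieee-p1363'; // JWS ES256 signatures are raw r||s, not DER
// RFC 7638 thumbprint of an EC JWK: required members only, in lexicographic order.
const thumbprint = ({ crv, kty, x, y }) =>
  nodeCrypto.createHash('sha256').update(JSON.stringify({ crv, kty, x, y })).digest('base64url');
// Client: sign a DPoP proof for one HTTP request (method htm, URL htu).
function makeProof(privateKey, jwk, htm, htu, iat) {
  const input = enc({ typ: 'dpop+jwt', alg: 'ES256', jwk }) + '.' +
    enc({ jti: nodeCrypto.randomUUID(), htm, htu, iat });
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: P1363 });
  return input + '.' + sig.toString('base64url');
}

// Resource server: vcClaims come from a VC whose issuer signature was already verified.
function checkProof(proof, vcClaims, htm, htu, now, seenJti, maxAgeSec = 60) {
  const bound = vcClaims && vcClaims.cnf && vcClaims.cnf.jwk;
  const [h, p, s] = String(proof).split('.');
  if (!bound || !h || !p || !s) return 'malformed';
  try {
    const head = dec(h), body = dec(p);
    if (head.typ !== 'dpop+jwt' || head.alg !== 'ES256' || !head.jwk) return 'bad header';
    // Possession: the proof key must be the key the issuer put in the credential.
    if (thumbprint(head.jwk) !== thumbprint(bound)) return 'key mismatch';
    const key = nodeCrypto.createPublicKey({ key: bound, format: 'jwk' });
    const ok = nodeCrypto.verify('sha256', Buffer.from(h + '.' + p),
      { key, dsaEncoding: P1363 }, Buffer.from(s, 'base64url'));
    if (!ok) return 'bad signature';
    if (body.htm !== htm || body.htu !== htu) return 'wrong request'; // bound to this request
    if (typeof body.iat !== 'number' || Math.abs(now - body.iat) > maxAgeSec) return 'stale';
    if (typeof body.jti !== 'string' || seenJti.has(body.jti)) return 'replay';
    seenJti.add(body.jti);
    return 'ok';
  } catch (e) { return 'malformed'; }
}

// Constructed demo: the holder, a replay of its proof, and a party that only copied the VC.
function demo() {
  const url = 'https://rs.example/resource', now = 1700000000, seen = new Set();
  const gen = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const holder = gen(), thief = gen();
  const jwk = holder.publicKey.export({ format: 'jwk' });
  const good = makeProof(holder.privateKey, jwk, 'GET', url, now);
  const forged = makeProof(thief.privateKey, thief.publicKey.export({ format: 'jwk' }), 'GET', url, now);
  return [good, good, forged].map((pr) => checkProof(pr, { cnf: { jwk } }, 'GET', url, now, seen));
}
console.log(demo());
```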
