Dear JOSE & OAuth WG,

Sorry for cross-posting, but this seems to be a topic that would fit both WGs 
and cross-posting seemed to be the best way.

I have submitted a new ID that proposes a digital credential format building on 
top of JSON Web Proofs, SD-JWT VC, and blind BBS Signatures:
Datatracker: https://datatracker.ietf.org/doc/draft-bormann-jwp-modular-bbs/  - 
GitHub: https://github.com/c2bo/draft-bormann-jwp-modular-bbs 

   This document defines a digital credential format that uses JSON Web
   Proofs (JWP) as its container format and Blind BBS Signatures as its
   signature scheme combined with a modular framework for attaching
   zero-knowledge sub-proofs.  This allows a Holder to reveal some
   attributes directly while proving predicates such as range or
   equality over the ones they keep hidden.  A credential can
   additionally be bound to an ECDSA P-256 device key, with possession
   of the key proven in every presentation without revealing the public
   key.  The credential type definition and data model follow SD-JWT VC
   [I-D.ietf-oauth-sd-jwt-vc].

The core idea behind this draft is to enable a credential format that functions 
similar to SD-JWT VC, but powered by a modular Anonymous Credentials framework.
Instead of building on top of JWS/JWT, the container format is JWP (currently 
JSON / compact serialisation only) and the core data model & credential type 
system
of SD-JWT VC are re-used. The core signature mechanism is BBS, specifically the 
blind BBS draft, since it adds committed disclosure - fresh Pedersen commitments
to hidden messages at presentation time.

The proposed construction allows for a digital credential format with 
unlinkable presentations where each claim/value can individually be

- hidden
- disclosed
- committed 

Commitments can then be used as inputs to chained sub-proofs (also called 
Commit-and-Prove). This allows for sub-proofs like a range proof over
issuance or expiration time (proving that the credential is not expired instead 
of disclosing the expiration time), or equality proofs (e.g., proving two 
credentials
contain the same name without disclosing the value). The draft introduces a 
registry and a few core sub-proofs, with one important sub-proof allowing for a 
key
binding to a P-256 public key where a Zero Knowledge Proof of Knowledge over a 
valid signature replaces the KB-JWT of SD-JWT.
The concrete constructions for these sub-proofs will be leveraged from existing 
work (e.g., for range proofs) and the key binding sub-proof is expected to be a
separate draft in CFRG: 
https://datatracker.ietf.org/doc/draft-cllz-cfrg-ecdsa-pop/. 

The general idea for such a construction has been discussed for some time in 
the context of EU Digital Identity Wallets / eIDAS and the draft roughly 
follows the concepts of:

- 
https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/blob/main/docs/technical-specifications/ts14-zkps-from-mms.md
- https://eprint.iacr.org/2025/1981 (Vision: A Modular Framework for Anonymous 
Credential Systems) 

This is a rough first draft and especially the sub-proof parts definitely need 
further work, but I’d love to get some feedback on the draft and the general 
concept.

Given the reliance on JWP for serialisation, I thought JOSE would be a natural 
home, but since some parts of SD-JWT VC are re-used, there definitely
is an argument to be made for OAuth as well. Are people interested in this kind 
of work and if so where should it happen?

Happy to present the draft in Vienna if possible / still fits into the agenda.

Best Regards,
Christian
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to