Dear JOSE & OAuth WG,
Sorry for cross-posting, but this seems to be a topic that would fit both WGs
and cross-posting seemed to be the best way.
I have submitted a new ID that proposes a digital credential format building on
top of JSON Web Proofs, SD-JWT VC, and blind BBS Signatures:
Datatracker: https://datatracker.ietf.org/doc/draft-bormann-jwp-modular-bbs/ -
GitHub: https://github.com/c2bo/draft-bormann-jwp-modular-bbs
This document defines a digital credential format that uses JSON Web
Proofs (JWP) as its container format and Blind BBS Signatures as its
signature scheme combined with a modular framework for attaching
zero-knowledge sub-proofs. This allows a Holder to reveal some
attributes directly while proving predicates such as range or
equality over the ones they keep hidden. A credential can
additionally be bound to an ECDSA P-256 device key, with possession
of the key proven in every presentation without revealing the public
key. The credential type definition and data model follow SD-JWT VC
[I-D.ietf-oauth-sd-jwt-vc].
The core idea behind this draft is to enable a credential format that functions
similar to SD-JWT VC, but powered by a modular Anonymous Credentials framework.
Instead of building on top of JWS/JWT, the container format is JWP (currently
JSON / compact serialisation only) and the core data model & credential type
system
of SD-JWT VC are re-used. The core signature mechanism is BBS, specifically the
blind BBS draft, since it adds committed disclosure - fresh Pedersen commitments
to hidden messages at presentation time.
The proposed construction allows for a digital credential format with
unlinkable presentations where each claim/value can individually be
- hidden
- disclosed
- committed
Commitments can then be used as inputs to chained sub-proofs (also called
Commit-and-Prove). This allows for sub-proofs like a range proof over
issuance or expiration time (proving that the credential is not expired instead
of disclosing the expiration time), or equality proofs (e.g., proving two
credentials
contain the same name without disclosing the value). The draft introduces a
registry and a few core sub-proofs, with one important sub-proof allowing for a
key
binding to a P-256 public key where a Zero Knowledge Proof of Knowledge over a
valid signature replaces the KB-JWT of SD-JWT.
The concrete constructions for these sub-proofs will be leveraged from existing
work (e.g., for range proofs) and the key binding sub-proof is expected to be a
separate draft in CFRG:
https://datatracker.ietf.org/doc/draft-cllz-cfrg-ecdsa-pop/.
The general idea for such a construction has been discussed for some time in
the context of EU Digital Identity Wallets / eIDAS and the draft roughly
follows the concepts of:
-
https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/blob/main/docs/technical-specifications/ts14-zkps-from-mms.md
- https://eprint.iacr.org/2025/1981 (Vision: A Modular Framework for Anonymous
Credential Systems)
This is a rough first draft and especially the sub-proof parts definitely need
further work, but I’d love to get some feedback on the draft and the general
concept.
Given the reliance on JWP for serialisation, I thought JOSE would be a natural
home, but since some parts of SD-JWT VC are re-used, there definitely
is an argument to be made for OAuth as well. Are people interested in this kind
of work and if so where should it happen?
Happy to present the draft in Vienna if possible / still fits into the agenda.
Best Regards,
Christian
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]