
iddance_lesson4.pdf

kg0r0
November 26, 2024

Transcript

  1. mDL interfaces (ISO/IEC 18013-5:2021)
    Diagram labels: Issuing authority infrastructure, mDL, mDL reader, Issuing authority, mDL holder, mDL verifier, Server retrieval, Device retrieval (*out of scope in ISO/IEC 18013-5:2021)
  2. mdoc data model
    {
      version: '1.0',
      documents: [
        {
          docType: 'org.iso.18013.5.1.mDL',
          issuerSigned: {
            // Returned data elements signed by the issuer
            nameSpaces: { 'org.iso.18013.5.1': [ . . . ] },
            issuerAuth: [
              // Contains the mobile security object (MSO) for issuer data authentication
              . . .
            ]
          }
        }
      ],
      status: 0
    }
    Diagram labels: doctype (org.iso.18013.5.1.mDL), namespace, family_name, given_name, MSO, mdoc public key
  3. Credential Format / Exchange
    ▪ Credential Format
      ◦ W3C Verifiable Credentials Data Model
      ◦ ISO/IEC 18013-5 mdoc <- the main topic today (supported by EUDIW, the Digital Credentials API, the Verify with Wallet API, etc.)
      ◦ IETF SD-JWT VC
      ◦ etc.
    ▪ Credential Exchange
      ◦ OpenID for Verifiable Credential Issuance (OID4VCI)
      ◦ OpenID for Verifiable Presentations (OID4VP) <- the main topic today (supported by EUDIW, the Digital Credentials API, etc.)
      ◦ etc.
    Ref) https://github.com/decentralized-identity/interoperability/blob/master/assets/interoperability-mapping-exercise-10-12-20.pdf
  4. OID4VCI workflow overview
    ▪ OpenID for Verifiable Credential Issuance
    ▪ An OAuth-protected API for issuing Verifiable Credentials
    ▪ The credential format is not restricted; the W3C Verifiable Credentials Data Model, ISO mdoc [ISO.18013-5] and others are supported
    Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html https://openid.net/wordpress-content/uploads/2022/06/OIDF-Whitepaper_OpenID-for-Verifiable-Credentials-V2_2022-06-23.pdf
  5. OID4VP workflow overview
    ▪ OpenID for Verifiable Presentations
    ▪ Provides a mechanism for presenting Verifiable Credentials (VCs) as Verifiable Presentations (VPs)
    ▪ The formats of VCs and VPs are not restricted; the W3C Verifiable Credentials Data Model, ISO mdoc [ISO.18013-5] and others are supported
    Ref) https://openid.net/wordpress-content/uploads/2022/06/OIDF-Whitepaper_OpenID-for-Verifiable-Credentials-V2_2022-06-23.pdf https://openid.net/specs/openid-4-verifiable-presentations-1_0.html
  6. DIW (Digital Identity Wallet)
    ▪ An application that enables the secure storage, management and sharing of personal identification data, credentials and other attribute information
    ▪ Can present only specific pieces of information with few user actions
    ▪ Basically, think of it as a digital version of a physical wallet
    Ref) https://www.edps.europa.eu/data-protection/technology-monitoring/techsonar/digital-identity-wallet_en
  7. EUDIW (EU Digital Identity Wallet)
    ▪ EUDIW is a DIW designed as a convenient and secure way for European citizens and businesses to prove their identity and attributes with a digital ID, in both the public and private sectors
    ▪ It also aims to facilitate the exchange of information within the EU and between member states
    Ref) https://ec.europa.eu/digital-building-blocks/sites/display/EUDIGITALIDENTITYWALLET/EU+Digital+Identity+Wallet+Home https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet-implementation
  8. EUDIW Interfaces and protocols
    ▪ European Digital Identity Wallet Architecture and Reference Framework (ARF)
      ◦ Defines the technical specifications, standards and procedures drawn up by the European Commission to implement the eIDAS regulation
    ▪ OpenID4VCI
      ◦ Wallet Instance <-> Attestation Provider
      ◦ Wallet Instance <-> PID Provider
    ▪ OpenID4VP - ISO/IEC 18013-5
      ◦ Wallet Instance <-> Relying Party Instance
    Ref) https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/blob/main/docs/arf.md#421-interfaces-and-protocols
  9. Available standardised formats
    ▪ ISO/IEC 18013-5 mdoc
    ▪ Selective Disclosure for JWTs (SD-JWT)
    ▪ W3C Verifiable Credentials Data Model v1.1 [W3C VC DM v1.1]
    ▪ SD-JWT-based Verifiable Credentials (SD-JWT VC)
    Ref) https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/blob/main/docs/arf.md#52-available-standardised-formats
  10. EUDIW Reference Implementation
    • Issuer https://github.com/eu-digital-identity-wallet/.github/blob/main/profile/reference-implementation.md#issuing-apps-and-services
    • Holder https://github.com/eu-digital-identity-wallet/.github/blob/main/profile/reference-implementation.md#wallet-ui-app-and-demo-app-for-android-and-ios
    • Verifier https://github.com/eu-digital-identity-wallet/.github/blob/main/profile/reference-implementation.md#verifier-apps-and-services
  11. Issuer
    ▪ Installation https://github.com/eu-digital-identity-wallet/eudi-srv-web-issuing-eudiw-py/blob/main/install.md
      ◦ How to run the EUDIW Issuer?
    ▪ Configuration https://github.com/eu-digital-identity-wallet/eudi-srv-web-issuing-eudiw-py/blob/main/api_docs/add_credential.md
      ◦ Metadata Configuration
      ◦ Service Configuration
      ◦ Configuration of Countries supported by the EUDIW Issuer
  12. Holder
    ▪ iOS https://github.com/eu-digital-identity-wallet/eudi-app-ios-wallet-ui
      ◦ Building the Reference apps to interact with issuing and verifying services. https://github.com/eu-digital-identity-wallet/eudi-app-ios-wallet-ui/blob/main/wiki/how_to_build.md
    ▪ Android https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui
      ◦ Building the Reference apps to interact with issuing and verifying services. https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui/blob/main/wiki/how_to_build.md
  13. Verifier
    ▪ Frontend https://github.com/eu-digital-identity-wallet/eudi-web-verifier
      ◦ How to run for development
    ▪ Backend https://github.com/eu-digital-identity-wallet/eudi-srv-web-verifier-endpoint-23220-4-kt
      ◦ How to build and run
      ◦ Presentation Flows https://github.com/eu-digital-identity-wallet/eudi-srv-web-verifier-endpoint-23220-4-kt?tab=readme-ov-file#presentation-flows
      ◦ Endpoints
  14. Grant Type
    • Authorization Code Grant (authorization_code)
    • Pre-Authorization Code Grant (urn:ietf:params:oauth:grant-type:pre-authorized_code)
  15. Authorization Code Flow (participants: End-User, Wallet, Credential Issuer, Authorization Server)
    (1a) End-User selects Credential
    (1b) Credential Offer (credential type)
    (2) Obtains Issuer's Credential Issuer metadata
    (3) Authorization Request (type(s) of Credentials to be issued)
    (4) Authorization Response (code)
    (5) Token Request (code) / Token Response (Access Token)
    (5) Credential Request (Access Token, proof(s)) / Credential Response with Credential(s) OR Transaction ID
    Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html
  16. (Authorization Code Flow diagram, same content as slide 15)
  17. (Authorization Code Flow diagram, same content as slide 15)
  18. (1b) Credential Offer (credential type)
    Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1
    'openid-credential-offer://credential_offer?credential_offer={
      "credential_issuer": "https://issuer.eudiw.dev",
      "credential_configuration_ids": ["eu.europa.ec.eudi.pid_jwt_vc_json", "eu.europa.ec.eudi.mdl_jwt_vc_json"%2C "eu.europa.ec.eudi.pid_mdoc"%2C "eu.europa.ec.eudi.mdl_mdoc"],
      "grants": {"authorization_code": {}}
    }'
  19. (Authorization Code Flow diagram, same content as slide 15)
  20. (2) Obtains Issuer's Credential Issuer metadata
    Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-10
    $ curl -X GET https://desired-grouper-reliably.ngrok-free.app/.well-known/openid-credential-issuer | jq
    {
      "batch_credential_endpoint": "https://desired-grouper-reliably.ngrok-free.app/batch_credential",
      "credential_configurations_supported": { . . . },
      "credential_endpoint": "https://desired-grouper-reliably.ngrok-free.app/credential",
      "credential_issuer": "https://desired-grouper-reliably.ngrok-free.app",
      "deferred_credential_endpoint": "https://desired-grouper-reliably.ngrok-free.app/deferred_credential",
      "notification_endpoint": "https://desired-grouper-reliably.ngrok-free.app/notification"
    }
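The wallet-side handling of steps (1b) and (2), as an added example that is not from the deck or the EUDIW reference implementation: it parses an openid-credential-offer:// URI, picks the grant type (slide 14), and cross-checks the offer against the issuer metadata before any token or credential request. The issuer URL, configuration ids and metadata below are constructed samples.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit

PRE_AUTH = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

# Constructed sample offer (shape follows OID4VCI section 4.1; issuer URL is a placeholder).
OFFER_JSON = {
    "credential_issuer": "https://issuer.example",
    "credential_configuration_ids": ["eu.europa.ec.eudi.pid_mdoc", "eu.europa.ec.eudi.mdl_mdoc"],
    "grants": {PRE_AUTH: {"pre-authorized_code": "constructed-code", "tx_code": {"length": 4}}},
}
OFFER_URI = "openid-credential-offer://credential_offer?credential_offer=" + quote(json.dumps(OFFER_JSON), safe="")

# Constructed sample of what /.well-known/openid-credential-issuer would return for that issuer.
METADATA = {
    "credential_issuer": "https://issuer.example",
    "credential_endpoint": "https://issuer.example/credential",
    "credential_configurations_supported": {
        "eu.europa.ec.eudi.pid_mdoc": {"format": "mso_mdoc", "doctype": "eu.europa.ec.eudi.pid.1"},
        "eu.europa.ec.eudi.mdl_mdoc": {"format": "mso_mdoc", "doctype": "org.iso.18013.5.1.mDL"},
    },
}

def parse_credential_offer(uri):
    """Return the offer object carried by value in the URI; reject other schemes and shapes."""
    parts = urlsplit(uri)
    if parts.scheme != "openid-credential-offer":
        raise ValueError("unexpected scheme")
    params = parse_qs(parts.query)  # percent-decodes the JSON for us
    if "credential_offer" not in params:
        raise ValueError("only by-value offers are handled here (credential_offer_uri would be fetched)")
    offer = json.loads(params["credential_offer"][0])
    for key in ("credential_issuer", "credential_configuration_ids"):
        if key not in offer:
            raise ValueError(f"offer lacks {key}")
    return offer

def choose_grant(offer):
    """Prefer the pre-authorized code grant when offered, else the authorization code grant."""
    grants = offer.get("grants") or {"authorization_code": {}}
    return PRE_AUTH if PRE_AUTH in grants else "authorization_code"

def check_offer_against_metadata(offer, metadata):
    """Checks a wallet should make before sending anything to the token or credential endpoint."""
    problems = []
    if offer["credential_issuer"] != metadata.get("credential_issuer"):
        problems.append("credential_issuer mismatch between offer and metadata")
    if not offer["credential_issuer"].startswith("https://"):
        problems.append("credential_issuer is not an https URL")
    supported = metadata.get("credential_configurations_supported", {})
    for cid in offer["credential_configuration_ids"]:
        if cid not in supported:
            problems.append(f"unsupported credential configuration: {cid}")
    return problems
```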
  21. (Authorization Code Flow diagram, same content as slide 15)
  22. (3) Authorization Request (type(s) of Credentials to be issued)
    Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1
    "GET /authorization?redirect_uri=eudi-openid4ci://authorize&response_type=code&scope=org.iso.18013.5.1.mDL%20openid&client_id=wallet-dev&request_uri=urn:uuid:22be7242-602a-4184-9a70-02b1db29df7e HTTP/1.1" 200 -
  23. (Authorization Code Flow diagram, same content as slide 15)
  24. (Authorization Code Flow diagram, same content as slide 15)
  25. (Authorization Code Flow diagram, same content as slide 15)
  26. Pre-Authorized Code Flow (participants: End-User, Wallet, Credential Issuer, Authorization Server)
    (1) End-User provides information required for the issuance of certain Credential (interacts)
    (2) Credential Offer (Pre-Authorized Code)
    (3) Obtains Issuer's Credential Issuer metadata
    (4) Token Request (Pre-Authorized Code, tx_code) / Token Response (access_token)
    (5) Credential Request / Credential Response (Credential(s))
    Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html
  27. (Pre-Authorized Code Flow diagram, same content as slide 26)
  28. (Pre-Authorized Code Flow diagram, same content as slide 26)
  29. Same Device Flow (participants: End-User, Wallet, Verifier)
    End-User interacts; End-User Authentication / Consent
    (1) Authorization Request (Presentation Definition)
    (2) Authorization Response (VP Token with Verifiable Presentation(s))
    Ref) https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-3.1
  30. (Same Device Flow diagram, same content as slide 29)
  31. (Same Device Flow diagram, same content as slide 29)
  32. (1) Authorization Request (Presentation Definition)
    Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1 https://identity.foundation/presentation-exchange/
    {
      "type": "vp_token",
      "presentation_definition": {
        "id": "9833f76e-73c8-47e4-9dcc-81f3c4e9b9ca",
        "input_descriptors": [
          {
            "id": "org.iso.18013.5.1.mDL",
            "name": "Mobile Driving Licence (MDL)",
            "purpose": "",
            "format": { "mso_mdoc": { "alg": [ "ES256", "ES384", "ES512" ] } },
            "constraints": {
              "fields": [ { "path": [ "$['org.iso.18013.5.1']['family_name']" ], "intent_to_retain": false } ]
            }
          }
        ]
      },
      "nonce": "d333b361-0f88-4a5f-8609-b94a2128f185"
    }
  33. (Same Device Flow diagram, same content as slide 29)
  34. (Same Device Flow diagram, same content as slide 29)
  35. (2) Authorization Response (VP Token with Verifiable Presentation(s))
    Ref) https://identity.foundation/presentation-exchange/#presentation-submission https://github.com/eu-digital-identity-wallet/eudi-srv-web-verifier-endpoint-23220-4-kt/tree/main?tab=readme-ov-file#send-wallet-response
    {
      "vp_token": [ "o2d2ZXJzaW9uYzE …" ],
      "presentation_submission": {
        "id": "5FC050D7-6411-4302-93A9-08AFBDA39246",
        "definition_id": "7db603f2-0d15-4415-b6b4-aaf085f1ef13",
        "descriptor_map": [ { "id": "org.iso.18013.5.1.mDL", "format": "mso_mdoc", "path": "$" } ]
      }
    }
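The verifier-side structural check that ties the presentation_submission of step (2) back to the presentation_definition of step (1), as an added example that is not code from the deck or the EUDI verifier endpoint. The definition, submission and vp_token below are constructed samples modelled on slides 32 and 35; the check deliberately stops before the cryptographic steps (issuerAuth/MSO, device signature, nonce in the session transcript), which need an mdoc library.

```python
import re

# Constructed samples (ids made up; vp_token content is a placeholder, not a real DeviceResponse).
PRESENTATION_DEFINITION = {
    "id": "7db603f2-0d15-4415-b6b4-aaf085f1ef13",
    "input_descriptors": [{
        "id": "org.iso.18013.5.1.mDL",
        "format": {"mso_mdoc": {"alg": ["ES256", "ES384", "ES512"]}},
        "constraints": {"fields": [{"path": ["$['org.iso.18013.5.1']['family_name']"], "intent_to_retain": False}]},
    }],
}
PRESENTATION_SUBMISSION = {
    "id": "5FC050D7-6411-4302-93A9-08AFBDA39246",
    "definition_id": "7db603f2-0d15-4415-b6b4-aaf085f1ef13",
    "descriptor_map": [{"id": "org.iso.18013.5.1.mDL", "format": "mso_mdoc", "path": "$"}],
}
VP_TOKEN = ["constructed-base64url-DeviceResponse"]

def resolve_path(vp_token, path):
    """Resolve the descriptor_map path subset used here: '$' or '$[n]'.
    Assumption: like slide 35, a one-element vp_token array may be addressed as '$'."""
    if path == "$":
        return vp_token[0] if isinstance(vp_token, list) and len(vp_token) == 1 else vp_token
    m = re.fullmatch(r"\$\[(\d+)\]", path)
    if m and isinstance(vp_token, list) and int(m.group(1)) < len(vp_token):
        return vp_token[int(m.group(1))]
    raise ValueError(f"unsupported or out-of-range path: {path}")

def validate_submission(definition, submission, vp_token):
    """Structural checks a verifier runs before verifying each presentation cryptographically."""
    problems = []
    if submission.get("definition_id") != definition["id"]:
        problems.append("definition_id does not match the presentation_definition")
    descriptors = {d["id"]: d for d in definition["input_descriptors"]}
    seen = set()
    for entry in submission.get("descriptor_map", []):
        desc = descriptors.get(entry.get("id"))
        if desc is None:
            problems.append(f"unknown input_descriptor id: {entry.get('id')}")
            continue
        if entry.get("format") not in desc.get("format", {}):  # e.g. jwt_vp offered where only mso_mdoc was requested
            problems.append(f"{entry['id']}: format {entry.get('format')} not allowed by definition")
        try:
            resolve_path(vp_token, entry.get("path", ""))
        except ValueError as exc:
            problems.append(f"{entry['id']}: {exc}")
        seen.add(entry["id"])
    for missing in sorted(descriptors.keys() - seen):  # every requested descriptor needs a presentation
        problems.append(f"no presentation supplied for required input_descriptor {missing}")
    return problems
```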
  36. Cross Device Flow (participants: End-User, Verifier (device A), Wallet (device B))
    End-User interacts; End-User Authentication / Consent
    (1) Authorization Request (Request URI)
    (2) Request the Request Object
    (2.5) Respond with the Request Object (Presentation Definition)
    (3) Authorization Response as HTTP POST (VP Token with Verifiable Presentation(s))
    Ref) https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-3.1
  37. Closing
    ▪ We were able to try an end-to-end implementation built on a DIW, and such wallets are actually starting to be deployed
    ▪ Because the implementations follow standard specifications, future interoperability also looks promising
    ▪ Technologies for invoking a DIW through browser APIs (Digital Credentials API) or OS APIs (Verify with Wallet API) have also appeared
    ▪ It seems worth keeping an eye on these, including the technologies they adopt
    Ref) https://developer.apple.com/wallet/get-started-with-verify-with-wallet/ https://developer.chrome.com/blog/digital-credentials-api-origin-trial?hl=ja