refactor HAIP and add details for mdoc profile of OID4VP over the Browser API

openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.md

@@ -1,13 +1,13 @@
 %%%
-title = "OpenID4VC High Assurance Interoperability Profile with SD-JWT VC - draft 01"
-abbrev = "openid4vc-high-assurance-interoperability-profile-sd-jwt-vc"
+title = "OpenID4VC High Assurance Interoperability Profile - draft 01"
+abbrev = "openid4vc-high-assurance-interoperability-profile"
 ipr = "none"
 workgroup = "Digital Credentials Protocols"
-keyword = ["security", "openid4vc", "sd-jwt", "sd-jwt-vc"]
+keyword = ["security", "openid4vc", "sd-jwt", "sd-jwt-vc", "mdoc"]
 
 [seriesInfo]
 name = "Internet-Draft"
-value = "openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0-01"
+value = "openid4vc-high-assurance-interoperability-profile-1_0-01"
 status = "standard"
 
 [[author]]
@@ -30,7 +30,7 @@ organization="sprind.org"
 
 .# Abstract
 
-This document defines a profile of OpenID for Verifiable Credentials in combination with the credential format SD-JWT VC. The aim is to select features and to define a set of requirements for the existing specifications to enable interoperability among Issuers, Wallets and Verifiers of Credentials where a high level of security and privacy is required. The profiled specifications include OpenID for Verifiable Credential Issuance [@!OIDF.OID4VCI], OpenID for Verifiable Presentations [@!OIDF.OID4VP], Self-Issued OpenID Provider v2 [@!OIDF.SIOPv2], and SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc].
+This document defines a profile of OpenID for Verifiable Credentials in combination with the credential format SD-JWT VC and mdoc. The aim is to select features and to define a set of requirements for the existing specifications to enable interoperability among Issuers, Wallets and Verifiers of Credentials where a high level of security and privacy is required. The profiled specifications include OpenID for Verifiable Credential Issuance [@!OIDF.OID4VCI], OpenID for Verifiable Presentations [@!OIDF.OID4VP], Self-Issued OpenID Provider v2 [@!OIDF.SIOPv2], IETF SD-JWT VC [@!I-D.ietf-oauth-sd-jwt-vc], and ISO mdoc [@!ISO.18013-5].
 
 {mainmatter}
 
@@ -40,7 +40,7 @@ This document defines a set of requirements for the existing specifications to e
 
 This document is not a specification, but a profile. It refers to the specifications required for implementations to interoperate among each other and for the optionalities mentioned in the referenced specifications, defines the set of features to be mandatory to implement.
 
-The profile uses OpenID for Verifiable Credential Issuance [@!OIDF.OID4VCI] and OpenID for Verifiable Presentations [@!OIDF.OID4VP] as the base protocols for issuance and presentation of Credentials, respectively. The credential format used is SD-JWT VC as specified in [@!I-D.ietf-oauth-sd-jwt-vc]. Additionally, considerations are given on how deployments can perform a combined issuance of credentials in both SD-JWT VC and ISO mdoc [@ISO.18013-5] formats.
+The profile uses OpenID for Verifiable Credential Issuance [@!OIDF.OID4VCI] and OpenID for Verifiable Presentations [@!OIDF.OID4VP] as the base protocols for issuance and presentation of Credentials, respectively. The credential format used is SD-JWT VC as specified in [@!I-D.ietf-oauth-sd-jwt-vc] and ISO mdoc [@!ISO.18013-5]. Additionally, considerations are given on how deployments can perform a combined issuance of credentials in both SD-JWT VC and ISO mdoc [@ISO.18013-5] formats.
 
 A full list of the open standards used in this profile can be found in Overview of the Open Standards Requirements (reference).
 
@@ -56,17 +56,22 @@ This specification uses the terms "Holder", "Issuer", "Verifier", and "Verifiabl
 
 The following aspects are in scope of this interoperability profile:
 
-* Protocol for issuance of the Verifiable Credentials (can be both remote and in-person) (OID4VCI)
-* Protocol for online presentation of Verifiable Credentials (can be both remote and in-person) (OID4VP)
+* Profile of OID4VCI to issue IETF SD-JWT VCs (can be both remote and in-person), including
+  * Wallet Attestation
+* Profile of OID4VP to present IETF SD-JWT VCs
+* Profile of OID4VP over the W3C Digital Credentials API [@w3c.digital_credentials_api] to present 
+  * IETF SD-JWT VCs 
+  * ISO mdocs
 * Protocol for User Authentication by the Wallet at a Verifier (SIOP v2)
-* Wallet Attestation (during Credential issuance)
-* Credential Format (SD-JWT VC)
-* Status Management of the Credentials, including revocation
-* Cryptographic Holder Binding
-* Issuer key resolution
-* Issuer identification (as prerequisite for trust management)
+* Profile of IETF SD-JWT VC that includes the following aspects
+  * Status Management of the Credentials, including revocation
+  * Cryptographic Holder Binding
+  * Issuer key resolution
+  * Issuer identification (as prerequisite for trust management)
 * Crypto Suites
 
+Note that when OID4VP is used, the Wallet and the Verifier can either be remote or in-person.
+
 Assumptions made are the following:
 
 * The issuers and verifiers cannot pre-discover wallet’s capability
@@ -79,6 +84,9 @@ The following items are out of scope for the current version of this document, b
 
 * Trust Management, i.e. authorization of an issuer to issue certain types of credentials, authorization of the Wallet to be issued certain types of credentials, authorization of  the Verifier to receive certain types of credentials.
 * Protocol for presentation of Verifiable Credentials for offline use-cases, e.g. over BLE.
+* Profile of OID4VCI to issue ISO mdocs is defined in [@!ISO.23220-3].
+* Profile of OID4VP without using W3C Digital Credentials API to present ISO mdocs is 
+defined in [@!ISO.18013-7]. For more details, also see Annex B.3 in [@!OIDF.OID4VP].
 
 ## Scenarios/Business Requirements
 
@@ -88,14 +96,14 @@ The following items are out of scope for the current version of this document, b
 
 ## Standards Requirements
 
-Unless explicitly stated, all normative requirements apply to all participating entities: Issuers, Wallets and Verifiers.
+This specification enable interoperable implementation of the following four flows:
+
+* Issuance of IETF SD-JWT VC using OpenID4VCI
+* Presentation of IETF SD-JWT VC using OpenID4VP
+* Presentation of IETF SD-JWT VC using OpenID4VP over W3C Digital Credentials API
+* Presentation of ISO mdocs using OpenID4VP over W3C Digital Credentials API
 
-| (as defined in this profile) | Issuer | Wallet | Verifier |
-|:--- |:--- |:--- |:--- |
-|OID4VP| N/A |MUST|MUST|
-|OID4VCI| MUST|MUST|N/A|
-|SIOPv2|N/A|MUST|SHOULD|
-|SD-JWT VC profile as defined in (#sd-jwt-vc) |MUST|MUST|MUST|
+Implementations of this specification do not have to implement all of the four flows, but they MUST be compliant to all of the requirements for a particular flow they chose to implement.
 
 # OpenID for Verifiable Credential Issuance
 
@@ -198,7 +206,7 @@ This is an example of a Wallet Instance Attestation:
 
 * The Credential Issuer MUST publish a mapping of every Credential Type it supports to a scope value.
 
-# OpenID for Verifiable Presentations
+# OpenID for Verifiable Presentations without using W3C Digital Credentials API
 
    * MUST support protocol extensions for SD-JWT VC credential format profile as defined in this specification (#vc_sd_jwt_profile).
    * As a way to invoke the Wallet, at least a custom URL scheme `haip://` MUST be supported. Implementations MAY support other ways to invoke the wallets as agreed by trust frameworks/ecosystems/jurisdictions, not limited to using other custom URL schemes.
@@ -215,6 +223,57 @@ This is an example of a Wallet Instance Attestation:
     * In the `input-descriptors` object, `id`, `name`, `purpose`, `group`, `format`, and `constraints` properties MUST be supported. In the `constraints` object, `limit_disclosure`, and `fields` properties MUST be supported. In the `fields` object, `path` and `filter` properties MUST be supported. A `path` MUST contain exactly one entry with a static path to a certain claim. A `filter` MUST only contain `type` elements of value `string` and `const` elements.
     * In the `submission_requirements` object, `name`, `rule (`pick` only)`, `count`, `from` properties MUST be supported.
 
+# OpenID for Verifiable Presentations over W3C Digital Credentials API
+
+* MUST support Annex A in [@!OIDF.OID4VP] that defines how to use OID4VP over the W3C Digital Credentials API.
+  * Annex A.3.1. in [@!OIDF.OID4VP] MUST NOT be used. OID4VP requests over the W3C Digital Credentials API MUST be signed.
+* Wallet Invocation is done via the W3C Digital Credentials API or an equivalent platform API. Custom URL schemes MUST NOT be used.
+* Response Mode MUST be `w3c_dc_api.jwt`. Encryption of the response is mandatory.
+* MUST support Transaction Data defined in Sections 5.4 and 7.4 of [@!OIDF.OID4VP].
+* The DQCL query and response as defined in Section 6 of [@!OIDF.OID4VP] MUST be used. Presentation Exchange as defined in Sections 5.4 and 5.5 of [@!OIDF.OID4VP] MUST NOT be used. Below is the list of features in the DQCL query and response that MUST be supported:
+  * tbd
+
+## ISO mdoc specific requirements for OpenID for Verifiable Presentations over W3C Digital Credentials API
+
+  * The Credential format identifier MUST be `mso_mdoc`.
+  * mdoc Credential Format specific DCQL parameters as defined in Section 6.4.2. of [@!OIDF.OID4VP] MUST be used.
+  * Verifier MAY request more than one credential in the same request.
+  * DeviceResponse in the VP Token MUST contain only one mdoc. Therefore, when multiple mdocs are being returned, each mdoc should be returned in a separate DeviceResponse, each matching to a respective DCQL query.
+  * Response encryption MUST be done as defined in Section B.4.3.3.2 in [@!ISO.18013-7].
+
+### Session Transcript
+
+The SessionTranscript as defined in [@ISO.18013-5] shall be used with the following changes:
+
+* DeviceEngagementBytes MUST be null.
+* EReaderKeyBytes MUST ne null
+
+The Handover element is defined as following:
+
+```
+Handover = OID4VPDCAPIHandover
+OID4VPDCAPIHandover = [
+  "OID4VPDCAPIHandover"
+  clientId
+  origin
+  nonce
+]
+
+clientId = tstr
+origin = tstr
+nonce = tstr
+```
+
+* `clientId` and `nonce` parameters in the Handover MUST be the `client_id` and `nonce` parameters included in the Request from the Verifier.
+* `origin` in the Handover is the origin of the Verifer, obtained from the Web-platform and/or app platform.
+
+## IETF SD-JWT VC specific requirements for OpenID for Verifiable Presentations over W3C Digital Credentials API
+
+  * The Credential format identifier MUST be `dc+sd-jwt`.
+  * IETF SD-JWT VC Credential Format specific DCQL parameters as defined in Section 6.4.1. of [@!OIDF.OID4VP] MUST be used.
+  * When Key Binding JWT is used, `aud` value in it MUST be the origin of the Verifer, obtained from the Web-platform and/or app platform, and not `client_id` received in the Request.
+
+
 # Self-Issued OP v2
 
 To authenticate the user, subject identifier in a Self-Issued ID Token MUST be used as defined in [@!OIDF.SIOPv2].
@@ -384,6 +443,28 @@ Note: When using this profile with other cryptosuites, it is recommended to be e
         </front>
 </reference>
 
+<reference anchor="ISO.18013-7" target="https://www.iso.org/standard/82772.html">
+        <front>
+          <title>ISO/IEC DTS 18013-7 Personal identification — ISO-compliant driving license — Part 7: Mobile driving license (mDL) add-on functions</title>
+          <author>
+            <organization> ISO/IEC JTC 1/SC 17 Cards and security devices for personal identification</organization>
+          </author>
+          <date year="2024"/>
+        </front>
+</reference>
+
+<reference anchor="w3c.digital_credentials_api" target="https://wicg.github.io/digital-credentials/">
+        <front>
+          <title>Digital Credentials API</title>
+		  <author fullname="Marcos Caceres">
+            <organization>Apple Inc.</organization>
+          </author>
+          <author fullname="Sam Goto">
+            <organization>Google</organization>
+          </author>
+        </front>
+</reference>
+
 <reference anchor="VC-DATA" target="https://www.w3.org/TR/vc-data-model-2.0/">
         <front>
         <title>Verifiable Credentials Data Model v2.0</title>