From f38822e21acbd2530de6d31803476d7ed1dc1899 Mon Sep 17 00:00:00 2001 From: Marco Basili Date: Mon, 30 Sep 2024 17:00:06 +0200 Subject: [PATCH 1/6] feat: Added credential_status_detail in the status assertion --- docs/en/pid-eaa-entity-configuration.rst | 5 +++++ docs/en/revocation-lists.rst | 9 +++++++++ examples/ec-eaa.json | 14 ++++++++++++++ 3 files changed, 28 insertions(+) diff --git a/docs/en/pid-eaa-entity-configuration.rst b/docs/en/pid-eaa-entity-configuration.rst index f15444ce..94d4631b 100644 --- a/docs/en/pid-eaa-entity-configuration.rst +++ b/docs/en/pid-eaa-entity-configuration.rst @@ -118,7 +118,12 @@ The *openid_credential_issuer* metadata MUST contain the following claims. - **name**: String value of a display name for the claim. - **locale**: String value that identifies the language of this object represented as a language tag taken from values defined in *BCP47* :rfc:`5646`. There MUST be only one object for each language identifier. + * - **credential_status_detail_supported** + - JSON object that outlines the details of each validity status supported by the PID/(Q)EAA Provider related to the credentials issued. It contains ``Display`` array containing a list of states with the corresponding descriptions and language identifiers. The parameter that MUST be included are: + - **state**: String value of a credential status supported. + - **description**: String containing the description of the status related to this object. + - **locale**: String value that identifies the language of this object represented as a language tag taken from values defined in *BCP47* :rfc:`5646`. There MUST be only one object for each language identifier. * - **jwks** - JSON Web Key Set document, passed by value, containing the protocol specific keys for the Credential Issuer. See `OID-FED`_ Section 5.2.1 and `JWK`_. diff --git a/docs/en/revocation-lists.rst b/docs/en/revocation-lists.rst index 81cdfb5e..ab34253c 100644 --- a/docs/en/revocation-lists.rst 
+++ b/docs/en/revocation-lists.rst @@ -267,6 +267,9 @@ Below a non-normative example of a Revocation Assertion object in JWT format, wi "credential_hash": $CREDENTIAL-HASH, "credential_hash_alg": "sha-256", "credential_status_validity": false, + "credential_status_detail": { + "state": "invalid" + }, "cnf": { "jwk": { "kty": "EC", @@ -648,6 +651,9 @@ When the JWT format is used, the Revocation Assertion MUST contain the following * - **credential_status_validity** - Boolean value indicating the absolute validity of the Credential linked to the Status Assertion. It MUST be set with the value `false`. - `OAUTH-STATUS-ASSERTION`_. + * - **credential_status_detail** + - Object containing detailed information about the real status of the credential. IT MUST contains ``state`` claim that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. + - `OAUTH-STATUS-ASSERTION`_. Status Assertion 
@@ -699,6 +705,9 @@ When the JWT format is used, the Status Assertion MUST contain the following cla * - **credential_status_validity** - Boolean value indicating the absolute validity of the Credential linked to the Status Assertion. It is REQUIRED and it MUST be set with the value "false" or "true". - `OAUTH-STATUS-ASSERTION`_. + * - **credential_status_detail** + - REQUIRED if **credential_status_validity** is set to `false`. Object containing detailed information about the real status of the credential. IT MUST contains ``state`` claim that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. + - `OAUTH-STATUS-ASSERTION`_. * - **cnf** - JSON object containing confirmation methods. The sub-member contained within `cnf` member, such as `jwk` for JWT, MUST match with the one provided within the related Digital Credential. Other confirmation methods can be utilized when the referenced Digital Credential supports them, in accordance with the relevant standards. - `[RFC7800, Section 3.1] `_ and `[RFC8747, Section 3.1] `_. diff --git a/examples/ec-eaa.json b/examples/ec-eaa.json index babaf54a..e202b683 100644 --- a/examples/ec-eaa.json +++ b/examples/ec-eaa.json @@ -457,6 +457,20 @@ } } }, + "credential_status_detail_supported": { + "display": [ + { + "state": "Invalida", + "description": "La credenziale non è più utilizzabile in quanto è stata revocata. Questo stato è irreversibile", + "locale": "it-IT" + }, + { + "state": "Invalid", + "description": "The Credential is no longer usable as it has been revoked. This state is irreversible", + "locale": "en-US" + } + ] + }, "jwks": { "keys": [ { From 434c7aa7b8233614bb8f004534a972a496ce34e1 Mon Sep 17 00:00:00 2001 From: Marco Basili Date: Tue, 1 Oct 2024 12:20:20 +0200 Subject: [PATCH 2/6] feat: added description claim in the credential_status_detail --- docs/en/revocation-lists.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/docs/en/revocation-lists.rst b/docs/en/revocation-lists.rst index ab34253c..5c857ef8 100644 --- a/docs/en/revocation-lists.rst +++ b/docs/en/revocation-lists.rst @@ -268,7 +268,8 @@ Below a non-normative example of a Revocation Assertion object in JWT format, wi "credential_hash_alg": "sha-256", "credential_status_validity": false, "credential_status_detail": { - "state": "invalid" + "state": "invalid", + "description": "The Credential is no longer usable as it has been revoked. This state is irreversible" }, "cnf": { "jwk": { @@ -652,7 +653,7 @@ When the JWT format is used, the Revocation Assertion MUST contain the following - Boolean value indicating the absolute validity of the Credential linked to the Status Assertion. It MUST be set with the value `false`. - `OAUTH-STATUS-ASSERTION`_. * - **credential_status_detail** - - Object containing detailed information about the real status of the credential. IT MUST contains ``state`` claim that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. + - Object containing detailed information about the real status of the credential. IT MUST contains ``state`` and related ``description`` claims that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. - `OAUTH-STATUS-ASSERTION`_. 
@@ -706,7 +707,7 @@ When the JWT format is used, the Status Assertion MUST contain the following cla - Boolean value indicating the absolute validity of the Credential linked to the Status Assertion. It is REQUIRED and it MUST be set with the value "false" or "true". - `OAUTH-STATUS-ASSERTION`_. * - **credential_status_detail** - - REQUIRED if **credential_status_validity** is set to `false`. Object containing detailed information about the real status of the credential. IT MUST contains ``state`` claim that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. + - REQUIRED if **credential_status_validity** is set to `false`. Object containing detailed information about the real status of the credential. IT MUST contains ``state`` and related ``description`` claims that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. - `OAUTH-STATUS-ASSERTION`_. * - **cnf** - JSON object containing confirmation methods. The sub-member contained within `cnf` member, such as `jwk` for JWT, MUST match with the one provided within the related Digital Credential. Other confirmation methods can be utilized when the referenced Digital Credential supports them, in accordance with the relevant standards. From 3bbf6ac8c08a2eda02651e77c47bf6df17700654 Mon Sep 17 00:00:00 2001 From: m-basili Date: Tue, 1 Oct 2024 17:06:22 +0200 Subject: [PATCH 3/6] Apply suggestions from code review Co-authored-by: Giuseppe De Marco --- docs/en/pid-eaa-entity-configuration.rst | 2 +- docs/en/revocation-lists.rst | 4 ++-- examples/ec-eaa.json | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/en/pid-eaa-entity-configuration.rst b/docs/en/pid-eaa-entity-configuration.rst index 94d4631b..eb0f3558 100644 --- a/docs/en/pid-eaa-entity-configuration.rst +++ b/docs/en/pid-eaa-entity-configuration.rst 
@@ -121,7 +121,7 @@ The *openid_credential_issuer* metadata MUST contain the following claims. * - **credential_status_detail_supported** - JSON object that outlines the details of each validity status supported by the PID/(Q)EAA Provider related to the credentials issued. It contains ``Display`` array containing a list of states with the corresponding descriptions and language identifiers. The parameter that MUST be included are: - - **state**: String value of a credential status supported. + - **state**: String value of a Credential status supported. - **description**: String containing the description of the status related to this object. - **locale**: String value that identifies the language of this object represented as a language tag taken from values defined in *BCP47* :rfc:`5646`. There MUST be only one object for each language identifier. * - **jwks** diff --git a/docs/en/revocation-lists.rst b/docs/en/revocation-lists.rst index 5c857ef8..eb39f30d 100644 --- a/docs/en/revocation-lists.rst +++ b/docs/en/revocation-lists.rst @@ -653,7 +653,7 @@ When the JWT format is used, the Revocation Assertion MUST contain the following - Boolean value indicating the absolute validity of the Credential linked to the Status Assertion. It MUST be set with the value `false`. - `OAUTH-STATUS-ASSERTION`_. * - **credential_status_detail** - - Object containing detailed information about the real status of the credential. IT MUST contains ``state`` and related ``description`` claims that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. + - Object containing detailed information about the real status of the Credential. It MUST contains ``state`` and related ``description`` claims that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. - `OAUTH-STATUS-ASSERTION`_. 
@@ -707,7 +707,7 @@ When the JWT format is used, the Status Assertion MUST contain the following cla - Boolean value indicating the absolute validity of the Credential linked to the Status Assertion. It is REQUIRED and it MUST be set with the value "false" or "true". - `OAUTH-STATUS-ASSERTION`_. * - **credential_status_detail** - - REQUIRED if **credential_status_validity** is set to `false`. Object containing detailed information about the real status of the credential. IT MUST contains ``state`` and related ``description`` claims that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. + - REQUIRED if **credential_status_validity** is set to `false`. Object containing detailed information about the real status of the Credential. IT MUST contains ``state`` and related ``description`` claims that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. - `OAUTH-STATUS-ASSERTION`_. * - **cnf** - JSON object containing confirmation methods. The sub-member contained within `cnf` member, such as `jwk` for JWT, MUST match with the one provided within the related Digital Credential. Other confirmation methods can be utilized when the referenced Digital Credential supports them, in accordance with the relevant standards. diff --git a/examples/ec-eaa.json b/examples/ec-eaa.json index e202b683..b81380be 100644 --- a/examples/ec-eaa.json +++ b/examples/ec-eaa.json @@ -461,7 +461,7 @@ "display": [ { "state": "Invalida", - "description": "La credenziale non è più utilizzabile in quanto è stata revocata. Questo stato è irreversibile", + "description": "La Credenziale non è più utilizzabile in quanto è stata revocata. Questo stato è irreversibile", "locale": "it-IT" }, { From 471d65f76a196445cb3446b353193911532f627e Mon Sep 17 00:00:00 2001 
From: m-basili Date: Tue, 1 Oct 2024 17:07:46 +0200 Subject: [PATCH 4/6] Update docs/en/pid-eaa-entity-configuration.rst Co-authored-by: Giuseppe De Marco --- docs/en/pid-eaa-entity-configuration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/pid-eaa-entity-configuration.rst b/docs/en/pid-eaa-entity-configuration.rst index eb0f3558..db261702 100644 --- a/docs/en/pid-eaa-entity-configuration.rst +++ b/docs/en/pid-eaa-entity-configuration.rst @@ -119,7 +119,7 @@ The *openid_credential_issuer* metadata MUST contain the following claims. - **name**: String value of a display name for the claim. - **locale**: String value that identifies the language of this object represented as a language tag taken from values defined in *BCP47* :rfc:`5646`. There MUST be only one object for each language identifier. * - **credential_status_detail_supported** - - JSON object that outlines the details of each validity status supported by the PID/(Q)EAA Provider related to the credentials issued. It contains ``Display`` array containing a list of states with the corresponding descriptions and language identifiers. The parameter that MUST be included are: + - JSON object that outlines the details of each validity status supported by the PID/(Q)EAA Provider related to the Credentials issued. It contains ``Display`` array containing a list of states with the corresponding descriptions and language identifiers. The parameter that MUST be included are: - **state**: String value of a Credential status supported. - **description**: String containing the description of the status related to this object. From 41ef9790f36f389a8cef06a54148ac55f9d507be Mon Sep 17 00:00:00 2001 From: m-basili Date: Wed, 2 Oct 2024 11:16:48 +0200 Subject: [PATCH 5/6] Apply suggestions from code review Co-authored-by: Giuseppe De Marco --- docs/en/revocation-lists.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/en/revocation-lists.rst b/docs/en/revocation-lists.rst index eb39f30d..92193d16 100644 --- a/docs/en/revocation-lists.rst +++ b/docs/en/revocation-lists.rst @@ -653,7 +653,7 @@ When the JWT format is used, the Revocation Assertion MUST contain the following - Boolean value indicating the absolute validity of the Credential linked to the Status Assertion. It MUST be set with the value `false`. - `OAUTH-STATUS-ASSERTION`_. * - **credential_status_detail** - - Object containing detailed information about the real status of the Credential. It MUST contains ``state`` and related ``description`` claims that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. + - Object containing detailed information about the real status of the Credential. It MUST contains ``state`` and related ``description`` parameters that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer metadata. - `OAUTH-STATUS-ASSERTION`_. 
@@ -707,7 +707,7 @@ When the JWT format is used, the Status Assertion MUST contain the following cla - Boolean value indicating the absolute validity of the Credential linked to the Status Assertion. It is REQUIRED and it MUST be set with the value "false" or "true". - `OAUTH-STATUS-ASSERTION`_. * - **credential_status_detail** - - REQUIRED if **credential_status_validity** is set to `false`. Object containing detailed information about the real status of the Credential. IT MUST contains ``state`` and related ``description`` claims that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer Metadata. + - REQUIRED if **credential_status_validity** is set to `false`. Object containing detailed information about the real status of the Credential. IT MUST contains ``state`` and related ``description`` parameters that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer metadata. - `OAUTH-STATUS-ASSERTION`_. * - **cnf** - JSON object containing confirmation methods. The sub-member contained within `cnf` member, such as `jwk` for JWT, MUST match with the one provided within the related Digital Credential. Other confirmation methods can be utilized when the referenced Digital Credential supports them, in accordance with the relevant standards. From f7596368231a20a35ae0b1d9343ea405f5de85fe Mon Sep 17 00:00:00 2001 From: Marco Basili Date: Thu, 10 Oct 2024 13:53:30 +0200 Subject: [PATCH 6/6] feat: update credential_status_validity e credential_status_detail --- docs/en/pid-eaa-entity-configuration.rst | 6 ------ docs/en/revocation-lists.rst | 20 +++++++++++++------- examples/ec-eaa.json | 14 -------------- 3 files changed, 13 insertions(+), 27 deletions(-) diff --git a/docs/en/pid-eaa-entity-configuration.rst b/docs/en/pid-eaa-entity-configuration.rst index db261702..9d9e7e0e 100644 --- a/docs/en/pid-eaa-entity-configuration.rst 
+++ b/docs/en/pid-eaa-entity-configuration.rst @@ -118,12 +118,6 @@ The *openid_credential_issuer* metadata MUST contain the following claims. - **name**: String value of a display name for the claim. - **locale**: String value that identifies the language of this object represented as a language tag taken from values defined in *BCP47* :rfc:`5646`. There MUST be only one object for each language identifier. - * - **credential_status_detail_supported** - - JSON object that outlines the details of each validity status supported by the PID/(Q)EAA Provider related to the Credentials issued. It contains ``Display`` array containing a list of states with the corresponding descriptions and language identifiers. The parameter that MUST be included are: - - - **state**: String value of a Credential status supported. - - **description**: String containing the description of the status related to this object. - - **locale**: String value that identifies the language of this object represented as a language tag taken from values defined in *BCP47* :rfc:`5646`. There MUST be only one object for each language identifier. * - **jwks** - JSON Web Key Set document, passed by value, containing the protocol specific keys for the Credential Issuer. See `OID-FED`_ Section 5.2.1 and `JWK`_. diff --git a/docs/en/revocation-lists.rst b/docs/en/revocation-lists.rst index 92193d16..e43cc210 100644 --- a/docs/en/revocation-lists.rst +++ b/docs/en/revocation-lists.rst 
@@ -250,7 +250,7 @@ The ``revocation_assertion_responses`` object MUST contain the following mandato - the Revocation Assertions and or the Revocation Assertion Errors related to the request made by the Wallet Instance. - `OAUTH-STATUS-ASSERTION`_. -The Revocation Assertion object MUST contain the parameter ``credential_status_validity`` with the value set to ``false``. +The Revocation Assertion object MUST contain the parameter ``credential_status_validity`` with the value set to ``1``. Below a non-normative example of a Revocation Assertion object in JWT format, with the headers and payload represented in JSON and without applying the signature. .. code:: @@ -266,7 +266,7 @@ Below a non-normative example of a Revocation Assertion object in JWT format, wi "jti": "6f204f7e-e453-4dfd-814e-9d155319408c" "credential_hash": $CREDENTIAL-HASH, "credential_hash_alg": "sha-256", - "credential_status_validity": false, + "credential_status_validity": 1, "credential_status_detail": { "state": "invalid", "description": "The Credential is no longer usable as it has been revoked. This state is irreversible" @@ -411,7 +411,7 @@ A non-normative example of Credential Proof of Possession is provided :ref:`in t "exp": 1504785536, "credential_hash": $CREDENTIAL-HASH, "credential_hash_alg": "sha-256", - "credential_status_validity": true, + "credential_status_validity": 0, "cnf": { "jwk": {...} } 
@@ -650,10 +650,13 @@ When the JWT format is used, the Revocation Assertion MUST contain the following - Unique identifier for the JWT. - :rfc:`7519#section-4.1.7`. * - **credential_status_validity** - - Boolean value indicating the absolute validity of the Credential linked to the Status Assertion. It MUST be set with the value `false`. + - Numerical value indicating the validity of the Credential linked to the Status Assertion describing its state, mode, condition or stage. It MUST be set with `1` (INVALID status). - `OAUTH-STATUS-ASSERTION`_. * - **credential_status_detail** - - Object containing detailed information about the real status of the Credential. It MUST contains ``state`` and related ``description`` parameters that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer metadata. + - Object containing detailed information about the real status of the Credential. IT MUST contains: + + - **state**: String value of the Credential status, + - **description**: String containing the description of the Credential status. - `OAUTH-STATUS-ASSERTION`_. 
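Review bot: With `credential_status_detail_supported` removed from the Issuer metadata in this same patch, `state` and `description` inside `credential_status_detail` become free-form Issuer-chosen strings with no vocabulary a consumer can validate against, so the new row should say what a consumer may do with them. Proposed wording for the row: `Informative only: the validity of the Credential is determined solely by credential_status_validity; state and description are human-readable text that a Wallet Instance MAY display and MUST treat as untrusted content (e.g. escaped before rendering).` If `state` is meant to be matched by software rather than read by a person, define a closed, case-sensitive set here (the example at line 266 uses lower-case `invalid`) instead of leaving it to each Issuer. Minor: `IT MUST contains` → `It MUST contain`.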
@@ -704,10 +707,13 @@ When the JWT format is used, the Status Assertion MUST contain the following cla - The Algorithm used for hashing the Credential to which the Status Assertion is bound. The value SHOULD be set to ``S256``. - `OAUTH-STATUS-ASSERTION`_. * - **credential_status_validity** - - Boolean value indicating the absolute validity of the Credential linked to the Status Assertion. It is REQUIRED and it MUST be set with the value "false" or "true". + - Numerical value indicating the validity of the Credential linked to the Status Assertion describing its state, mode, condition or stage. It MUST be set with values from 0 to 2 with the following meaning: 0-VALID, 1-INVALID, 2-SUSPENDED. - `OAUTH-STATUS-ASSERTION`_. * - **credential_status_detail** - - REQUIRED if **credential_status_validity** is set to `false`. Object containing detailed information about the real status of the Credential. IT MUST contains ``state`` and related ``description`` parameters that MUST be set with one of the values defined in the *credential_status_detail_supported* mapped in the Credential Issuer metadata. + - REQUIRED if **credential_status_validity** is not set to `0`. Object containing detailed information about the real status of the Credential. IT MUST contains: + + - **state**: String value of the Credential status, + - **description**: String containing the description of the Credential status. - `OAUTH-STATUS-ASSERTION`_. * - **cnf** - JSON object containing confirmation methods. The sub-member contained within `cnf` member, such as `jwk` for JWT, MUST match with the one provided within the related Digital Credential. Other confirmation methods can be utilized when the referenced Digital Credential supports them, in accordance with the relevant standards. diff --git a/examples/ec-eaa.json b/examples/ec-eaa.json index b81380be..babaf54a 100644 --- a/examples/ec-eaa.json +++ b/examples/ec-eaa.json 
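Review bot: Changing `credential_status_validity` from a boolean to an integer inverts the truthiness of a value verifiers already check: under the old definition `true` meant VALID, under the new one the only falsy value (`0`) means VALID while `1`/`2` mean INVALID/SUSPENDED, so any Wallet or Relying Party that coerces the claim to a boolean (`if (assertion.credential_status_validity)`) will now accept revoked and suspended Credentials. The row should state the verifier-side rule explicitly and fail closed: `A consumer MUST consider the Credential valid only if credential_status_validity is the integer 0; any other value, including values not listed here, MUST be treated as not valid.` It would also help to say the claim is a JSON integer (not a numeric string or a float) so that `"0"` or `0.0` are rejected rather than compared loosely, and that `credential_status_detail` is informative and MUST NOT drive the validity decision. The reference column still points to `OAUTH-STATUS-ASSERTION`_; if the 0/1/2 encoding is a choice of this profile rather than what that draft defines, that should be said in the row so implementers do not look for it there.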
@@ -457,20 +457,6 @@
 }
 }
 },
- "credential_status_detail_supported": {
- "display": [
- {
- "state": "Invalida",
- "description": "La Credenziale non è più utilizzabile in quanto è stata revocata. Questo stato è irreversibile",
- "locale": "it-IT"
- },
- {
- "state": "Invalid",
- "description": "The Credential is no longer usable as it has been revoked. This state is irreversible",
- "locale": "en-US"
- }
- ]
- },
 "jwks": {
 "keys": [
 {