iddance_lesson4.pdf

Transcript

1. EUDIW Reference Implementation iddance lesson4 @kg0r0

2. Agenda ▪ 関連技術仕様の概要 ▪ EUDIW Reference Implementation ▪ Demo ▪

   Demo のフロー解説 ▪ おわりに

3. Verifiable Credentials Data Model Roles Ref) https://www.w3.org/TR/vc-data-model/

4. Credentials Ref) https://www.w3.org/TR/vc-data-model/

5. Issuing authority infrastructure mDL interfaces (ISO/IEC 18013-5:2021) mDL mDL reader

   Issuing authority mDL holder mDL verifier Server retrieval Device retrieval (*out of scope in ISO/IEC 18013-5:2021)

6. { version: '1.0', documents: [ { docType: 'org.iso.18013.5.1.mDL', issuerSigned: {

   // Returned data elements signed by the issuer nameSpaces: { 'org.iso.18013.5.1': [ . . . ] }, issuerAuth: [ // Contains the mobile security object (MSO) for issuer data authentication . . . ] } } ], status: 0 } mdoc data model family_name namespace give_name doctype (org.iso.18013.5.1mDL) MSO mdoc public key

7. Credential Format / Exchange ▪ Credential Format ◦ W3C Verifiable

   Credentials Data Model ◦ ISO/IEC 18013-5 mdoc <- 今日主に話すやつ (EUDIW, Digital Credentials API, Verify with Wallet API な どでサポート) ◦ IETF SD-JWT VC ◦ etc. ▪ Credential Exchange ◦ OpenID for Verifiable Credential Issuance (OID4VCI) ◦ OpenID for Verifiable Presentations (OID4VP) <- 今日主に話すやつ (EUDIW, Digital Credentials APIなどでサポート) ◦ etc. Ref) https://github.com/decentralized-identity/interoperability/blob/master/assets/interoperability-mapping-exercise-10-12-20.pdf

8. OID4VCI workflow overview Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html https://openid.net/wordpress-content/uploads/2022/06/OIDF-Whitepaper_OpenID-for-Verifiable-Credentials-V2_2022-06-23.pdf ▪ OpenID for Verifiable

   Credential Issuance ▪ Verifiable Credentials を発行する ための OAuth で保護された API ▪ クレデンシャルの形式は限定され ず、W3C Verifiable Credentials Data Mode、ISO mdoc [ISO.18013-5] などをサポート

9. OID4VP workflow overview Ref) https://openid.net/wordpress-content/uploads/2022/06/OIDF-Whitepaper_OpenID-for-Verifiable-Credentials-V2_2022-06-23.pdf https://openid.net/specs/openid-4-verifiable-presentations-1_0.html ▪ OpenID for Verifiable

   Presentations ▪ Verifiable Credentials (VCs) を Verifiable Presentations (VPs) として提示するメカニ ズムを提供する ▪ VCs と VPs の形式限定されず、W3C Verifiable Credentials Data Mode、ISO mdoc [ISO.18013-5] などをサポート

10. DIW (Digital Identity Wallet) ▪ 個人識別データやクレデンシャル、その他 の属性情報の安全な保管、管理、共有を 可能にするアプリケーション ▪ 少ない操作で特定の情報のみを提示する

    ことが可能 ▪ 基本的には物理的な財布のデジタル版の ようなイメージ Ref) https://www.edps.europa.eu/data-protection/technology-monitoring/techsonar/digital-identity-wallet_en

11. EUDIW (EU Digital Identity Wallet) ▪ EUDIW は、欧州市民や企業が公共と民間の双 方でデジタル ID

    を使用して本人確認/属性証明 を行うための便利で安全な方法として設計され た DIW ▪ EU 域内および他の加盟国間での情報交換を促 進することも目的とされている Ref) https://ec.europa.eu/digital-building-blocks/sites/display/EUDIGITALIDENTITYWALLET/EU+Digital+Identity+Wallet+Home https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet-implementation

12. EUDIW Interfaces and protocols ▪ European Digital Identity Wallet Architecture

    and Reference Framework (ARF) ◦ eIDAS 規制を実施するために欧州委員会が策定する技 術仕様、基準、手順を定義 ▪ OpenID4VCI ◦ Wallet Instance <-> Attestation Provider ◦ Wallet Instance <-> PID Provider ▪ OpenID4VP - ISO/IEC 18013-5 ◦ Wallet Instance <-> Relying Party Instance Ref) https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/blob/main/docs/arf.md#421-interfaces-and-protocols

13. Available standardised formats ▪ ISO/IEC 18013-5 mdoc ▪ Selective Disclosure

    for JWTs (SD-JWT) ▪ W3C Verifiable Credentials Data Model v1.1 [W3C VC DM v1.1] ▪ SD-JWT-based Verifiable Credentials (SD-JWT VC) Ref) https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/blob/main/docs/arf.md#52-available-standardised-formats

14. EUDIW Reference Implementation

15. EUDIW Reference Implementation • Issuer https://github.com/eu-digital-identity-wallet/.github/blob/main/profile/reference-im plementation.md#issuing-apps-and-services • Holder https://github.com/eu-digital-identity-wallet/.github/blob/main/profile/reference-im

    plementation.md#wallet-ui-app-and-demo-app-for-android-and-ios • Verifier https://github.com/eu-digital-identity-wallet/.github/blob/main/profile/reference-im plementation.md#verifier-apps-and-services

16. Issuer ▪ Installation https://github.com/eu-digital-identity-wallet/eudi-srv-web-issuing-eudiw-py/blob/main/install.md ◦ How to run the EUDIW

    Issuer? ▪ Configuration https://github.com/eu-digital-identity-wallet/eudi-srv-web-issuing-eudiw-py/blob/main/api_docs/add_cr edential.md ◦ Metadata Configuration ◦ Service Configuration ◦ Configuration of Countries supported by the EUDIW Issuer

17. Issuer

18. Holder ▪ iOS https://github.com/eu-digital-identity-wallet/eudi-app-ios-wallet-ui ◦ Building the Reference apps to

    interact with issuing and verifying services. https://github.com/eu-digital-identity-wallet/eudi-app-ios-wallet-ui/blob/main/wiki/how_to _build.md ▪ Android https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui ◦ Building the Reference apps to interact with issuing and verifying services. https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui/blob/main/wiki/ho w_to_build.md

19. Holder

20. Verifier ▪ Frontend https://github.com/eu-digital-identity-wallet/eudi-web-verifier ◦ How to run for development

    ▪ Backend https://github.com/eu-digital-identity-wallet/eudi-srv-web-verifier-endpoint-23220-4-kt ◦ How to build and run ◦ Presentation Flows https://github.com/eu-digital-identity-wallet/eudi-srv-web-verifier-endpoint-23220-4-kt?tab =readme-ov-file#presentation-flows ◦ Endpoints

21. Verifier

22. Demo

23. Issue credential

24. Grant Type • Authorization Code Grant (authorization_code) • Pre-Authorization Code

    Grant (urn:ietf:params:oauth:gra nt-type:pre-authorized_cod e)

25. (1b) Credential Offer (credential type) (2) Obtains Issuer’s Credential Issuer

    metadata Authorization Server Authorization Code Flow End-User Wallet Credential Issuer (3) Authorization Request (type(s) of Credentials to be issued) (1a) End-User selects Credential (5) Token Request (code) (4) Authorization Response (code) (5) Credential Request (Access Token, proof(s)) Credential Response with Credential(s) OR Transaction ID Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html Token Response (Access Token)

26. (1a) End-User selects Credential (1b) Credential Offer (credential type) (2)

    Obtains Issuer’s Credential Issuer metadata Authorization Server Authorization Code Flow End-User Wallet Credential Issuer (3) Authorization Request (type(s) of Credentials to be issued) (5) Token Request (code) (4) Authorization Response (code) (5) Credential Request (Access Token, proof(s)) Credential Response with Credential(s) OR Transaction ID Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html Token Response (Access Token)

27. (1a) End-User selects Credential

28. (1b) Credential Offer (credential type) (2) Obtains Issuer’s Credential Issuer

    metadata Authorization Server Authorization Code Flow End-User Wallet Credential Issuer (3) Authorization Request (type(s) of Credentials to be issued) (1a) End-User selects Credential (5) Token Request (code) (4) Authorization Response (code) (5) Credential Request (Access Token, proof(s)) Credential Response with Credential(s) OR Transaction ID Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html Token Response (Access Token)

29. (1b) Credential Offer (credential type) Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1 'openid-credential-offer://credential_offer? credential_offer={ "credential_issuer":

    "https://issuer.eudiw.dev", "credential_configuration_ids": ["eu.europa.ec.eudi.pid_jwt_vc_json", "eu.europa.ec.eudi.mdl_jwt_vc_json"%2C "eu.europa.ec.eudi.pid_mdoc"%2C "eu.europa.ec.eudi.mdl_mdoc"], "grants": {"authorization_code": {}} }'

30. (1b) Credential Offer (credential type) (2) Obtains Issuer’s Credential Issuer

    metadata Authorization Server Authorization Code Flow End-User Wallet Credential Issuer (3) Authorization Request (type(s) of Credentials to be issued) (1a) End-User selects Credential (5) Token Request (code) (4) Authorization Response (code) (5) Credential Request (Access Token, proof(s)) Credential Response with Credential(s) OR Transaction ID Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html Token Response (Access Token)

31. $ curl -X GET https://desired-grouper-reliably.ngrok-free.app/.well-known/openid-credential-issuer | jq { "batch_credential_endpoint": "https://desired-grouper-reliably.ngrok-free.app/batch_credential",

    "credential_configurations_supported": { . . . }, "credential_endpoint": "https://desired-grouper-reliably.ngrok-free.app/credential", "credential_issuer": "https://desired-grouper-reliably.ngrok-free.app", "deferred_credential_endpoint": "https://desired-grouper-reliably.ngrok-free.app/deferred_credential", "notification_endpoint": "https://desired-grouper-reliably.ngrok-free.app/notification" } (2) Obtains Issuer’s Credential Issuer metadata Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-10

32. (3) Authorization Request (type(s) of Credentials to be issued) (1b)

    Credential Offer (credential type) (2) Obtains Issuer’s Credential Issuer metadata Authorization Server Authorization Code Flow End-User Wallet Credential Issuer (1a) End-User selects Credential (5) Token Request (code) (4) Authorization Response (code) (5) Credential Request (Access Token, proof(s)) Credential Response with Credential(s) OR Transaction ID Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html Token Response (Access Token)

33. (3) Authorization Request (type(s) of Credentials to be issued) Ref)

    https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1 "GET /authorization? redirect_uri=eudi-openid4ci://authorize& response_type=code& scope=org.iso.18013.5.1.mDL%20openid& client_id=wallet-dev& request_uri=urn:uuid:22be7242-602a-4184-9a70-02b1db29df7e HTTP/1.1" 200 -

34. (1b) Credential Offer (credential type) (2) Obtains Issuer’s Credential Issuer

    metadata Authorization Server Authorization Code Flow End-User Wallet Credential Issuer (3) Authorization Request (type(s) of Credentials to be issued) (1a) End-User selects Credential (5) Token Request (code) (4) Authorization Response (code) (5) Credential Request (Access Token, proof(s)) Credential Response with Credential(s) OR Transaction ID Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html Token Response (Access Token)

35. eudi-openid4ci://authorize? state=Y8SR...& scope=openid& code=Z0FBQUFB...& iss=https%3A%2F%2Fdesired-grouper-reliably.ngrok-free.app& client_id=wallet-dev Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1 (4) Authorization

    Response (code)

36. (1b) Credential Offer (credential type) (2) Obtains Issuer’s Credential Issuer

    metadata Authorization Server Authorization Code Flow End-User Wallet Credential Issuer (3) Authorization Request (type(s) of Credentials to be issued) (1a) End-User selects Credential (5) Token Request (code) (4) Authorization Response (code) (5) Credential Request (Access Token, proof(s)) Credential Response with Credential(s) OR Transaction ID Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html Token Response (Access Token)

37. Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1 (5) Token Request { "redirect_uri":"eudi-openid4ci://authorize", "grant_type":"authorization_code", "client_id":"wallet-dev", "code_verifier":"dd2LstZ1rnUv-AnNzLGrUgnT3b95Y2QD_DC851YVTfp",

    "code":"Z0FBQU…” }

38. { "token_type":"Bearer", "scope":"org.iso.18013.5.1.mDL openid", "access_token":"eyJhbGciO…”, "expires_in":3600, "refresh_token":"Z0FBQ…”, "id_token":"eyJhbGciOiJFU…” } Ref)

    https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1 (5) Token Response

39. (1b) Credential Offer (credential type) (2) Obtains Issuer’s Credential Issuer

    metadata Authorization Server Authorization Code Flow End-User Wallet Credential Issuer (3) Authorization Request (type(s) of Credentials to be issued) (1a) End-User selects Credential (5) Token Request (code) (4) Authorization Response (code) (5) Credential Request (Access Token, proof(s)) Credential Response with Credential(s) OR Transaction ID Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html Token Response (Access Token)

40. Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-7.2 (5) Credential Request { "doctype":"org.iso.18013.5.1.mDL", "format":"mso_mdoc", "proof":{ "jwt":"eyJ0eXA…”,

    "proof_type":"jwt" } }

41. Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-7.2 (5) Credential Response { "credential":"omppc3N1ZXJ…”, "c_nonce":"b0A6-0bD12D7xljyaeaxmA", "c_nonce_expires_in":86400, "notification_id":"p1OKLtR5y18YJXuHtKL9Ng"

    }

42. Success!

43. (2) Credential Offer (Pre-Authorized Code) Authorization Server Pre-Authorized Code Flow

    End-User Wallet Credential Issuer (1) End-User provides information required for the issuance of certain Credential (3) Obtains Issuer’s Credential Issuer metadata interacts (4) Token Request (Pre-Authorized Code, tx_code) Token Response (access_token) (5) Credential Request Credential Response (Credential(s)) Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html

44. (2) Credential Offer (Pre-Authorized Code) Authorization Server Pre-Authorized Code Flow

    End-User Wallet Credential Issuer (1) End-User provides information required for the issuance of certain Credential (3) Obtains Issuer’s Credential Issuer metadata interacts (4) Token Request (Pre-Authorized Code, tx_code) Token Response (access_token) (5) Credential Request Credential Response (Credential(s)) Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html

45. (1) End-User provides information required for the issuance of certain

    Credential

46. (2) Credential Offer (Pre-Authorized Code) Authorization Server Pre-Authorized Code Flow

    End-User Wallet Credential Issuer (1) End-User provides information required for the issuance of certain Credential (3) Obtains Issuer’s Credential Issuer metadata interacts (4) Token Request (Pre-Authorized Code, tx_code) Token Response (access_token) (5) Credential Request Credential Response (Credential(s)) Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html

47. (4) Token Request (Pre-Authorized Code, tx_code)

48. (4) Token Request (Pre-Authorized Code, tx_code)

49. Success!

50. { "grant_type":"urn:ietf:params:oauth:grant-type:pre-authorized_code", "client_id":"wallet-dev", "tx_code":"97273", "pre-authorized_code":"93e26dfc-5d47-41c3-920c-84d1a7a6911b" } Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1 Pre-Authorized Token

    Request Payload

51. Verify credential

52. Flow • Same Device Flow • Cross Device Flow

53. (1) Authorization Request (Presentation Definition) (2) Authorization Response (VP Token

    with Verifiable Presentation(s)) Wallet Same Device Flow End-User Verifier Ref) https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-3.1 Interacts End-User Authentication / Consent

54. (1) Authorization Request (Presentation Definition) (2) Authorization Response (VP Token

    with Verifiable Presentation(s)) Wallet Same Device Flow End-User Verifier Ref) https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-3.1 Interacts End-User Authentication / Consent

55. Interacts

56. (1) Authorization Request (Presentation Definition) (2) Authorization Response (VP Token

    with Verifiable Presentation(s)) Wallet Same Device Flow End-User Verifier Ref) https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-3.1 Interacts End-User Authentication / Consent

57. Ref) https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1 https://identity.foundation/presentation-exchange/ Authorization Request (Presentation Definition) { "type": "vp_token",

    "presentation_definition": { "id": "9833f76e-73c8-47e4-9dcc-81f3c4e9b9ca", "input_descriptors": [ { "id": "org.iso.18013.5.1.mDL", "name": "Mobile Driving Licence (MDL)", "purpose": "", "format": { "mso_mdoc": {"alg": [ "ES256", "ES384", "ES512" ]}}, "constraints": { "fields": [{"path": ["$['org.iso.18013.5.1']['family_name']"], "intent_to_retain": false}]} } ] }, "nonce": "d333b361-0f88-4a5f-8609-b94a2128f185" }

58. (1) Authorization Request (Presentation Definition) (2) Authorization Response (VP Token

    with Verifiable Presentation(s)) Wallet Same Device Flow End-User Verifier Ref) https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-3.1 Interacts End-User Authentication / Consent

59. End-User Authentication / Consent

60. End-User Authentication / Consent

61. (2) Authorization Response (VP Token with Verifiable Presentation(s)) (1) Authorization

    Request (Presentation Definition) Wallet Same Device Flow End-User Verifier Ref) https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-3.1 Interacts End-User Authentication / Consent

62. Ref) https://identity.foundation/presentation-exchange/#presentation-submission https://github.com/eu-digital-identity-wallet/eudi-srv-web-verifier-endpoint-23220-4-kt/tree/main?tab=readme-ov-file#send-wallet-response { "vp_token": [ "o2d2ZXJzaW9uYzE …" ], "presentation_submission":

    { "id": "5FC050D7-6411-4302-93A9-08AFBDA39246", "definition_id": "7db603f2-0d15-4415-b6b4-aaf085f1ef13", "descriptor_map": [ { "id": "org.iso.18013.5.1.mDL", "format": "mso_mdoc", "path": "$" } ] } } (2) Authorization Response (VP Token with Verifiable Presentation(s))

63. Success!

64. (2) Request the Request Object (2.5) Respond with the Request

    Object (Presentation Definition) Cross Device Flow End-User Ref) https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-3.1 Interacts End-User Authentication / Consent Verifier (device A) Wallet (device B) (1) Authorization Request (Request URI) (3) Authorization Response as HTTP POST (VP Token with Verifiable Presentation(s))

65. Cross Device Flow

66. おわりに Ref) https://developer.apple.com/wallet/get-started-with-verify-with-wallet/ https://developer.chrome.com/blog/digital-credentials-api-origin-trial?hl=ja ▪ DIW を使った一連の実装を試すことができ、実際に導 入されつつある状況 ▪ 標準的な仕様に沿って実装されており将来的な相互

    運用性にも期待 ▪ Browser API 経由 (Digital Credentials API) や OS の API 経由 (Verify with Wallet API) で DIW を呼び 出す技術も登場 ▪ それらに採用されている技術も含めてウォッチしていく のが良さそう

67. References • https://github.com/eu-digital-identity-wallet/.github/blob/main/profile/refe rence-implementation.md • https://www.iso.org/standard/69084.html • https://www.iso.org/standard/82772.html • https://openid.net/openid-foundation-publishes-openid-for-verifiable-crede

    ntials-whitepaper/ • https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html • https://openid.net/specs/openid-4-verifiable-presentations-1_0.html