Add version and request type to protocol identifier for DC API #381
Conversation
awoie
requested review from
jogu,
tlodderstedt,
timcappalli,
c2bo,
paulbastian,
Sakurann,
leecam and
hlozi
|
Is there any issue with setting the value to |
| @@ -1958,7 +1958,14 @@ And lastly, as part of the request, the Wallet is provided with information abou | |||
|
|
|||
| ## Protocol | |||
|
|
|||
| To use OpenID4VP over the DC API, the value of the exchange protocol used with the Digital Credentials API (DC API), is `openid4vp`. | |||
| To use OpenID4VP with the Digital Credentials API (DC API), the exchange protocol value has the following format: `urn:openid:protocol:oid4vp:<version>:<request-type>`. The `<version>` field adheres to semantic versioning, and `<request-type>` explicitly specifies the type of request. This approach eliminates the need for wallets to perform implicit parameter matching to accurately identify the version and the expected request and response parameters. | |||
There was a problem hiding this comment.
| To use OpenID4VP with the Digital Credentials API (DC API), the exchange protocol value has the following format: `urn:openid:protocol:oid4vp:<version>:<request-type>`. The `<version>` field adheres to semantic versioning, and `<request-type>` explicitly specifies the type of request. This approach eliminates the need for wallets to perform implicit parameter matching to accurately identify the version and the expected request and response parameters. | |
| To use OpenID4VP with the Digital Credentials API (DC API), the exchange protocol value has the following format: `urn:openid:protocol:openid4vp:<version>:<request-type>`. The `<version>` field adheres to semantic versioning, and `<request-type>` explicitly specifies the type of request. This approach eliminates the need for wallets to perform implicit parameter matching to accurately identify the version and the expected request and response parameters. |
There was a problem hiding this comment.
If there are no requirements, I would use the shortest version possible, e.g., urn:openid4vp:1.0:signed, urn:openid4vp:1.0:unsigned. What do you think @c2bo @timcappalli ?
There was a problem hiding this comment.
Fine with dropping "protocol" but I believe keeping the org name is common practice. If length is the concern, maybe just use "oidf"? So it would be urn:oidf:openid4vp:1.0:signed.
@selfissued should weigh in here.
There was a problem hiding this comment.
I am happy with either one.
Adding the oidf seems to be a bit cleaner in terms of namespacing, but I don't think it's likely to encounter a naming clash here, so I guess urn:openid4vp:1.0:signed would be fine as well if we need/want to optimize for size?
There was a problem hiding this comment.
so there is some OIDF precedent. CIBA defines a URN-based grant type that includes both the organization and the type (in this case params): urn:openid:params:grant-type:ciba. There's also urn:openid:params:jwt:claim:auth_req_id and urn:openid:params:jwt:claim:rt_hash.
So if we wanted to be consistent with other OIDF specs, I think we'd want it to be urn:openid:protocol:openid4vp:1.0:signed.
@selfissued @ve7jtb any comments on this?
There was a problem hiding this comment.
Current proposal is:
- Unsigned requests:
urn:openid:protocol:openid4vp:1.0:unsigned - Signed requests:
urn:openid:protocol:openid4vp:1.0:signed
Could you please elaborate this a bit further? I'm not sure if this is related to this PR. |
|
@hlozi I think from the perspective of processing rules in OpenID4VP, if the verifier signed the request, and the wallet cannot validate it, the wallet needs to abort the request. when the request is signed it's not wallet's choice to validate it or not, the wallet muct validate it |
Would agree here, aren't those always "protocols" that do into DC API? |
While I agree it seems unnecessary at face, isn't there value in being consistent with other OIDF URNs? |
| The following exchange protocol values are defined by this specification: | ||
|
|
||
| * Unsigned requests: `urn:openid:protocol:openid4vp:1.0:unsigned` | ||
| * Signed requests: `urn:openid:protocol:openid4vp:1.0:signed` |
There was a problem hiding this comment.
As a thought experiment, what happens when OpenID4VP v1.1 comes along and is compatible with v1.0 but not strictly v1.0?
There was a problem hiding this comment.
IMO, the version identifier does not have to match the OID4VP version. In this regards, we might have to think about if this PR should really set the version to 1.0 already or if we should start with 0.1 first.
There was a problem hiding this comment.
The version in the protocol identifier will need to be mapped back to a specification in the registry, so the version needs to at a minimum be defined somewhere in the spec, if its not going to the be the spec version itself.
There was a problem hiding this comment.
Or, and hear me out, having that level of specificity in the identifier is not a good idea.
There was a problem hiding this comment.
In this thread please comment which option you support ie "+1 to 1 and B" etc.
agreement that there is a need to differentiate major versions (not differentiating minor versions like 1.1, 1.2, etc.).
- version is part of URN, i.e.,
:1.0 - version is part of protocol part, i.e.
:openid4vpand:openid4vp2or something - not a URN, but just
openid4vpandopenid4vp2
no agreement to differentiate signed/unsigned in the URN
A. signed is part of URN, i.e., :signed, :unsigned
B. no indication of signed/unsigned in the URN
There was a problem hiding this comment.
I think the questions are:
- Should version number be in the protocol identifier? (y/n)
- What specificity should the version number be? (major, minor / just major)
- Should the request type (e.g.
signedorunsigned) be included in the protocol identifier (y/n) - What format should the protocol identifier be? ( urn, unstructured string)
There was a problem hiding this comment.
agreement that there is a need to differentiate major versions (not differentiating minor versions like 1.1, 1.2, etc.).
- version is part of URN, i.e.,
:1.0
based on that agreement, bullet 1 should be just :1 or :v1
There was a problem hiding this comment.
Answers to @timcappalli questions
- Yes
- Major
- Yes
- urn
| To use OpenID4VP with the Digital Credentials API (DC API), the exchange protocol value has the following format: `urn:openid:protocol:openid4vp:<version>:<request-type>`. The `<version>` field adheres to semantic versioning, and `<request-type>` explicitly specifies the type of request. This approach eliminates the need for wallets to perform implicit parameter matching to accurately identify the version and the expected request and response parameters. | ||
|
|
||
| The value `1.0` MUST be used for the `<version>` field to indicate the request and response conform to this version of the specification. For `<request-type>`, unsigned requests, as defined in (#unsigned_request), MUST use `unsigned`, and signed requests, as defined in (#signed_request), MUST use `signed`. | ||
|
|
||
| The following exchange protocol values are defined by this specification: | ||
|
|
||
| * Unsigned requests: `urn:openid:protocol:openid4vp:1.0:unsigned` | ||
| * Signed requests: `urn:openid:protocol:openid4vp:1.0:signed` |
There was a problem hiding this comment.
it increasingly seems better long-term not to include both version and signed/unsigned in the protocol identifier:
- no version, because for 1.0, we know there will be backward compatible 1.1, 1.2, etc. and having to maintain those most likely will turn out to be an unnecessary maintenance overhead.
- no signed/unsigned because wallets already need to differentiate signed/unsigned requests and is not worth the complexity of asking the platforms to support both.
| To use OpenID4VP with the Digital Credentials API (DC API), the exchange protocol value has the following format: `urn:openid:protocol:openid4vp:<version>:<request-type>`. The `<version>` field adheres to semantic versioning, and `<request-type>` explicitly specifies the type of request. This approach eliminates the need for wallets to perform implicit parameter matching to accurately identify the version and the expected request and response parameters. | |
| The value `1.0` MUST be used for the `<version>` field to indicate the request and response conform to this version of the specification. For `<request-type>`, unsigned requests, as defined in (#unsigned_request), MUST use `unsigned`, and signed requests, as defined in (#signed_request), MUST use `signed`. | |
| The following exchange protocol values are defined by this specification: | |
| * Unsigned requests: `urn:openid:protocol:openid4vp:1.0:unsigned` | |
| * Signed requests: `urn:openid:protocol:openid4vp:1.0:signed` | |
| To use OpenID4VP over the DC API, the value of the exchange protocol used with the Digital Credentials API (DC API), is `urn:openid:protocol:openid4vp`. |
There was a problem hiding this comment.
Seems much better for a wallet to not even to have to start parsing a request if it knows it cannot support the options being presented, rather than to always have to parse requests it subsequently finds out it cannot support
|
This has been discussed extensively in both groups and consensus was reached. Why the sudden change? |
This PR adds version and request type to the protocol identifier for DC API.
Fixes #326, fixes #363