# EHIC use case - interoperability working group
### Participants
- Validated ID
- Fraunhofer
- SICPA
## Relevant links
* eIDAS interop use case: https://gitlab.grnet.gr/essif-lab/interoperability/eidas-generic-use-case
* VC http API swagger specs: https://w3c-ccg.github.io/vc-http-api/
* SICPA API https://essif.adaptivespace.io/api
* SICPA websites https://essif.adaptivespace.io
* EHIC vocab: https://gitlab.grnet.gr/essif-lab/interoperability/eidas-generic-use-case/-/tree/master/ehic-vocab
## Summary
Technical interoperability around a proposed generic use case that outlines the issuance, presentation, and verification of verifiable credentials with different levels of assurance in an eIDAS-compliant way. To do this, we envision combining:
- Interoperable issuance and verification services
- A web-based wallet for the holder
- The eIDAS bridge, to enhance the legal certainty of the issued verifiable credential by incorporating the Issuer's advanced or qualified electronic signature (if the Issuer is a natural person) or seal (if the Issuer is a legal person).
- TRAIN (Trust Management Infrastructure), to allow for a flexible definition, consideration, and verification of Trust Scheme compliance (in our case LoA).

## Context
* Train : https://gitlab.grnet.gr/essif-lab/infrastructure/fraunhofer/train_project_summary
* SSI eIDAS Bridge : https://gitlab.grnet.gr/essif-lab/infrastructure/validated-id/seb_project_summary
* SICPA bridge : https://gitlab.grnet.gr/essif-lab/infrastructure/sicpa/bridge_project_summary
## Scope
We want to use the following emerging specifications for interoperability:
- Use the Verifiable Credential HTTP open API https://w3c-ccg.github.io/vc-http-api/ as a base for the Issuance and Verification services.
- Credential Handler API (https://w3c-ccg.github.io/credential-handler-api/) or DID-SIOP (https://identity.foundation/did-siop/) to have a generic way to integrate Identity Wallets into Issuance and Verification applications.
- Decentralized Identifiers (https://www.w3.org/TR/did-core/)
- Verifiable Credentials Data model (https://www.w3.org/TR/vc-data-model/)
- JavaScript Object Notation for Linked Data (https://www.w3.org/TR/vc-data-model/#json-ld) and Linked Data proofs (https://w3c-ccg.github.io/ld-proofs/)
- OIDC and SIOP?
## TRAIN trust scheme membership integration
:::danger
Options A and B are already discarded
:::
- **A)** Add the issuer `trust scheme membership hostname` as a claim of the credential schema, or define an extended trust scheme membership vocabulary.
- **B)** Add the `trust scheme membership hostname` as an extra service endpoint in the public DID document of the issuer.
- **C)** Include the DID of the issuer as part of the Trust List during enrollment.
### Option C
A potential solution to create a link between `issued credential - issuer - trust scheme membership` is to include the DID of the issuer as part of the Trust List during enrollment. It is important to take into account that the public DIDs anchored by Issuers should change very rarely; otherwise the process of updating Issuer DIDs in Trust Lists could become cumbersome.
### TRAIN API for Verification Service
* enables access to the TRAIN Infrastructure to verify the trust in the issuance service
* extracted Hostname (Train Info) of the issuance service is sent to TRAIN by a GET REST API request
* the format of the GET request is shown as follows:
  `GET https://essif.iao.fraunhofer.de/atv/api/v1/scheme/{issuer_name}/{DID_Value}`
  * `issuer_name` = [string], e.g.: `issuanceservice1.essiflab-demo.example`
  * `DID_Value` = [string], e.g.: `123456789abcdefghi`
* TRAIN performs the trust verification and gives back the result to the Verifier:
  ```
  200 OK
  {
    "verificationResult": "$string$",
    "result": $integer$,
    "claimed scheme": "$string$",
    ...
  }
  ```
  ```
  404 NOT FOUND { ... }
  ```
* Information flow, step by step:
  1. Verification Service extracts the issuer name
  2. Verification Service passes the issuer name to TRAIN
     --> TRAIN provides the verification results with the details of the trust scheme membership claim
  3. Verification Service passes the trust scheme membership claim to TRAIN
     --> TRAIN provides the DID_Value stored in the trust list
  4. TRAIN compares the DID_Value from the trust list with the DID_Value stored in the credential
     --> Binding between the issuer_name and DID_Value is authenticated
  5. TRAIN passes back the verification result
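The verifier-side half of this flow, as an added example that is not code from the working group, TRAIN or any participant: it builds the GET request from the request format above, treats both path parameters as untrusted input taken from a credential, and fails closed on anything other than a `200` with an accepted scheme. The notes give `result` as an integer without stating its values, so the example assumes `1` means the binding was authenticated; `acceptedSchemes`, the synchronous injected transport and the trust-list contents are assumptions made so the example runs offline.

```typescript
// Added example: verifier-side TRAIN trust check modelled on the GET request and
// response shape in the notes. Not code from the working group or TRAIN.
const TRAIN_SCHEME_BASE = "https://essif.iao.fraunhofer.de/atv/api/v1/scheme";

export interface TrainReply {
  status: number; // 200 or 404 per the notes
  body?: { verificationResult?: string; result?: number; "claimed scheme"?: string };
}

// Synchronous transport so the example runs offline; a real deployment wraps fetch().
export type TrainTransport = (url: string) => TrainReply;

export interface TrustDecision { trusted: boolean; reason: string; claimedScheme?: string }

const HOSTNAME_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// Build `.../scheme/{issuer_name}/{DID_Value}`. Both values come from a credential the
// verifier has not yet decided to trust, so they are validated and percent-encoded so
// that neither can add path segments or query parameters to the request.
export function trainSchemeUrl(issuerName: string, didValue: string): string {
  if (!HOSTNAME_RE.test(issuerName)) throw new Error("issuer_name is not a hostname");
  if (didValue.length === 0 || /[\/?#]/.test(didValue)) throw new Error("invalid DID_Value");
  return TRAIN_SCHEME_BASE + "/" + encodeURIComponent(issuerName) + "/" + encodeURIComponent(didValue);
}

// Pull the issuer DID out of a VC; `issuer` may be a string or an object with `id`.
export function issuerDid(vc: { issuer: string | { id: string } }): string {
  return typeof vc.issuer === "string" ? vc.issuer : vc.issuer.id;
}

// The DID_Value in the notes is the method-specific identifier (e.g. 123456789abcdefghi),
// so strip the `did:<method>:` prefix. Assumption: TRAIN keys its trust list that way.
export function didValueOf(did: string): string {
  const parts = did.split(":");
  if (parts.length < 3 || parts[0] !== "did") throw new Error("not a DID: " + did);
  return parts.slice(2).join(":");
}

// Decide trust. ASSUMPTION: result === 1 means "binding authenticated"; anything else,
// a 404, or a scheme outside the verifier's policy (acceptedSchemes) is rejected.
export function checkIssuerTrust(
  issuerName: string, didValue: string, acceptedSchemes: string[], transport: TrainTransport,
): TrustDecision {
  const reply = transport(trainSchemeUrl(issuerName, didValue));
  if (reply.status === 404) return { trusted: false, reason: "issuer/DID not in trust list" };
  if (reply.status !== 200 || !reply.body) return { trusted: false, reason: "unexpected status " + reply.status };
  const scheme = reply.body["claimed scheme"];
  if (reply.body.result !== 1) return { trusted: false, reason: "TRAIN result " + reply.body.result, claimedScheme: scheme };
  if (!scheme || acceptedSchemes.indexOf(scheme) < 0) return { trusted: false, reason: "scheme not accepted by policy", claimedScheme: scheme };
  return { trusted: true, reason: reply.body.verificationResult || "ok", claimedScheme: scheme };
}

// Constructed stand-in for TRAIN: a two-entry trust list keyed by issuer_name|DID_Value.
const DEMO_TRUST_LIST: Record<string, string> = {
  "issuanceservice1.essiflab-demo.example|123456789abcdefghi": "eidas-loa-high.example",
  "issuanceservice2.essiflab-demo.example|zzzzzzzzzzzzzzzz": "eidas-loa-low.example",
};

export const demoTransport: TrainTransport = (url) => {
  const segs = url.slice(TRAIN_SCHEME_BASE.length + 1).split("/").map(decodeURIComponent);
  const scheme = DEMO_TRUST_LIST[segs[0] + "|" + segs[1]];
  if (!scheme) return { status: 404 };
  return { status: 200, body: { verificationResult: "DID bound to issuer in trust list", result: 1, "claimed scheme": scheme } };
};
```

The scheme check is the part a practitioner most easily forgets: TRAIN answering `200` only says the issuer is enrolled in *some* scheme, and the verifier's policy (which LoA it requires for this credential type) has to be applied on top of that answer.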
## OIDC integration
* Assumptions
  * We'll use VIDwallet
  * SICPA will create a front end where the QR will be shown for the wallet to authenticate against
  * The RP will have a front end and a back end where the Wallet will post the authentication response
  * There are 2 flows, issuance and presentation. We can start with the presentation.
* SIOP links
  * https://identity.foundation/did-siop/
  * v2 OIDF spec: https://bitbucket.org/openid/connect/src/master/openid-connect-self-issued-v2-1_0.md
  * https://github.com/WebOfTrustInfo/rwot8-barcelona/blob/master/draft-documents/did-auth-oidc.md
  * Validated ID DID SIOP lib: https://www.npmjs.com/package/@validatedid/did-auth
* Components:
  * OIDC-SIOP library: Validated ID has an implementation in TypeScript.
    * Repo: https://github.com/validatedid/did-auth-oidc-siop
    * Npm published library: https://www.npmjs.com/package/@validatedid/did-auth
    * Tasks:
      * extend support for other DID methods, e.g. `did:key`
      * add support for the OIDC Credential Request flow for both the RP and the OIDP
        * Draft specs to follow: https://mattrglobal.github.io/oidc-client-bound-assertions-spec/
  * Wallet app:
    * Using the Validated ID VIDwallet app.
    * Tasks:
      * Integrate the OIDC-Credential-Issuer library and flow
      * Add support for `did:key`
  * Credential Issuer Entity:
    * To be developed.
    * Integrate the OIDC-Credential-Issuer library and flow
### Presentation Flow using SIOP
(note the VIDchain API will be used by the VIDwallet only)

* Presentation with SIOP integration example
  * On the VIDchain repo there is an example of how to use the did-auth lib
    * [QR generation](https://)
    * [call to lib to generate Authentication Request](https://github.com/validatedid/VIDchain-demo-v2/blob/bf4e47a47eabd7ed389a287272adb83c2ed24922/implementations/vidchain-airline/vidchain-airline-backend/src/auth/auth.service.ts#L41)
  * did-auth lib repo + doc, [using Web2App flow](https://github.com/validatedid/did-auth-oidc-siop#desktop-web-2-app-authentication-flow-with-vidcredentials-api)
### Credential Issuer Flow Using Credential request flow directly between app and RP (SIOP)

* Steps for Issuing a Credential (TBD)
  * [Issue a Credential Flow]
    * User clicks a button on the Entity Web to start the process; the Entity displays a QR, and the user scans the QR code with her wallet app.
    * User sends an OIDC Credential Request directly to the Entity (acting as an "OIDP").
    * Entity initiates an OIDC-SIOP Authentication Request to the user (Wallet) via OIDP and SIOP, displaying a QR with the Request.
    * Wallet validates the Request and returns an Authentication Response.
    * Entity validates the Response; after the authentication process it has the user's DID.
    * Entity generates a Verifiable Credential and sends it to the user via an OIDC Credential Response, displaying a QR.
    * User reads the QR and stores the VC.
### Step 1, user scans QR
The QR embeds a deeplink with the URL (`client_id`) to which the application needs to send its response, plus a request JWT:
```
vidchain://did-auth?openid://?
response_type=id_token
client_id=https://essif.adaptivespace.io/api/oidc/didauthresponse/32b2b1c0-3c67-451c-8ec2-fef3e55934a8
scope=openid did_authn
state=9c30823f10cb41cd868a1093
nonce=BI6SS4BW-YlduYbTkkc2XUlfJz9jPiviAcAKHOUWp3s
request=[JWT]
client_name=Ministry of Social Security and Inclusion
```
JWT body embedded in the did-auth request. The requested VC type is specified in `claims`:
```
{
"iat": 1623918709,
"exp": 1623919009,
"iss": "did:key:z6MkecF8knCM4SXhMp6xku3xFi4EkuvFv3MUQCe1xUg1XgcB",
"scope": "openid did_authn",
"registration": {
"jwks": {
"kid": "#z6MkecF8knCM4SXhMp6xku3xFi4EkuvFv3MUQCe1xUg1XgcB",
"kty": "EC",
"crv": "secp256k1",
"x": "UaMybNU7e0yoJaOs-oUhdQ1ITZo8EU69Fx7aRdaY7vk",
"y": "rH6VcezbWPFswHjG2edK5r2_C6bL3GIbpCW18Y16PU4"
}
},
"client_id": "https://essif.adaptivespace.io/api/oidc/didauthresponse/32b2b1c0-3c67-451c-8ec2-fef3e55934a8",
"nonce": "BI6SS4BW-YlduYbTkkc2XUlfJz9jPiviAcAKHOUWp3s",
"state": "9c30823f10cb41cd868a1093",
"response_type": "id_token",
"response_mode": "form_post",
"response_context": "wallet",
"claims": {
"vc": {
"VerifiableIdCredential": {
"essential": true
}
}
}
}
```
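The checks a wallet should run on the deeplink and the request body before answering, as an added example (not code from the notes, VIDwallet or the did-auth library). JWT signature verification is assumed to be done by the SIOP library before this runs; the example shows the binding checks that come after it: the unsigned QR parameters must agree with the signed body, the request must be inside its `iat`/`exp` window, and for `did:key` the `kid` of the embedded JWK must name the same key as `iss`. The 600-second maximum lifetime is a policy assumption, and the sample deeplink is the QR from the notes rewritten with `&` separators and URL-encoded values.

```typescript
// Added example: wallet-side validation of the did-auth deeplink and request body.
export interface AuthRequestBody {
  iat: number; exp: number; iss: string; scope: string;
  registration?: { jwks?: { kid?: string } };
  client_id: string; nonce: string; state: string; response_type: string;
  claims?: { vc?: Record<string, { essential?: boolean }> };
}

// Split `vidchain://did-auth?openid://?<query>` into its query parameters.
export function parseDidAuthDeepLink(link: string): Record<string, string> {
  const marker = "openid://?";
  const at = link.indexOf(marker);
  if (link.indexOf("vidchain://did-auth?") !== 0 || at < 0) throw new Error("not a did-auth deeplink");
  const out: Record<string, string> = {};
  new URLSearchParams(link.slice(at + marker.length)).forEach((v, k) => { out[k] = v; });
  return out;
}

export interface RequestCheck { ok: boolean; errors: string[]; requestedTypes: string[] }

export function validateAuthRequest(qr: Record<string, string>, body: AuthRequestBody, now: number): RequestCheck {
  const errors: string[] = [];
  if (qr.response_type !== "id_token" || body.response_type !== "id_token") errors.push("response_type must be id_token");
  if ((body.scope || "").split(" ").indexOf("did_authn") < 0) errors.push("scope lacks did_authn");
  // The signed body is authoritative; the QR parameters must agree with it, otherwise a
  // swapped QR could send the response (and the credential in it) to a different URL.
  const bound: Array<"client_id" | "nonce" | "state"> = ["client_id", "nonce", "state"];
  for (const k of bound) if (qr[k] !== body[k]) errors.push(k + " differs between QR and JWT");
  if (!/^https:\/\//.test(body.client_id)) errors.push("client_id must be an https URL");
  if (!(body.iat <= now && now < body.exp)) errors.push("request outside iat/exp window");
  if (body.exp - body.iat > 600) errors.push("request lifetime too long"); // policy assumption
  if (body.iss.indexOf("did:") !== 0) errors.push("iss is not a DID");
  // For did:key the embedded JWK's kid fragment must be the key identifier in iss.
  const kid = body.registration && body.registration.jwks ? body.registration.jwks.kid : undefined;
  if (body.iss.indexOf("did:key:") === 0 && kid !== "#" + body.iss.slice("did:key:".length)) errors.push("jwks.kid does not match iss");
  const vc = (body.claims && body.claims.vc) || {};
  const requestedTypes = Object.keys(vc).filter((t) => vc[t].essential === true);
  if (requestedTypes.length === 0) errors.push("no essential VC type requested");
  return { ok: errors.length === 0, errors, requestedTypes };
}

// Constructed sample: the QR from the notes with '&' separators and URL-encoded values.
export const SAMPLE_QR = "vidchain://did-auth?openid://?response_type=id_token"
  + "&client_id=https://essif.adaptivespace.io/api/oidc/didauthresponse/32b2b1c0-3c67-451c-8ec2-fef3e55934a8"
  + "&scope=openid%20did_authn&state=9c30823f10cb41cd868a1093"
  + "&nonce=BI6SS4BW-YlduYbTkkc2XUlfJz9jPiviAcAKHOUWp3s&request=%5BJWT%5D"
  + "&client_name=Ministry%20of%20Social%20Security%20and%20Inclusion";

// The JWT body from the notes (signature assumed already verified).
export const SAMPLE_REQUEST: AuthRequestBody = {
  iat: 1623918709, exp: 1623919009,
  iss: "did:key:z6MkecF8knCM4SXhMp6xku3xFi4EkuvFv3MUQCe1xUg1XgcB",
  scope: "openid did_authn",
  registration: { jwks: { kid: "#z6MkecF8knCM4SXhMp6xku3xFi4EkuvFv3MUQCe1xUg1XgcB" } },
  client_id: "https://essif.adaptivespace.io/api/oidc/didauthresponse/32b2b1c0-3c67-451c-8ec2-fef3e55934a8",
  nonce: "BI6SS4BW-YlduYbTkkc2XUlfJz9jPiviAcAKHOUWp3s",
  state: "9c30823f10cb41cd868a1093",
  response_type: "id_token",
  claims: { vc: { VerifiableIdCredential: { essential: true } } },
};
```

Run `validateAuthRequest(parseDidAuthDeepLink(SAMPLE_QR), SAMPLE_REQUEST, Math.floor(Date.now() / 1000))` in the wallet before building the `id_token`; the returned `requestedTypes` is what the wallet uses to pick the credential to present.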
The wallet verifies the JWT request and responds with a Verifiable Credential embedded in the response:
```
{
"iat": 1623917809,
"iss": "https://self-issued.me",
"sub": "jKMGDUriyIftAZ_B0lq2uOPUhgLGVKtZMW5ovl_XHM0",
"nonce": "MIyX49zB30QWfu_O1UaCEkMFpbFCFbh0zuR4UDkSMo4",
"aud": "https://essif.adaptivespace.io/api/oidc/didauthresponse/fd459490-66f3-4b6d-9dd1-3a8de36f3eb8",
"sub_jwk": {
"kty": "EC",
"crv": "secp256k1",
"x": "e083416a6e83f254fb73262735052a6495e9880180f33e189e553e071d36b11f",
"y": "190a0c1075f80e1a255e1aa94f8450a9c4b73f286e6c7ec1cb2b9e733237d9c3",
"kid": "njfLsbqSJJH3HdYSBcYmEPiwVJRrhmjDHFB5dd1NsbA="
},
"did": "did:vid:0x8A2724b56Af74BCE926eED55ECc62528523cdd7D",
"vp": {
"@context": [
"https://www.w3.org/2018/credentials/v1"
],
"type": "VerifiablePresentation",
"verifiableCredential": [
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://api.vidchain.net/credentials/vid-google/v1"
],
"id": "https://api.vidchain.net/api/v1/schemas/2393",
"type": [
"VerifiableCredential",
"VerifiableIdCredential",
"VidGoogleCredential"
],
"issuer": "did:vid:0xC2CFd7346A1aC535687f1354257B7950c39267cC",
"issuanceDate": "2021-06-16T15:07:27.000Z",
"credentialSubject": {
"id": "did:vid:0x8A2724b56Af74BCE926eED55ECc62528523cdd7D",
"name": "Victor",
"lastName": "Martinez",
"email": "victormartinezjurado@gmail.com",
"image": "https://lh3.googleusercontent.com/a-/AOh14Gg9NdzjTSG-mIhV4zHg4BbHDz-uxFLxglapN1lZ3dc=s240-c"
},
"proof": {
"type": "EcdsaSecp256k1Signature2019",
"created": "2021-06-16T15:07:27.000Z",
"proofPurpose": "assertionMethod",
"verificationMethod": "did:vid:0xC2CFd7346A1aC535687f1354257B7950c39267cC#keys-1",
"jws": "eyJhbGciOiJFUzI1NksiLCJ0eXAiOiJKV1QiLCJraWQiOiJkaWQ6dmlkOjB4QzJDRmQ3MzQ2QTFhQzUzNTY4N2YxMzU0MjU3Qjc5NTBjMzkyNjdjQyNrZXlzLTEifQ.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.J0B2dTA0907IPwFbxdZg8Sj9NfcvbDLDNHpYyjgzwG7I29cZMwFLaTJ_Y4BFn6OaAQutPLwixMONmhdhlzSNdA"
}
}
],
"proof": {
"type": "EcdsaSecp256k1Signature2019",
"created": "2021-06-17T08:16:49.000Z",
"proofPurpose": "assertionMethod",
"verificationMethod": "did:vid:0x8A2724b56Af74BCE926eED55ECc62528523cdd7D#key-1",
"jws": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NkstUiJ9.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.eY3g2Z162-_gc1pGdq8r5ZRAeBvMKZN3L-LsAMdDbCjqoToBEleljuawkvR224LwjV8BWMDSAGToJbR5MdPPWAE"
}
}
}
```
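What the relying party should check on this response once the SIOP library has verified the JWT and the linked-data proofs, as an added example that is not code from the notes or any participant. Signature verification is assumed done elsewhere; the example covers the bindings a valid signature alone does not give you: `aud` and `nonce` tie the token to this RP's request, the VP must be signed by the authenticated DID, every presented VC must be issued to that DID and signed with a key of its own issuer, and the requested type must actually be present. It returns the issuer DIDs that still have to go through the trust-scheme (TRAIN) check. The sample payload is the one above with the `jws` values replaced by placeholders and the personal details replaced by constructed ones; `maxAgeSeconds` is a policy assumption.

```typescript
// Added example: relying-party checks on the SIOP id_token payload and embedded VP.
export interface VerifiableCredential {
  type: string[];
  issuer: string | { id: string };
  issuanceDate: string;
  expirationDate?: string;
  credentialSubject: { id?: string; [k: string]: unknown };
  proof: { type: string; proofPurpose: string; verificationMethod: string; jws: string };
}

export interface SiopResponse {
  iat: number; iss: string; sub: string; nonce: string; aud: string; did: string;
  vp: { type: string; verifiableCredential: VerifiableCredential[]; proof: { verificationMethod: string } };
}

export interface Expectation { clientId: string; nonce: string; requestedTypes: string[]; maxAgeSeconds: number }
export interface ResponseCheck { ok: boolean; errors: string[]; issuersToCheck: string[] }

// DID part of a verificationMethod id, i.e. everything before the '#' fragment.
const didOf = (vm: string): string => vm.split("#")[0];

export function validateSiopResponse(resp: SiopResponse, want: Expectation, now: number): ResponseCheck {
  const errors: string[] = [];
  const issuers: Record<string, true> = {};
  const presented: string[] = [];
  if (resp.iss !== "https://self-issued.me") errors.push("iss must be https://self-issued.me");
  if (resp.aud !== want.clientId) errors.push("aud is not this RP's client_id");
  if (resp.nonce !== want.nonce) errors.push("nonce does not match the request");
  if (!(resp.iat <= now && now - resp.iat <= want.maxAgeSeconds)) errors.push("id_token too old or from the future");
  if (resp.vp.type !== "VerifiablePresentation") errors.push("vp.type is not VerifiablePresentation");
  // Holder binding: the key that signed the VP belongs to the DID the token claims...
  if (didOf(resp.vp.proof.verificationMethod) !== resp.did) errors.push("VP not signed by the authenticated DID");
  for (const vc of resp.vp.verifiableCredential) {
    const issuer = typeof vc.issuer === "string" ? vc.issuer : vc.issuer.id;
    // ...and every presented VC was issued to that same DID, otherwise a credential
    // issued to someone else would be accepted on the strength of the holder's login.
    if (vc.credentialSubject.id !== resp.did) errors.push("VC subject is not the authenticated holder");
    if (vc.type.indexOf("VerifiableCredential") < 0) errors.push("VC lacks the base type");
    if (didOf(vc.proof.verificationMethod) !== issuer) errors.push("VC proof key does not belong to its issuer");
    if (vc.proof.proofPurpose !== "assertionMethod") errors.push("VC proofPurpose is not assertionMethod");
    if (vc.expirationDate && Date.parse(vc.expirationDate) / 1000 <= now) errors.push("VC expired");
    issuers[issuer] = true;
    presented.push(...vc.type);
  }
  for (const t of want.requestedTypes) if (presented.indexOf(t) < 0) errors.push("requested type " + t + " not presented");
  return { ok: errors.length === 0, errors, issuersToCheck: Object.keys(issuers) };
}

// Constructed sample: the response above with placeholder signatures and constructed subject data.
export const SAMPLE_RESPONSE: SiopResponse = {
  iat: 1623917809,
  iss: "https://self-issued.me",
  sub: "jKMGDUriyIftAZ_B0lq2uOPUhgLGVKtZMW5ovl_XHM0",
  nonce: "MIyX49zB30QWfu_O1UaCEkMFpbFCFbh0zuR4UDkSMo4",
  aud: "https://essif.adaptivespace.io/api/oidc/didauthresponse/fd459490-66f3-4b6d-9dd1-3a8de36f3eb8",
  did: "did:vid:0x8A2724b56Af74BCE926eED55ECc62528523cdd7D",
  vp: {
    type: "VerifiablePresentation",
    verifiableCredential: [{
      type: ["VerifiableCredential", "VerifiableIdCredential", "VidGoogleCredential"],
      issuer: "did:vid:0xC2CFd7346A1aC535687f1354257B7950c39267cC",
      issuanceDate: "2021-06-16T15:07:27.000Z",
      credentialSubject: { id: "did:vid:0x8A2724b56Af74BCE926eED55ECc62528523cdd7D", name: "Holder", lastName: "Example", email: "holder@example.com" },
      proof: { type: "EcdsaSecp256k1Signature2019", proofPurpose: "assertionMethod",
               verificationMethod: "did:vid:0xC2CFd7346A1aC535687f1354257B7950c39267cC#keys-1", jws: "<jws-placeholder>" },
    }],
    proof: { verificationMethod: "did:vid:0x8A2724b56Af74BCE926eED55ECc62528523cdd7D#key-1" },
  },
};

export const SAMPLE_EXPECTATION: Expectation = {
  clientId: SAMPLE_RESPONSE.aud, nonce: SAMPLE_RESPONSE.nonce, requestedTypes: ["VerifiableIdCredential"], maxAgeSeconds: 300,
};
```

`issuersToCheck` is deliberately separate from `ok`: a structurally valid presentation from a holder says nothing about whether its issuer is enrolled in the required LoA scheme, so those DIDs are the input to the TRAIN lookup, not the end of verification.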
## Credential Vocabulary
https://gitlab.grnet.gr/essif-lab/interoperability/eidas-generic-use-case/-/tree/master/ehic-vocab