slides: https://cvs.data.kit.edu/talks/2404-gn-di-cred-flow/
SD-JWT
- JWT for Selective Disclosure. https://www.ietf.org/archive/id/draft-fett-oauth-selective-disclosure-jwt-02.html
- Flow:
  - Issuer passes two objects to the holder:
    - SD-JWT (signed JWT, contains CLAIMs, HASHES OF VALUES, and a signature)
    - SD-JWT-SVC (Salt Value Container, contains CLAIMs, SALTS, and JSON-Encoded VALUES)
  - Holder
    - creates SD-JWT-R (unsigned subset of the SD-JWT-SVC), i.e. holder can see the values of the claims that are released.
    - passes SD-JWT and SD-JWT-R to the verifier
  - Verifier
    - Uses salts to verify hashes
    - Can then trust the SD-JWT
- Extensions allow for "holder binding" to eliminate replay attacks.
- Pros:
  - User sees values that are passed on
  - User is in charge of the selection of claims
- Cons:
  - Breaks existing JWT flows
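The SD-JWT flow above as an added worked example in Python (not code from the talk or the draft): the issuer commits to each salted claim value by hash, the holder releases a subset of salt/value pairs, and the verifier checks the issuer signature and recomputes the digests before trusting any value. Assumptions: the claim names (sd_digests, sd_hash_alg), the '[salt, value]' JSON disclosure encoding and the HS256 shared-secret signature are my simplifications, not the draft's exact wire format.

```python
import base64, hashlib, hmac, json, secrets

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def digest(disclosure: str) -> str:
    # Hash commitment to one '[salt, value]' disclosure string (assumed encoding).
    return b64u(hashlib.sha256(disclosure.encode()).digest())

def sign_jwt(payload: dict, key: bytes) -> str:
    # HS256 stand-in for the issuer's signature (real issuers use asymmetric keys).
    head = b64u(json.dumps({"alg": "HS256", "typ": "sd+jwt"}).encode())
    body = b64u(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def issue(claims: dict, key: bytes):
    """Issuer: returns (SD-JWT, SD-JWT-SVC). The SVC holds salts and values,
    the SD-JWT only the digest of each salted value plus the signature."""
    svc = {k: json.dumps([b64u(secrets.token_bytes(16)), v]) for k, v in claims.items()}
    payload = {"iss": "https://issuer.example", "sd_hash_alg": "sha-256",
               "sd_digests": {k: digest(d) for k, d in svc.items()}}
    return sign_jwt(payload, key), svc

def release(svc: dict, names: set) -> dict:
    """Holder: builds SD-JWT-R, the unsigned subset of the SVC it chooses to disclose."""
    return {k: svc[k] for k in names}

def verify(sd_jwt: str, sd_jwt_r: dict, key: bytes) -> dict:
    """Verifier: check signature, then recompute every released digest; ValueError on failure."""
    head, body, sig = sd_jwt.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(sig)):
        raise ValueError("issuer signature does not verify")
    digests = json.loads(b64u_dec(body))["sd_digests"]
    released = {}
    for k, disclosure in sd_jwt_r.items():
        if digest(disclosure) != digests.get(k):  # also rejects claims the issuer never signed
            raise ValueError(f"disclosure for {k!r} does not match the issuer's digest")
        released[k] = json.loads(disclosure)[1]  # value trusted only after the digest check
    return released

def accepted(sd_jwt: str, sd_jwt_r: dict, key: bytes) -> bool:
    try:
        verify(sd_jwt, sd_jwt_r, key)
        return True
    except ValueError:
        return False
```

Because only digests are in the signed token, the verifier learns nothing about the claims the holder keeps back, while any change to a released value or a claim the issuer never committed to fails the digest check.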
ELM-V3
- European Learning Model https://htmlpreview.github.io/?https://github.com/european-commission-empl/European-Learning-Model/blob/master/rdf/ap/edc/documentation/EDC-generic-no-cv.html#evidence
- Extensive (extremely overly complicated) model to define all kinds of learning: over 480 properties to capture and validate all types of learning
- Based on
  - JSON-LD
  - Verifiable Credentials: https://www.w3.org/2018/credentials/
OpenBadges-2.0
- https://www.imsglobal.org/sites/default/files/Badges/OBv2p0Final
- json-ld specification: https://openbadgespec.org/v2/context.json
- Less complex than ELM
- Focussed on learning, attesting an achievement
- Signed (is it a JWT?)
- Typical quote:
  - "The Assertion issuer is authorized to award Assertions of the declared BadgeClass (typically by being the issuer of the BadgeClass.)"
  - "Additional checks may ensure that: The issuer Profile awarding the Assertion is trusted to have declared accurate information about its identity (typically via Endorsement)."
  - => freely translated by Marcus: "We do not have a trust model yet"
Trust Modelling
- Nice read: https://medium.com/@leifj/trust-does-not-scale-94bab5b67f5c
- eduGAIN
- EBSI
- OID-Fed
- ToIP Whitepaper
- Intermediaries (as in Federated Identities) are bad: "Trust Gap" from scaling up
- Intermediaries (as in DI) are good
- Describes the trust between Issuer and Verifier
- Pretty much a "cloudy" kind of thing => This is where (IMO) eduGAIN and OID-Fed have strongest points
- New concept: Holder Binding