Currently, Section 8.6 (VP Token Validation) does not explicitly state whether the Verifier is required to validate that the vct of a returned SD-JWT VC matches one of the vct_values requested in the DCQL query. This could become an issue if vct inheritance is used, e.g., if a root certificate is used to issue document signer certificates for different vct values.
Section B.3.5 defines vct_values as follows:
vct_values: REQUIRED. A non-empty array of strings that specifies allowed values for the type of the requested Verifiable Credential. All elements in the array MUST be valid type identifiers as defined in [SD-JWT VC]. The Wallet MAY return Credentials that inherit from any of the specified types, following the inheritance logic defined in [SD-JWT VC].
Section 8.6 contains the following validation requirements:
Check the individual Presentations according to the specific Credential Format requested:
Validate that the returned Credential(s) meet all criteria defined in the query in the Authorization Request (e.g., Claims included in the presentation).
Check that the set of Presentations returned satisfies all requirements defined in the Verifier's request as described in Section 6.4.
If any of the checks related to an individual Presentation fail, the affected Presentation MUST be discarded. If any of the checks pertaining to the VP Token or the overall response fails, the VP Token MUST be rejected.
While the generic requirement to validate that returned credentials meet all query criteria could be interpreted as covering vct_values, there is currently no explicit statement that the Verifier must validate that the Credential's vct either:
- matches one of the requested vct_values, or
- is a subtype thereof according to the SD-JWT VC inheritance rules.
Given that vct_values is the primary mechanism for requesting specific SD-JWT VC types, it may be beneficial to make this validation step explicit in Section 8.6, rather than relying on the reader to infer it from the more generic query-validation requirements. @jogu @c2bo @fkj @paulbastian
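
A sketch of the explicit check discussed above, as an added example that is not part of the issue or the specification. It assumes the Verifier has already retrieved and integrity-checked the SD-JWT VC Type Metadata documents and follows their `extends` member; the function names, `MAX_CHAIN` and the `example.com` type identifiers are hypothetical.

```python
# Added example (not from the specification or the issue).
# TYPE_METADATA is constructed sample data: vct -> Type Metadata document,
# assumed to be already retrieved and integrity-checked by the Verifier.
BASE = "https://example.com/vct/"
TYPE_METADATA = {
    BASE + "pid-de": {"extends": BASE + "pid"},
    BASE + "pid": {"extends": BASE + "identity"},
    BASE + "identity": {},
    BASE + "loop-a": {"extends": BASE + "loop-b"},
    BASE + "loop-b": {"extends": BASE + "loop-a"},
}
MAX_CHAIN = 8  # assumed local policy limit on inheritance depth


def vct_chain(vct, metadata):
    """Return [vct, parent, ...] by following 'extends'; raise ValueError
    on a cycle, an over-long chain, or a parent with no metadata."""
    chain = [vct]
    while True:
        parent = metadata.get(chain[-1], {}).get("extends")
        if parent is None:
            return chain
        if parent in chain:
            raise ValueError("circular extends chain")
        if parent not in metadata:
            raise ValueError("unresolvable parent type")
        if len(chain) >= MAX_CHAIN:
            raise ValueError("extends chain too long")
        chain.append(parent)


def vct_satisfies_query(credential_vct, vct_values, metadata=TYPE_METADATA):
    """True only if the credential's vct, or a type it inherits from,
    is one of the vct_values the Verifier put in its DCQL query."""
    if not isinstance(credential_vct, str) or not vct_values:
        return False
    try:
        chain = vct_chain(credential_vct, metadata)
    except ValueError:
        return False  # fail closed: the Presentation is discarded
    return any(t in vct_values for t in chain)


def filter_presentations(payloads, vct_values):
    """Keep only the SD-JWT VC payloads (already signature-verified dicts)
    whose vct passes the check; the rest are discarded."""
    return [p for p in payloads if vct_satisfies_query(p.get("vct"), vct_values)]
```

The check runs in one direction only: a credential of a subtype satisfies a query for its parent type, but a credential of the parent type does not satisfy a query for the subtype.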