Skip to content

7. Party Credential

The Party Credential is based upon the Verifiable Credentials Data Model v2.0 and is the basement for all IAA Parties such as Natural Persons(wallets, private keypair), Services, Legal Persons, other Participants, Web Sites etc etc, in fact this general purpose credential is intended to be extended into specialized Credentials(see Party Credential Specializations)

This is how Party Credential will be defined by the following attributes

Attribute Type.Value/Voc Mandatory Comment
gx:holder URI Yes A resolvable link to the holder verificationMethod to be used to uniquely identify ONE and ONLY key pair
odrl:hasPolicy policy[] in ODRL No A list of policy expressed using ODRL
gx:identityAttributes String[] No A list of literals representing Identity Attributes to be used in a ABAC context
gx:identityRoles String[] No A list of literals representing Identity Roles to be used in a RBAC context

VERY IMPORTANT NOTE

The credentialSubject.id must identify the DID Document that contains the verificationMethod(keypair) referenced by gx:holder property that belong to/is controlled by the Credential Holder, with this solution the PartyCredential VC can be publicly published in case contains no sensitive data or keep private in case contains PII - Personal Identifiable Information.

7.1 Private Party Credentials

All the Party Credential containing PII are not considered to be published and reachable via their id to everybody, instead they are intended to be stored in secure storage such as Wallet, Device Secure Storage, Vault, etc. As an example of this kind of credential let’s consider a NaturalPersonCredential issued by a Legal Participant to one of his users that contains Name, Surname, identityAttributes, Roles, etc etc, MUST NOT be published as the other Credentials(e.g. ServiceOffering) with the purpose of entitling a Natural Person to interact with Relying Parties(RP) in a certain ecosystem. In this scenario, it makes sense also consider “selective disclosure” during interacting with other RP and whether or not to submit it to the compliance engine.

7.2 Public Party Credentials

All Party Credential that contains data that can publicly be accessed and queried by everybody. As an example for this kind of credential let’s consider a MembershipCredential issued by a LegalParticipant who run an Ecosystem to another Participant to attestates his Membeship status.

In the example below the issued party credential id is not public and the credentialSubject.id is a did:key referencing a keypair owned by the Holder

party_credential.json
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://registry.gaia-x.eu/v1/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#"
  ],
  "id": "did:web:did.actor:alice:credentials:private#1222331234",
  "type": ["VerifiableCredential"],
  "issuer": "did:web:did.actor:alice",
  "validFrom": "2023-08-28T23:00:00Z",
  "credentialSubject": {
    "id": "did:key:z4MXj1wBzi9jUstyPMS4jQqB6KdJaiatPkAtVtGc6bQEQEEsKTic4G7Rou3iBf9vPmT5dbkm9qsZsuVNjq8HCuW1w24nhBFGkRE4cd2Uf2tfrB3N7h4mnyPp1BF3ZttHTYv3DLUPi1zMdkULiow3M1GfXkoC6DoxDUm1jmN6GBj22SjVsr6dxezRVQc7aj9TxE7JLbMH1wh5X3kA58H3DFW8rnYMakFGbca5CB2Jf6CnGQZmL7o5uJAdTwXfy2iiiyPxXEGerMhHwhjTA1mKYobyk2CpeEcmvynADfNZ5MBvcCS7m3XkFCMNUYBS9NQ3fze6vMSUPsNa6GVYmKx2x6JrdEjCk3qRMMmyjnjCMfR4pXbRMZa3i",
    "type": "gx:PartyCredential",
    "odrl:hasPolicy": [],
    "gx:holder": "did:key:z4MXj1wBzi9jUstyPMS4jQqB6KdJaiatPkAtVtGc6bQEQEEsKTic4G7Rou3iBf9vPmT5dbkm9qsZsuVNjq8HCuW1w24nhBFGkRE4cd2Uf2tfrB3N7h4mnyPp1BF3ZttHTYv3DLUPi1zMdkULiow3M1GfXkoC6DoxDUm1jmN6GBj22SjVsr6dxezRVQc7aj9TxE7JLbMH1wh5X3kA58H3DFW8rnYMakFGbca5CB2Jf6CnGQZmL7o5uJAdTwXfy2iiiyPxXEGerMhHwhjTA1mKYobyk2CpeEcmvynADfNZ5MBvcCS7m3XkFCMNUYBS9NQ3fze6vMSUPsNa6GVYmKx2x6JrdEjCk3qRMMmyjnjCMfR4pXbRMZa3i",
    "gx:identityAttributes": ["IdAttributeOne","IdAttributeTwo"],
    "gx:identityRoles": ["IdRoleOne","IdRoleTwo"],
  },
  "credentialStatus": {
    "id": "https://did.actor/alice/credentials/status/3#94567",
    "type": "StatusList2021Entry",
    "statusPurpose": "revocation",
    "statusListIndex": "94567",
    "statusListCredential": "https://did.actor/alice/credentials/status/3"
  },
  "proof": {
    "type": "JsonWebSignature2020",
    "created": "2023-08-28T13:25:35.827Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did:web:did.actor:alice#JWK2020",
    "jws": "eyJhbGciOiJQUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..Sq5VJHCFuIP-cC86EknRnB91WQxNI5X4QtI0mMR3Xzl8VY5bYfOAtpEsejYeDUbi3Oed0VwQBRCqd11HL7NFF-KH02D9I97nHBftBaXo8e0uWQTRk6TA8xq9oQRuNdnm15eR2zudOzKlH4ArXcBo-hUxUH6EH7YimT0Uu5NbsofN-5C2ovksogbugl-NkW3MKrGkAYzsyaEcgh-vSiRwSl4vwE55sDkn16QgMtsccwo9PR0kzECHp8KQZTM3Nwnv4jNN-F3zP-3Vn0B-cm-UgHPz1RYX6uKrc3A4TlJvk9rxQNfLbNot8ZaQBPoLMnd98bV6giNaGIbekVOUuBxUKg"
  }  
}

8. Party Credential lifecycle

  • expired if the expiration datetime is older than current datetime or the certificate containing the key used to sign the claim has expired.
  • revoked
  • if the key used to sign the array is revoked.
  • if the credentialStatus has the statusPurpose property set to “revocation” and the value of status at position credentialIndex is true
  • suspended if the credentialStatus has the statusPurpose property set to “suspension” and the value of status at position credentialIndex is true
  • deprecated if another verifiable credential with the same identifier and the same signature issuer has a newer issuance datetime.
  • active only if none of the above.

9. Party Credential Status

Verifiable Credentials is a fundamental component of secure data and identity systems, enabling the issuance and presentation of trustworthy and tamper-proof credentials. However, in dynamic and evolving environments, it is crucial to establish mechanisms for the timely revocation or suspension of these credentials in case of compromised or outdated information.

The use of Credential Status Lists (CSL), specifically the W3C Verifiable Credentials Status List v2021, addresses this need by providing a standardized approach to manage and communicate the revocation status of verifiable Credentials.

When a Verifiable Credential is issued, the issuer has the option to embed a reference to the Credential Status List (CSL) entry associated with the credential. This reference, often in the form of a Uniform Resource Identifier (URI), enables relying parties (commonly verifiers) to promptly determine the current status of the credential’s validity.

To validate a presented Verifiable Credential, the relying party retrieves the referenced Credential Status List entry using the provided URI. This entry contains information about the revocation status of the credential, allowing the relying party to check if the credential is still valid, has been revoked/suspended, or has any other relevant status.

Relying parties can periodically update their local copy of the Credential Status List from trusted sources to ensure they possess the most current revocation status information. This practice prevents reliance on outdated or incorrect information, enhancing the overall security of the ecosystem.

party_credential_revocation.json
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://registry.gaia-x.eu/v1/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#"
    "https://w3id.org/vc/status-list/2021/v1"
  ],
  "id": "https://did.actor/alice/credentials/status/3",
  "type": ["VerifiableCredential", "StatusList2021Credential"],
  "issuer": "did:web:did.actor:alice",
  "issued": "2021-04-05T14:27:40Z",
  "credentialSubject": {
    "id": "https://example.com/status/3#list",
    "type": "StatusList2021",
    "statusPurpose": "revocation",
    "encodedList": "H4sIAAAAAAAAA-3BMQEAAADCoPVPbQwfoAAAAAAAAAAAAAAAAAAAAIC3AYbSVKsAQAAA"
  },
  "proof": { ... }
}

10. Party Credential Specializations

Here are defined some of the possible Party Credential specializations.

10.1 Natural Person Party Credential

This credential is issued by a Participant to entitle a natural person(usually one of his users) to interact with other Relying Parties belonging to other Participants

This is how Natural Person Party Credential will be defined by the following attributes in addition to Party Credential attributes

Attribute Type.Value/Voc Mandatory Comment
gx:givenName String Yes Name of the natural person
gx:surname String Yes Surname of the natural person

This credential is issued by a Legal Person Participant to entitle another legal person(usually one of his users) to interact with other Relying Parties belonging to other Participants in behalf of

This is how Legal Person Party Credential will be defined by the following attributes in addition to Party Credential attributes

Attribute Type.Value/Voc Mandatory Comment
gx:organizationIdentifier String Yes Organization Identifier used in the eIDAS rules

10.3 Service Party Credential

This credential is issued by a Participant to entitle a automated service(usually automated process that perform task ) to interact with other Relying Parties belonging to other Participants

This is how Service Party Credential will be defined by the following attributes in addition to Party Credential attributes

Attribute Type.Value/Voc Mandatory Comment
gx:baseURL URI Yes The base URL endpoint where the service is accessible
Suggest a modification