Hi,
I would like to understand the relationship between OID4VCI Credential Issuer Metadata and ISO mdoc issuer identification during verification.
In SD-JWT VC or W3C VC, a verifier can usually start from an issuer identifier contained in the credential, such as iss or issuer, and use the corresponding format-specific discovery/trust mechanism.
For ISO mdoc, however, the credential is verified using the IssuerAuth and the certificate chain in the COSE x5chain, where the Document Signer certificate chains to a trusted IACA. The mdoc itself does not seem to provide a standardized credential_issuer URL or a standardized way to derive the OID4VCI Credential Issuer Metadata URL from the Document Signer certificate or IACA.
My questions are:
- Is the OID4VCI credential_issuer identifier intended to be discoverable by a verifier from an already-issued ISO mdoc?
- Is there any standard binding between:
- the OID4VCI credential_issuer identifier / metadata, and
- the ISO mdoc Document Signer certificate, IACA, docType, or issuingAuthority?
The practical use case is a verifier that receives ISO mdoc credentials issued by different countries or ecosystems and wants to display trusted issuer metadata, such as issuer name, logo, supported credential types, claims, or policy information, without relying on an ad hoc mapping.
Thanks!
Hi,
I would like to understand the relationship between OID4VCI Credential Issuer Metadata and ISO mdoc issuer identification during verification.
In SD-JWT VC or W3C VC, a verifier can usually start from an issuer identifier contained in the credential, such as iss or issuer, and use the corresponding format-specific discovery/trust mechanism.
For ISO mdoc, however, the credential is verified using the IssuerAuth and the certificate chain in the COSE x5chain, where the Document Signer certificate chains to a trusted IACA. The mdoc itself does not seem to provide a standardized credential_issuer URL or a standardized way to derive the OID4VCI Credential Issuer Metadata URL from the Document Signer certificate or IACA.
My questions are:
The practical use case is a verifier that receives ISO mdoc credentials issued by different countries or ecosystems and wants to display trusted issuer metadata, such as issuer name, logo, supported credential types, claims, or policy information, without relying on an ad hoc mapping.
Thanks!