From 5846457c2c5fec009615f816fcf35b88474181aa Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Tue, 27 Jan 2026 18:00:38 +0100 Subject: [PATCH 01/23] fix: resolved merge conflicts --- 1.0/openid-4-verifiable-credential-issuance-1_0.md | 8 ++++++-- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 10 ++++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/1.0/openid-4-verifiable-credential-issuance-1_0.md b/1.0/openid-4-verifiable-credential-issuance-1_0.md index fb375b9f..7f53bf2b 100644 --- a/1.0/openid-4-verifiable-credential-issuance-1_0.md +++ b/1.0/openid-4-verifiable-credential-issuance-1_0.md @@ -77,6 +77,9 @@ This specification also defines the following terms. In the case where a term ha Credential Dataset: : A set of one or more claims about a subject, provided by a Credential Issuer. +Credential Dataset Identifier +: A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. + Credential (or Verifiable Credential (VC)): : An instance of a Credential Configuration with a particular Credential Dataset, that is signed by an Issuer and can be cryptographically verified. An Issuer may provide multiple Credentials as separate instances of the same Credential Configuration and Credential Dataset but with different cryptographic values. In this specification, the term "Verifiable Credential" is also referred to as "Credential". It's important to note that the use of the term "Credential" here differs from its usage in [@!OpenID.Core] and [@!RFC6749]. In this context, "Credential" specifically does not encompass other meanings such as passwords used for login credentials. @@ -996,7 +999,7 @@ Cache-Control: no-store } ``` -Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with an additional `notification_id` parameter: +Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with an additional `notification_id` and `credential_dataset_id` parameter: ``` HTTP/1.1 200 OK @@ -1011,7 +1014,8 @@ Content-Type: application/json "credential": "YXNkZnNhZGZkamZqZGFza23....29tZTIzMjMyMzIzMjMy" } ], - "notification_id": "3fwe98js" + "notification_id": "3fwe98js", + "credential_data_set_id": "Jk0eOt4CXQe1NXK" } ``` diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index e6395379..48f97533 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -73,6 +73,9 @@ This specification also defines the following terms. In the case where a term ha Credential Dataset: : A set of one or more claims about a subject, provided by a Credential Issuer. +Credential Dataset Identifier +: A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. + Credential (or Verifiable Credential (VC)): : An instance of a Credential Configuration with a particular Credential Dataset, that is signed by an Issuer and can be cryptographically verified. An Issuer may provide multiple Credentials as separate instances of the same Credential Configuration and Credential Dataset but with different cryptographic values. In this specification, the term "Verifiable Credential" is also referred to as "Credential". It's important to note that the use of the term "Credential" here differs from its usage in [@!OpenID.Core] and [@!RFC6749]. In this context, "Credential" specifically does not encompass other meanings such as passwords used for login credentials. @@ -1382,6 +1385,7 @@ The following parameters are used in the JSON-encoded Credential Response body: * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. +* `credential_dataset_id`: OPTIONAL. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. @@ -1523,7 +1527,7 @@ A Deferred Credential Response may either contain the requested Credentials or f * If the Credential Issuer is able to issue the requested Credentials, the Deferred Credential Response MUST use the `credentials` parameter as defined in (#credential-response) and MUST respond with the HTTP status code 200 (see Section 15.3.3 of [@!RFC9110]). * If the Credential Issuer still requires more time, the Deferred Credential Response MUST use the `interval` and `transaction_id` parameters as defined in (#credential-response) and it MUST respond with the HTTP status code 202 (see Section 15.3.3 of [@!RFC9110]). The value of `transaction_id` MUST be same as the value of `transaction_id` in the Deferred Credential Request. -The Deferred Credential Response MAY use the `notification_id` parameter as defined in (#credential-response). +The Deferred Credential Response MAY use the `notification_id` and the `credential_dataset_id` parameter as defined in (#credential-response). Additional Deferred Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. @@ -1547,7 +1551,8 @@ Content-Type: application/json "credential": "YXNkZnNhZGZkamZqZGFza23....29tZTIzMjMyMzIzMjMy" } ], - "notification_id": "3fwe98js" + "notification_id": "3fwe98js", + "credential_data_set_id": "Jk0eOt4CXQe1NXK" } ``` @@ -3609,3 +3614,4 @@ The technology described in this specification was made available from contribut * use derived origin for `expected_origins` in IAE flow * add require_interactive_authorization_request to AS metadata * add interactive_authorization_endpoint to AS metadata section + * add cerdential dataset identifier From 13804874d977f6b3ec381cb08a29e8e1f05f048d Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Tue, 27 Jan 2026 18:02:11 +0100 Subject: [PATCH 02/23] fix: removed credential data set id from 1.0 --- 1.0/openid-4-verifiable-credential-issuance-1_0.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/1.0/openid-4-verifiable-credential-issuance-1_0.md b/1.0/openid-4-verifiable-credential-issuance-1_0.md index 7f53bf2b..fb375b9f 100644 --- a/1.0/openid-4-verifiable-credential-issuance-1_0.md +++ b/1.0/openid-4-verifiable-credential-issuance-1_0.md @@ -77,9 +77,6 @@ This specification also defines the following terms. In the case where a term ha Credential Dataset: : A set of one or more claims about a subject, provided by a Credential Issuer. -Credential Dataset Identifier -: A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. - Credential (or Verifiable Credential (VC)): : An instance of a Credential Configuration with a particular Credential Dataset, that is signed by an Issuer and can be cryptographically verified. An Issuer may provide multiple Credentials as separate instances of the same Credential Configuration and Credential Dataset but with different cryptographic values. In this specification, the term "Verifiable Credential" is also referred to as "Credential". It's important to note that the use of the term "Credential" here differs from its usage in [@!OpenID.Core] and [@!RFC6749]. In this context, "Credential" specifically does not encompass other meanings such as passwords used for login credentials. @@ -999,7 +996,7 @@ Cache-Control: no-store } ``` -Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with an additional `notification_id` and `credential_dataset_id` parameter: +Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with an additional `notification_id` parameter: ``` HTTP/1.1 200 OK @@ -1014,8 +1011,7 @@ Content-Type: application/json "credential": "YXNkZnNhZGZkamZqZGFza23....29tZTIzMjMyMzIzMjMy" } ], - "notification_id": "3fwe98js", - "credential_data_set_id": "Jk0eOt4CXQe1NXK" + "notification_id": "3fwe98js" } ``` From 2c0bf282f17456795a966974174770c7ba61e5f8 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Tue, 27 Jan 2026 18:02:52 +0100 Subject: [PATCH 03/23] fix: editorial --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 48f97533..9a06da99 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1405,7 +1405,7 @@ Cache-Control: no-store } ``` -Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with an additional `notification_id` parameter: +Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with additional `notification_id` and `credential_dataset_id` parameters: ``` HTTP/1.1 200 OK From b69d8834e67751a80dbbb80d3cef8fdb3d509f9f Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Wed, 18 Feb 2026 20:51:00 +0100 Subject: [PATCH 04/23] Added use cases for dataset identifier next to parameter --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 9a06da99..0f4ebbb9 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1385,7 +1385,7 @@ The following parameters are used in the JSON-encoded Credential Response body: * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. -* `credential_dataset_id`: OPTIONAL. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. +* `credential_dataset_id`: OPTIONAL. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. From f9c993e7e3fab3acd79ca4db9ec75aa8ec1eca06 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Wed, 18 Feb 2026 20:51:20 +0100 Subject: [PATCH 05/23] Applied Kristina's suggestion Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com> --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 0f4ebbb9..0afb9501 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1552,7 +1552,7 @@ Content-Type: application/json } ], "notification_id": "3fwe98js", - "credential_data_set_id": "Jk0eOt4CXQe1NXK" + "credential_dataset_id": "Jk0eOt4CXQe1NXK" } ``` From f7f1a0f7079c3b212f0bb49fb255282f86e97a50 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Tue, 3 Mar 2026 20:59:33 +0100 Subject: [PATCH 06/23] Made credential_dataset_id required for the issuer and optional for the wallet --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 0afb9501..e225144a 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1385,7 +1385,7 @@ The following parameters are used in the JSON-encoded Credential Response body: * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. -* `credential_dataset_id`: OPTIONAL. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. +* `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. From dbacd72cb7e4a1cb190f6e5537122cea1fb406e3 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Tue, 10 Mar 2026 22:28:38 +0100 Subject: [PATCH 07/23] Apply suggestion from Ralph Co-authored-by: Ralf Engbers --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index e225144a..c02d9bfe 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1420,7 +1420,8 @@ Content-Type: application/json "credential": "YXNkZnNhZGZkamZqZGFza23....29tZTIzMjMyMzIzMjMy" } ], - "notification_id": "3fwe98js" + "notification_id": "3fwe98js", + "credential_dataset_id": "Jk0eOt4CXQe1NXK" } ``` From b20cbe484f99f8e387a7acc645341bcb7fe263e9 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Tue, 10 Mar 2026 22:29:15 +0100 Subject: [PATCH 08/23] Apply suggestion from Oliver --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index c02d9bfe..fe12c00e 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -3615,4 +3615,4 @@ The technology described in this specification was made available from contribut * use derived origin for `expected_origins` in IAE flow * add require_interactive_authorization_request to AS metadata * add interactive_authorization_endpoint to AS metadata section - * add cerdential dataset identifier + * add credential dataset identifier From efdf8da2ab00e9504721a47db70b569529a39ec4 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Thu, 2 Apr 2026 17:56:00 +0200 Subject: [PATCH 09/23] Update 1.1/openid-4-verifiable-credential-issuance-1_1.md applied christian's comments Co-authored-by: Christian Bormann --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index fe12c00e..e811d98e 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -74,7 +74,7 @@ Credential Dataset: : A set of one or more claims about a subject, provided by a Credential Issuer. Credential Dataset Identifier -: A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. +: A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. Note that A Credential Dataset Identifier is bound to a specific Credential Format. Credential (or Verifiable Credential (VC)): : An instance of a Credential Configuration with a particular Credential Dataset, that is signed by an Issuer and can be cryptographically verified. An Issuer may provide multiple Credentials as separate instances of the same Credential Configuration and Credential Dataset but with different cryptographic values. In this specification, the term "Verifiable Credential" is also referred to as "Credential". It's important to note that the use of the term "Credential" here differs from its usage in [@!OpenID.Core] and [@!RFC6749]. In this context, "Credential" specifically does not encompass other meanings such as passwords used for login credentials. From 34a25d9b1ff55778b15b61c3ec1987a975860d9a Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Thu, 2 Apr 2026 17:56:23 +0200 Subject: [PATCH 10/23] Update 1.1/openid-4-verifiable-credential-issuance-1_1.md applied christian's comments Co-authored-by: Christian Bormann --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index e811d98e..7572feb7 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1385,7 +1385,7 @@ The following parameters are used in the JSON-encoded Credential Response body: * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. -* `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. +* `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format - if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. From 825710be02cec1f3a07cbdc6c05ae87acf7547f8 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Mon, 27 Apr 2026 20:44:33 +0200 Subject: [PATCH 11/23] Applied Frederik's suggestion Co-authored-by: Frederik Krogsdal Jacobsen --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 7572feb7..834c3188 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -74,7 +74,7 @@ Credential Dataset: : A set of one or more claims about a subject, provided by a Credential Issuer. Credential Dataset Identifier -: A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. Note that A Credential Dataset Identifier is bound to a specific Credential Format. +: A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. Note that a Credential Dataset Identifier is bound to a specific Credential Format. Credential (or Verifiable Credential (VC)): : An instance of a Credential Configuration with a particular Credential Dataset, that is signed by an Issuer and can be cryptographically verified. An Issuer may provide multiple Credentials as separate instances of the same Credential Configuration and Credential Dataset but with different cryptographic values. In this specification, the term "Verifiable Credential" is also referred to as "Credential". It's important to note that the use of the term "Credential" here differs from its usage in [@!OpenID.Core] and [@!RFC6749]. In this context, "Credential" specifically does not encompass other meanings such as passwords used for login credentials. From 63e5dc33b753a113842b590239b438a50bbb40a6 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Mon, 27 Apr 2026 20:46:53 +0200 Subject: [PATCH 12/23] Applied Frederik's suggestion Co-authored-by: Frederik Krogsdal Jacobsen --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 834c3188..0e2b8323 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1385,7 +1385,7 @@ The following parameters are used in the JSON-encoded Credential Response body: * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. -* `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format - if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. +* `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format: if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. From 89dc241e0ef3cd5fee37b1a3a8c93b6d4f795ced Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Tue, 19 May 2026 17:21:30 +0200 Subject: [PATCH 13/23] Applied Paul's suggestion Co-authored-by: Paul Bastian --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 0e2b8323..8c7d29ce 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -3615,4 +3615,4 @@ The technology described in this specification was made available from contribut * use derived origin for `expected_origins` in IAE flow * add require_interactive_authorization_request to AS metadata * add interactive_authorization_endpoint to AS metadata section - * add credential dataset identifier + * add credential dataset version From 0c2308033b4cfe574c71a7031fcd7fc1dd9df2ce Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Tue, 19 May 2026 17:22:30 +0200 Subject: [PATCH 14/23] Applied Paul's suggestion Co-authored-by: Paul Bastian --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 8c7d29ce..ac85ef07 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -73,7 +73,7 @@ This specification also defines the following terms. In the case where a term ha Credential Dataset: : A set of one or more claims about a subject, provided by a Credential Issuer. -Credential Dataset Identifier +Credential Dataset Version : A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. Note that a Credential Dataset Identifier is bound to a specific Credential Format. Credential (or Verifiable Credential (VC)): From f56820b0dcc8f4f730fd7d82c86df7be7f33539f Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Thu, 11 Jun 2026 18:18:17 +0200 Subject: [PATCH 15/23] fix: applied Frederik's suggestion --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index ac85ef07..4846c368 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1385,7 +1385,7 @@ The following parameters are used in the JSON-encoded Credential Response body: * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. -* `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format: if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. +* `credential_dataset_id`: REQUIRED for the Issuer to return. A string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format: if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. From d70dbe2b4f2ab2fc9273910002ba5da945511b58 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Thu, 11 Jun 2026 18:19:59 +0200 Subject: [PATCH 16/23] fix: applied Paul's suggestion --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 4846c368..7549aa3f 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -74,7 +74,7 @@ Credential Dataset: : A set of one or more claims about a subject, provided by a Credential Issuer. Credential Dataset Version -: A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. Note that a Credential Dataset Identifier is bound to a specific Credential Format. +: A String that refers to a specific version of a Credential Dataset. This version is identical for multiple instances of a Credential that share the same Credential Dataset, even if they differ in cryptographic proofs. When any of the claim values in the Credential Dataset change, a new Credential Dataset Version is assigned. This version enables Wallets to detect changes to the underlying data and to distinguish between Credentials of the same Credential Configuration are issued with different Credential Datasets. Note that a Credential Dataset Version is bound to a specific Credential Format. Credential (or Verifiable Credential (VC)): : An instance of a Credential Configuration with a particular Credential Dataset, that is signed by an Issuer and can be cryptographically verified. An Issuer may provide multiple Credentials as separate instances of the same Credential Configuration and Credential Dataset but with different cryptographic values. In this specification, the term "Verifiable Credential" is also referred to as "Credential". It's important to note that the use of the term "Credential" here differs from its usage in [@!OpenID.Core] and [@!RFC6749]. In this context, "Credential" specifically does not encompass other meanings such as passwords used for login credentials. From 0657f5cc726b0e20276dded497921b84c04bd414 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Thu, 11 Jun 2026 18:27:13 +0200 Subject: [PATCH 17/23] fix: applied Paul's and Gareth's suggestions --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 7549aa3f..157ba28a 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1385,7 +1385,7 @@ The following parameters are used in the JSON-encoded Credential Response body: * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. -* `credential_dataset_id`: REQUIRED for the Issuer to return. A string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format: if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. +* `credential_dataset_version`: REQUIRED for the Issuer to return. A string containing the Credential Dataset Version associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format: if a Credential is offered in different formats, they would have different values for `credential_dataset_version`. For backward compatibility with Issuers conforming to earlier versions of this specification, the Wallet MUST NOT expect the `credential_dataset_version` parameter to always be present in the Credential Response. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. @@ -1405,7 +1405,7 @@ Cache-Control: no-store } ``` -Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with additional `notification_id` and `credential_dataset_id` parameters: +Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with additional `notification_id` and `credential_dataset_version` parameters: ``` HTTP/1.1 200 OK @@ -1421,7 +1421,7 @@ Content-Type: application/json } ], "notification_id": "3fwe98js", - "credential_dataset_id": "Jk0eOt4CXQe1NXK" + "credential_dataset_version": "Jk0eOt4CXQe1NXK" } ``` @@ -1528,7 +1528,7 @@ A Deferred Credential Response may either contain the requested Credentials or f * If the Credential Issuer is able to issue the requested Credentials, the Deferred Credential Response MUST use the `credentials` parameter as defined in (#credential-response) and MUST respond with the HTTP status code 200 (see Section 15.3.3 of [@!RFC9110]). * If the Credential Issuer still requires more time, the Deferred Credential Response MUST use the `interval` and `transaction_id` parameters as defined in (#credential-response) and it MUST respond with the HTTP status code 202 (see Section 15.3.3 of [@!RFC9110]). The value of `transaction_id` MUST be same as the value of `transaction_id` in the Deferred Credential Request. -The Deferred Credential Response MAY use the `notification_id` and the `credential_dataset_id` parameter as defined in (#credential-response). +The Deferred Credential Response MAY use the `notification_id` and the `credential_dataset_version` parameter as defined in (#credential-response). Additional Deferred Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. @@ -1553,7 +1553,7 @@ Content-Type: application/json } ], "notification_id": "3fwe98js", - "credential_dataset_id": "Jk0eOt4CXQe1NXK" + "credential_dataset_version": "Jk0eOt4CXQe1NXK" } ``` From ff1facaee16230969a3e6e12eab79149de52964d Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 12 Jun 2026 09:06:16 +0200 Subject: [PATCH 18/23] fix: applied Paul's, Gareth's, Frederik's suggestions --- ...penid-4-verifiable-credential-issuance-1_1.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 157ba28a..56246288 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -74,7 +74,7 @@ Credential Dataset: : A set of one or more claims about a subject, provided by a Credential Issuer. Credential Dataset Version -: A String that refers to a specific version of a Credential Dataset. This version is identical for multiple instances of a Credential that share the same Credential Dataset, even if they differ in cryptographic proofs. When any of the claim values in the Credential Dataset change, a new Credential Dataset Version is assigned. This version enables Wallets to detect changes to the underlying data and to distinguish between Credentials of the same Credential Configuration are issued with different Credential Datasets. Note that a Credential Dataset Version is bound to a specific Credential Format. +: A String that refers to a specific version of a Credential Dataset. This version is identical for multiple instances of a Credential that share the same Credential Dataset, even when the Credential instances differ in cryptographic data, e.g., an Issuer signature. When any of the claim values in the Credential Dataset change, a new Credential Dataset Version is assigned. Note that a Credential Dataset Version is bound to a specific Credential Format. Credential (or Verifiable Credential (VC)): : An instance of a Credential Configuration with a particular Credential Dataset, that is signed by an Issuer and can be cryptographically verified. An Issuer may provide multiple Credentials as separate instances of the same Credential Configuration and Credential Dataset but with different cryptographic values. In this specification, the term "Verifiable Credential" is also referred to as "Credential". It's important to note that the use of the term "Credential" here differs from its usage in [@!OpenID.Core] and [@!RFC6749]. In this context, "Credential" specifically does not encompass other meanings such as passwords used for login credentials. @@ -1385,7 +1385,9 @@ The following parameters are used in the JSON-encoded Credential Response body: * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. -* `credential_dataset_version`: REQUIRED for the Issuer to return. A string containing the Credential Dataset Version associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format: if a Credential is offered in different formats, they would have different values for `credential_dataset_version`. For backward compatibility with Issuers conforming to earlier versions of this specification, the Wallet MUST NOT expect the `credential_dataset_version` parameter to always be present in the Credential Response. +* `credential_dataset_version`: REQUIRED for the Issuer to return. A string containing the Credential Dataset Version associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. The Wallet MUST NOT expect the `credential_dataset_version` parameter to always be present in the Credential Response for backward compatibility with Issuers conforming to earlier versions of this specification. See (#credential-dataset-version-implementation) for implementation considerations. + +If the Credential Issuer includes the `credential_dataset_version` parameter, the following requirements apply. For a given Credential Dataset within the scope of a concrete Credential Format, if the Credential Dataset has not changed, the Credential Issuer MUST return the same Credential Dataset Version, even when issuing a new Credential instance with different cryptographic data, e.g., an Issuer signature. If any claim value in the Credential Dataset changes, the Credential Issuer MUST assign a new Credential Dataset Version. Wallets MUST compare Credential Dataset Version values for equality using simple string comparison with no normalization. Wallets MUST NOT infer ordering from Credential Dataset Version values. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. @@ -1978,6 +1980,16 @@ The Credential Issuer SHOULD NOT revoke previously issued, valid Credentials sol The action leading to the Wallet performing another Credential Request can also be triggered by a background process, or by the Credential Issuer using an out-of-band mechanism (SMS, email, etc.) to inform the End-User. +## Credential Dataset Version {#credential-dataset-version-implementation} + +The `credential_dataset_version` parameter enables Wallets to distinguish between a cryptographic re-issuance of unchanged data and issuance of a Credential containing modified claim values. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority). + +Using a stable Credential Dataset Version for unchanged Credential Datasets prevents unnecessary churn for Wallets that use the Credential Dataset Version to replace or discard old Credential Datasets. + +For example, a Credential Issuer can derive the Credential Dataset Version by computing a hash over a stable representation of only the Credential Dataset, rather than over the full Credential payload, so that cryptographic data, e.g., an Issuer signature, does not affect the result. + +The Credential Dataset Version value is intended only for equality checks and does not convey ordering; for example, a lexically greater value is not necessarily newer. Credential Dataset Version values are not comparable across different Credential Formats. + ## Relationship between the Credential Issuer Identifier in the Metadata and the Issuer Identifier in the Issued Credential The Credential Issuer Identifier is always a URL using the `https` scheme, as defined in (#credential-issuer-identifier). Depending on the Credential Format, the Issuer Identifier in the issued Credential may not be a URL using the `https` scheme. Some other forms that it can take are a DID included in the `issuer` property in a [@VC_DATA] format, or the `Subject` value of the document signer certificate included in the `x5chain` element in an [@ISO.18013-5] format. From 93e252660833fc3788522d521ad02b75e8408d48 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 12 Jun 2026 09:18:50 +0200 Subject: [PATCH 19/23] fix: formatting improved --- .DS_Store | Bin 0 -> 8196 bytes ...penid-4-verifiable-credential-issuance-1_1.md | 9 ++++++++- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..ef992d0377f73332ab3b0aeb72fdc511cb8b9c26 GIT binary patch literal 8196 zcmeHMZEO@p7@l`qU{+k%egFj)SbBmW1$vbt<-=Tig-{TRy+W@oaO~c$u(G#XZujmG zsMKhTNYq55G5GOI;#a~iKTu<$L8Cv^7_1oMAHQN^{9&T;;|Cbu+1W!lY+{TtHtr-l z@60>%&dmGH^X%Tt5kjD&V8jV&AcRnSn3N}D_9uz8v*(H=gqmuUfcC^2(rs7A+G&00 zir$eTia->BC<0Lgq6kD0_%B2Nzu7F&F~0k}HOiw1L=pI3Mu5E^RD76BgmQ$-;MIXy za0EcfjsQWzvdju7)leovIl?8jU;=K6lAA(!!~kxNdNu5q2;~Tu+?+so_<(R`2u~;w z%#P!$L3aWPE~7k(Koo&1Bf#iWMdD-`iR-0H&+oS7`OVGeK&YyoFmV!{L?_c-seNuK z(KIptk&zgwq7o4`VPx1W#sy#>-d`GnEAlKGED5Uv(Iu2x76Vl9K#E2Q@nwS zRLsZ?hYz=|YEoO;Rt`6*hvTjBmL|2et#x=4!ns2t-cFHsf5X{sPI7->_+G&!}8e zTUS3#k_IrSj&I#!nfdJ{%kcO0YhKoL49nTuSF}7!x6NKh%b7LMB#NUmXU&$CIm*0p zQ>6)&V>DgRtpf$iziqUxrdF03m1{)#MY_|#1#WQ-Hj@#wD2>V@N(Y%fnKv=#YH5kG zRFpN^>!BZfh-Rrpls&O`KO%ygwn{fp*$}tenr_-$wOU$B<;`MWk#7fAPLmQ;OlRF( z4xRM4E~%`i^1F05oA@Tp^Sg&kr@W-3(naZjw@=HP-6h0h*op?ja}0NphOJNzRgw$d}|h@-sOP6JZL}!E~4b4KN=T!*XbY z)vy-U!3OAtZO{WL*aH^a3j3i1BX9@Y33tIUcn}_fhv5-;44#6M@H9LFr{HBc4X?s$ za0cFk_u&Kh1U`o^;4AnVeuVRI0e%xip;o99>V<{Ea-ms>3u}Z zP!f&^!`uU*%)8y8N1+hz#zOcOLEeS8fWqrz@J`*>wQ6D1!bN9Ebbhes};Lg%j{NJONK4+D5MnE;n}9;dY`zU~Hg{$D@#{r@=iE?RaJ zfhYohB?3_0ndnmS;el*CK1XJE>VN& YU%v=ozu*4;@9yaPAASD=+>ZC`cLT+KasU7T literal 0 HcmV?d00001 diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 737f2f33..56dbf2ea 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1391,7 +1391,14 @@ The following parameters are used in the JSON-encoded Credential Response body: * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. * `credential_metadata`: OPTIONAL. Object that contains additional metadata specific to the issued Credential(s). The definitions and contained parameters for this Object are identical to the `credential_metadata` parameter as defined in Credential Issuer Metadata (see (#credential-issuer-metadata)) See (#display-metadata-considerations) for implementation considerations on credential metadata. -* `credential_dataset_version`: REQUIRED for the Issuer to return. A string containing the Credential Dataset Version associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. The Wallet MUST NOT expect the `credential_dataset_version` parameter to always be present in the Credential Response for backward compatibility with Issuers conforming to earlier versions of this specification. See (#credential-dataset-version-implementation) for implementation considerations. If the Credential Issuer includes the `credential_dataset_version` parameter, the following requirements apply. For a given Credential Dataset within the scope of a concrete Credential Format, if the Credential Dataset has not changed, the Credential Issuer MUST return the same Credential Dataset Version, even when issuing a new Credential instance with different cryptographic data, e.g., an Issuer signature. If any claim value in the Credential Dataset changes, the Credential Issuer MUST assign a new Credential Dataset Version. Wallets MUST compare Credential Dataset Version values for equality using simple string comparison with no normalization. Wallets MUST NOT infer ordering from Credential Dataset Version values. +* `credential_dataset_version`: REQUIRED for the Issuer to return. A string containing the Credential Dataset Version associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. The Wallet MUST NOT expect the `credential_dataset_version` parameter to always be present in the Credential Response for backward compatibility with Issuers conforming to earlier versions of this specification. See (#credential-dataset-version-implementation) for implementation considerations. + + If the Credential Issuer includes the `credential_dataset_version` parameter, the following requirements apply: + + * For a given Credential Dataset within the scope of a concrete Credential Format, if the Credential Dataset has not changed, the Credential Issuer MUST return the same Credential Dataset Version, even when issuing a new Credential instance with different cryptographic data, e.g., an Issuer signature. + * If any claim value in the Credential Dataset changes, the Credential Issuer MUST assign a new Credential Dataset Version. + * Wallets MUST compare Credential Dataset Version values for equality using simple string comparison with no normalization. + * Wallets MUST NOT infer ordering from Credential Dataset Version values. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. From dbbd8a6445930158520230d60e8900a8ad7a2939 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 12 Jun 2026 18:47:44 +0200 Subject: [PATCH 20/23] fix: clarify ordering --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 56dbf2ea..866295b9 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1398,7 +1398,7 @@ The following parameters are used in the JSON-encoded Credential Response body: * For a given Credential Dataset within the scope of a concrete Credential Format, if the Credential Dataset has not changed, the Credential Issuer MUST return the same Credential Dataset Version, even when issuing a new Credential instance with different cryptographic data, e.g., an Issuer signature. * If any claim value in the Credential Dataset changes, the Credential Issuer MUST assign a new Credential Dataset Version. * Wallets MUST compare Credential Dataset Version values for equality using simple string comparison with no normalization. - * Wallets MUST NOT infer ordering from Credential Dataset Version values. + * Wallets MUST NOT infer ordering, such as whether one value is newer or older than another, from Credential Dataset Version values. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. From d9e48b81ae3348dfe06c684bb28088f49be70ca1 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 12 Jun 2026 18:50:55 +0200 Subject: [PATCH 21/23] fix: improved backward compatibility note for wallets --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index 866295b9..d6e8e2ca 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1391,7 +1391,7 @@ The following parameters are used in the JSON-encoded Credential Response body: * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. * `credential_metadata`: OPTIONAL. Object that contains additional metadata specific to the issued Credential(s). The definitions and contained parameters for this Object are identical to the `credential_metadata` parameter as defined in Credential Issuer Metadata (see (#credential-issuer-metadata)) See (#display-metadata-considerations) for implementation considerations on credential metadata. -* `credential_dataset_version`: REQUIRED for the Issuer to return. A string containing the Credential Dataset Version associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. The Wallet MUST NOT expect the `credential_dataset_version` parameter to always be present in the Credential Response for backward compatibility with Issuers conforming to earlier versions of this specification. See (#credential-dataset-version-implementation) for implementation considerations. +* `credential_dataset_version`: REQUIRED for the Issuer to return. A string containing the Credential Dataset Version associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. Since Wallets might interact with Credential Issuers conforming to earlier versions of this specification that omit the `credential_dataset_version` parameter, Wallets MUST NOT rely on the parameter being present in every Credential Response. See (#credential-dataset-version-implementation) for implementation considerations. If the Credential Issuer includes the `credential_dataset_version` parameter, the following requirements apply: From 2f9a1fa6d5c2f1e505d5a2473940fad49c6aa727 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 12 Jun 2026 19:02:44 +0200 Subject: [PATCH 22/23] fix: applied Gareth's suggestion --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 1 + 1 file changed, 1 insertion(+) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index d6e8e2ca..f7c21bea 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -1399,6 +1399,7 @@ The following parameters are used in the JSON-encoded Credential Response body: * If any claim value in the Credential Dataset changes, the Credential Issuer MUST assign a new Credential Dataset Version. * Wallets MUST compare Credential Dataset Version values for equality using simple string comparison with no normalization. * Wallets MUST NOT infer ordering, such as whether one value is newer or older than another, from Credential Dataset Version values. + * Wallets SHOULD maintain active Credentials only from the latest received version of a Credential Dataset. If the Wallet is unable to determine the latest received version, it is RECOMMENDED that it make a new Credential Request. Additional Credential Response parameters MAY be defined and used. The Wallet MUST ignore any unrecognized parameters. From abd75280a23fa7cb8f4444f90bea8f39aa33f0aa Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Fri, 12 Jun 2026 19:21:25 +0200 Subject: [PATCH 23/23] fix: clarified that timestamps won't change the versioin --- 1.1/openid-4-verifiable-credential-issuance-1_1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/1.1/openid-4-verifiable-credential-issuance-1_1.md b/1.1/openid-4-verifiable-credential-issuance-1_1.md index f7c21bea..e46802ed 100644 --- a/1.1/openid-4-verifiable-credential-issuance-1_1.md +++ b/1.1/openid-4-verifiable-credential-issuance-1_1.md @@ -74,7 +74,7 @@ Credential Dataset: : A set of one or more claims about a subject, provided by a Credential Issuer. Credential Dataset Version -: A String that refers to a specific version of a Credential Dataset. This version is identical for multiple instances of a Credential that share the same Credential Dataset, even when the Credential instances differ in cryptographic data, e.g., an Issuer signature. When any of the claim values in the Credential Dataset change, a new Credential Dataset Version is assigned. Note that a Credential Dataset Version is bound to a specific Credential Format. +: A String that refers to a specific version of a Credential Dataset. This version is identical for multiple instances of a Credential that share the same Credential Dataset, even when the Credential instances differ in data that is not part of the Credential Dataset, such as cryptographic data (e.g., an Issuer signature) or timestamps. When any of the claim values in the Credential Dataset change, a new Credential Dataset Version is assigned. Note that a Credential Dataset Version is bound to a specific Credential Format. Credential (or Verifiable Credential (VC)): : An instance of a Credential Configuration with a particular Credential Dataset, that is signed by an Issuer and can be cryptographically verified. An Issuer may provide multiple Credentials as separate instances of the same Credential Configuration and Credential Dataset but with different cryptographic values. In this specification, the term "Verifiable Credential" is also referred to as "Credential". It's important to note that the use of the term "Credential" here differs from its usage in [@!OpenID.Core] and [@!RFC6749]. In this context, "Credential" specifically does not encompass other meanings such as passwords used for login credentials. @@ -2025,7 +2025,7 @@ The `credential_dataset_version` parameter enables Wallets to distinguish betwee Using a stable Credential Dataset Version for unchanged Credential Datasets prevents unnecessary churn for Wallets that use the Credential Dataset Version to replace or discard old Credential Datasets. -For example, a Credential Issuer can derive the Credential Dataset Version by computing a hash over a stable representation of only the Credential Dataset, rather than over the full Credential payload, so that cryptographic data, e.g., an Issuer signature, does not affect the result. +For example, a Credential Issuer can derive the Credential Dataset Version by computing a hash over a stable representation of only the Credential Dataset, rather than over the full Credential payload, so that data outside the Credential Dataset, such as cryptographic data (e.g., an Issuer signature) or timestamps, does not affect the result. The Credential Dataset Version value is intended only for equality checks and does not convey ordering; for example, a lexically greater value is not necessarily newer. Credential Dataset Version values are not comparable across different Credential Formats.