italia · m-basili · Nov 22, 2024 · Nov 25, 2024 · Nov 26, 2024 · Nov 27, 2024
diff --git a/docs/common/common_definitions.rst b/docs/common/common_definitions.rst
@@ -51,10 +51,10 @@
 .. _JWS: https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature
 .. _EIDAS-ARF: https://github.com/eu-digital-identity-wallet/architecture-and-reference-framework
 .. _OpenID4VCI: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-13.html
-.. _SD-JWT: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10
+.. _SD-JWT: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-14
 .. _OpenID4VP: https://openid.net/specs/openid-4-verifiable-presentations-1_0-20.html
 .. _SIOPv2: https://openid.net/specs/openid-connect-self-issued-v2-1_0.html
-.. _SD-JWT-VC: https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/04/
+.. _SD-JWT-VC: https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/06/
 .. _PresentationExch: https://identity.foundation/presentation-exchange/spec/v2.0.0
 .. _JARM: https://openid.net/specs/oauth-v2-jarm-final.html
 .. _RFC 9449: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop
@@ -73,3 +73,4 @@
 .. _W3C-SRI: https://www.w3.org/TR/SRI/
 .. _OIDC-IDA: https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html
 .. _SPID/CIE-OpenID-Connect-Specifications: https://italia.github.io/spid-cie-oidc-docs/en
+.. _W3C.CSS-COLOR: https://www.w3.org/TR/css-color/
diff --git a/docs/en/pid-eaa-data-model.rst b/docs/en/pid-eaa-data-model.rst
diff --git a/docs/en/pid-eaa-entity-configuration.rst b/docs/en/pid-eaa-entity-configuration.rst
@@ -100,7 +100,7 @@ The *openid_credential_issuer* metadata MUST contain the following claims.
   * - **credential_configurations_supported**
     - JSON object that outlines the details of the Credential supported by the PID/(Q)EAA Provider. It includes a list of name/value pairs, where each name uniquely identifies a specific supported Credential. This identifier is utilized to inform the Wallet Instance which Credential can be provided by the PID/(Q)EAA Provider. The associated value within the object MUST contain metadata specific to that Credential, as defined following. See `OpenID4VCI`_ Sections 11.2.3 and A.3.2.
 
-        - **format**:  String identifying the format of this Credential. The PID/(Q)EAA MUST support the value string "*vc+sd-jwt*". See `OpenID4VCI`_ Section A.3.1.
+        - **format**:  String identifying the format of this Credential. The PID/(Q)EAA MUST support the value string "*dc+sd-jwt*". See `OpenID4VCI`_ Section A.3.1.
         - **scope**: JSON String identifying the supported *scope* value. The Wallet Instance MUST use this value in the Pushed Authorization Request. Scope values MUST be the entire set or a subset of the *scope* values in the *scopes_supported* parameter of the Authorization Server. [See `OpenID4VCI`_ Section  11.2.3].
         - **cryptographic_binding_methods_supported**: JSON Array of case sensitive strings that identify the representation of the cryptographic key material that the issued Credential is bound to. The PID/(Q)EAA Provider MUST support the value "*jwk*".
         - **credential_signing_alg_values_supported**: JSON Array of case sensitive strings that identify the algorithms that the PID/(Q)EAA Provider MUST support to sign the issued Credential. See Section :ref:`Cryptographic algorithms` for more details.

diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst
@@ -331,8 +331,8 @@ without encoding and signature. The JWT header:
     1. It MUST check that the PID/(Q)EAA Credential Response contains all the mandatory parameters and values are validated according to :ref:`Table of the credential response parameters <table_credential_response_claim>`.
     2. It MUST check the PID/(Q)EAA integrity by verifying the signature using the algorithm specified in the ``alg`` header parameter of SD-JWT (:ref:`PID/(Q)EAA Data Model <pid_eaa_data_model.rst>`) and the public key that is identified using the ``kid`` header of the SD-JWT.
     3. It MUST check that the received PID/(Q)EAA (in credential claim) matches the requested credential type and complies with the specific schema of that Credential defined in :ref:`PID/(Q)EAA Data Model <pid_eaa_data_model.rst>`.
-    4. It MUST process and verify the PID in SD-JWT VC format (according to `SD-JWT`_ Section 6.) or MDOC CBOR format. 
-    5. It MUST verify the Trust Chain in the header of SD-JWT VC to verify that the PID Provider is trusted.
+    4. It MUST process and verify the PID/(Q)EAA in SD-JWT VC format (according to `SD-JWT`_ Section 5.) or MDOC CBOR format. 
+    5. It MUST verify the Trust Chain in the header of SD-JWT VC to verify that the PID/(Q)EAA Provider is trusted.
 
 If the checks defined above are successful the Wallet Instance proceeds with the secure storage of the PID/(Q)EAA.
 
@@ -897,10 +897,10 @@ If the *DPoP proof* is invalid, the Credential endpoint returns an error respons
     - **Description**
     - **Reference**
   * - **format**
-    - Format of the Credential to be issued. This MUST be ``vc+sd-jwt`` or ``mso_mdoc``.
+    - Format of the Credential to be issued. This MUST be ``dc+sd-jwt`` or ``mso_mdoc``.
     - [`OpenID4VCI`_].
   * - **vct**
-    - CONDITIONAL. REQUIRED only if the *format* identifier is ``vc+sd-jwt``. 
+    - CONDITIONAL. REQUIRED only if the *format* identifier is ``dc+sd-jwt``. 
     - See Annex A3.4. of [`OpenID4VCI`_]
   * - **doctype**
     - CONDITIONAL. REQUIRED only if the *format* identifier is ``mso_mdoc``. 
@@ -969,7 +969,7 @@ The Credential Response contains the following parameters:
     - **Description**
     - **Reference**
   * - **credential**
-    - CONDITIONAL. REQUIRED if ``lead_time`` is not present. String Containing the issued PID/(Q)EAA. If the requested format identifier is ``vc+sd-jwt`` then the ``credential`` parameter MUST NOT be re-encoded. If the requested format identifier is ``mso_mdoc`` then the ``credential`` parameter MUST be a base64url-encoded representation of the issued Credential.
+    - CONDITIONAL. REQUIRED if ``lead_time`` is not present. String Containing the issued PID/(Q)EAA. If the requested format identifier is ``dc+sd-jwt`` then the ``credential`` parameter MUST NOT be re-encoded. If the requested format identifier is ``mso_mdoc`` then the ``credential`` parameter MUST be a base64url-encoded representation of the issued Credential.
     - Section 7.3, Annex A2.5 and Annex A3.5 of [`OpenID4VCI`_].
   * - **lead_time**
     - CONDITIONAL. REQUIRED if ``credential`` is not present. The amount of time (in seconds) required before making a new Credential Request.

diff --git a/docs/en/relying-party-entity-configuration.rst b/docs/en/relying-party-entity-configuration.rst
@@ -41,7 +41,7 @@ The *wallet_relying_party* metadata MUST contain the following parameters.
   * - **authorization_signed_response_alg**
     - String representing the signing [:rfc:`7515`] *alg* algorithm that MUST be used for signing authorization responses. The algorithm *none* MUST NOT be used. See `[oauth-v2-jarm-03] <https://openid.net/specs/oauth-v2-jarm-03.html>`_ Section 3.
   * - **vp_formats**
-    - JSON object defining the formats and proof types of Verifiable Presentations and Verifiable Credentials the RP supports. It consists of a list of name/value pairs, where each name uniquely identifies a supported type. The RP MUST support at least "*vc+sd-jwt*" according to `OPENID4VC-HAIP`_ Draft 00 Section 7.2.7. The value associated with each name/value pair MUST be a JSON object "**sd-jwt_alg_values**" that MUST contain a JSON array containing identifiers of cryptographic algorithms the RP supports for protection of a SD-JWT. The *alg* JOSE header (as defined in :rfc:`7515`) of the presented SD-JWT MUST match one of the array values. See also `OpenID4VP`_ Draft 20 Section 9.1.
+    - JSON object defining the formats and proof types of Verifiable Presentations and Verifiable Credentials the RP supports. It consists of a list of name/value pairs, where each name uniquely identifies a supported type. The RP MUST support at least "*dc+sd-jwt*" according to `OPENID4VC-HAIP`_ Draft 00 Section 7.2.7. The value associated with each name/value pair MUST be a JSON object "**sd-jwt_alg_values**" that MUST contain a JSON array containing identifiers of cryptographic algorithms the RP supports for protection of a SD-JWT. The *alg* JOSE header (as defined in :rfc:`7515`) of the presented SD-JWT MUST match one of the array values. See also `OpenID4VP`_ Draft 20 Section 9.1.
   * - **presentation_definitions_supported**
     - JSON Array of supported *presentation_definition* objects that MUST be compliant to the syntax defined in Section 5 of `[DIF.PresentationExchange] <https://identity.foundation/presentation-exchange/spec/v2.0.0/>`_ and Section 7.2.8 of `OPENID4VC-HAIP`_ Draft 00. For *presentation_definition* objects see also `OpenID4VP`_ Section 5.1.
   * - **jwks**

diff --git a/docs/en/remote-flow.rst b/docs/en/remote-flow.rst
@@ -114,7 +114,7 @@ A non-normative example of the HTTP request is represented below:
         "form_post.jwt"
       ],
       "vp_formats_supported": {
-        "vc+sd-jwt": {
+        "dc+sd-jwt": {
             "sd-jwt_alg_values": [
                 "ES256",
                 "ES384"
@@ -427,7 +427,7 @@ Below is a non-normative example of the decrypted payload of the JWT contained i
             {
                 "id": "PersonIdentificationData",
                 "path": "$.vp_token[0]",
-                "format": "vc+sd-jwt"
+                "format": "dc+sd-jwt"
             },
             {
                 "id": "WalletAttestation",

diff --git a/docs/en/ssi-introduction.rst b/docs/en/ssi-introduction.rst
@@ -12,7 +12,7 @@ The main difference between this new approach and the traditional IAM infrastruc
 
 Digital identity Wallet Architectures are significant in the field of data exchange and data governance. In accordance with the  eIDAS Regulation, a new digital identity paradigm is designed for European Users - be they citizens, public administrations, or companies - who want to access another Member State's services using their national authentication systems.
 
-The main roles in a Wallet ecosystem are are listed as follow:
+The main roles in a Wallet ecosystem are listed as follow:
 
  - Issuers: parties who can issue digital credentials about a person;
  - Verifiers: parties who request Holders' digital credentials for authentication and authorization purposes;

diff --git a/docs/en/trust.rst b/docs/en/trust.rst
@@ -28,8 +28,7 @@ except for Wallet Instances which are End-User's personal devices certified by t
 .. note::
     The Wallet Instance, as a personal device, is certified as reliable through a verifiable attestation issued and signed by a trusted third party.
 
-    This is called *Wallet Attestation* and is documented in `the dedicated section  <Wallet Attestation>`_.
-
+    This is called *Wallet Attestation* and is documented in `the dedicated section  <wallet-attestation.html>`_.
 
 Below the table with the summary of the Federation Entity roles, mapped on the corresponding EUDI Wallet roles, as defined in the `EIDAS-ARF`_.
 
@@ -513,7 +512,7 @@ Below there is a non-normative example of an Subordinate Statement issued by an
                       ]
                 },
                 "vp_formats": {
-                    "vc+sd-jwt": {
+                    "dc+sd-jwt": {
                         "sd-jwt_alg_values": [
                             "ES256",
                             "ES384"

diff --git a/docs/en/wallet-attestation.rst b/docs/en/wallet-attestation.rst
@@ -366,7 +366,7 @@ Below an non-normative example of the Wallet Attestation without encoding and si
       "form_post.jwt"
     ],
     "vp_formats_supported": {
-        "vc+sd-jwt": {
+        "dc+sd-jwt": {
             "sd-jwt_alg_values": [
                 "ES256",
                 "ES384"

diff --git a/examples/credential-request.json b/examples/credential-request.json
@@ -1,5 +1,5 @@
 {
-    "format": "vc+sd-jwt",
+    "format": "dc+sd-jwt",
     "vct": "EuropeanDisabilityCard",
     "proof": {
       "proof_type": "jwt",

diff --git a/examples/ec-eaa.json b/examples/ec-eaa.json
@@ -103,7 +103,7 @@
             ],
             "credential_configurations_supported": {
                 "EuropeanDisabilityCard": {
-                    "format": "vc+sd-jwt",
+                    "format": "dc+sd-jwt",
                     "scope": "EuropeanDisabilityCard",
                     "cryptographic_binding_methods_supported": [
                         "jwk"
@@ -186,15 +186,15 @@
                                 }
                             ]
                         },
-                        "tax_id_code": {
+                        "personal_administrative_number": {
                             "value_type": "string",
                             "display": [
                                 {
                                     "name": "Codice Fiscale",
                                     "locale": "it-IT"
                                 },
                                 {
-                                    "name": "Tax Id Number",
+                                    "name": "Tax Identification Number",
                                     "locale": "en-US"
                                 }
                             ]
@@ -254,7 +254,7 @@
                     }
                 },
                 "MDL": {
-                    "format": "vc+sd-jwt",
+                    "format": "dc+sd-jwt",
                     "scope": "MDL",
                     "cryptographic_binding_methods_supported": [
                         "jwk"
@@ -509,7 +509,7 @@
                 "A256GCM"
             ],
             "vp_formats": {
-                "vc+sd-jwt": {
+                "dc+sd-jwt": {
                     "sd-jwt_alg_values": [
                         "ES256",
                         "ES384",
@@ -524,7 +524,7 @@
                         {
                             "id": "PersonIdentificationData",
                             "format": {
-                                "vc+sd-jwt": {
+                                "dc+sd-jwt": {
                                     "alg": [
                                         "ES256",
                                         "ES384",
@@ -553,12 +553,7 @@
                                         },
                                         {
                                             "path": [
-                                                "$.unique_id"
-                                            ]
-                                        },
-                                        {
-                                            "path": [
-                                                "$.tax_id_code"
+                                                "$.personal_administrative_number"
                                             ]
                                         }
                                     ]

diff --git a/examples/ec-rp.json b/examples/ec-rp.json
@@ -45,7 +45,7 @@
             ],
             "authorization_signed_response_alg": "ES256",
             "vp_formats": {
-                "vc+sd-jwt": {
+                "dc+sd-jwt": {
                     "sd-jwt_alg_values": [
                         "ES256",
                         "ES384",
@@ -62,7 +62,7 @@
                             "name": "Person Identification Data",
                             "purpose": "User Authentication",
                             "format": {
-                                "vc+sd-jwt": {
+                                "dc+sd-jwt": {
                                     "alg": [
                                         "ES256",
                                         "ES384",
@@ -92,12 +92,7 @@
                                     },
                                     {
                                         "path": [
-                                            "$.unique_id"
-                                        ]
-                                    },
-                                    {
-                                        "path": [
-                                            "$.tax_id_code"
+                                            "$.personal_administrative_number"
                                         ]
                                     }
                                 ]

diff --git a/examples/pid-json-example-payload.json b/examples/pid-json-example-payload.json
@@ -10,16 +10,22 @@
   },
   "vct": "https://pidprovider.example.org/v1.0/personidentificationdata",
   "vct#integrity": "c5f73e250fe869f24d15118acce286c9bb56b63a443dc85af653cd73f6078b1f",
-  "verification": {
-    "trust_framework": "eidas",
-    "assurance_level": "high",
-    "evidence": {
-      "method": "cie"
+  "verification": [
+    {
+      "type": "vouch",
+      "time": "2020-03-19T12:42Z",
+      "attestation": {
+        "type": "digital_attestation",
+        "reference_number": "6485-1619-3976-6671",
+        "date_of_issuance": "2020-03-19T12:43Z",
+        "voucher": {
+          "organization": "Ministero dell'interno"
+        }
+      }
     }
-  },
-  "unique_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+  ],
   "given_name": "Mario",
   "family_name": "Rossi",
   "birth_date": "1980-01-10",
-  "tax_id_code": "TINIT-XXXXXXXXXXXXXXXX"
+  "personal_administrative_number": "TINIT-XXXXXXXXXXXXXXXX"
 }
diff --git a/examples/pid-mdoc-cbor-example.txt b/examples/pid-mdoc-cbor-example.txt
@@ -27,11 +27,10 @@
                           3: h'E2382149255AE8E955AF9B8984395…',                                        
                           4: h'BBC77E6CCA981A3AD0C3E544EDF86…',                                     
                           6: h'BB6E6C68D1B4B4EC5A2AE9206F5t4…',
-                          7: h'F8A5966E6DAC9970E0334D8F75E25…',              
-                          8: h'DEFDF1AA746718016EF1B94BFE5R6…'
+                          7: h'F8A5966E6DAC9970E0334D8F75E25…'
                       },
                       "eu.europa.ec.eudiw.pid.it.1": {  
-                          9: h'F9EE4D36F67DBD75E23311AC1C29…'
+                          8: h'F9EE4D36F67DBD75E23311AC1C29…'
                       }
                   },                             
                   "deviceKeyInfo": {                              
@@ -89,7 +88,7 @@
                   "elementIdentifier": "given_name",
                   "elementValue": "Mario"                             
                   }                         
-              >>)),            
+              >>),            
               24(<<                            
                   {                               
                   "digestID": 6,                             
@@ -104,24 +103,16 @@
                   "random": h'6059FF1CE27B4997B4ADE1DE7B01DC60',
                   "elementIdentifier": "birth_date",
                   "elementValue": 1004("1956-01-12")% the tag 1004 defines the value    
-                                                      is a full date 
+                    is a full date 
                   }  
-              >>),         
-              24(<<  
-                  {                              
-                  "digestID": 8,                              
-                  "random": h'53C15C57B3B076E788795829190220B4',
-                  "elementIdentifier": "unique_id",
-                  "elementValue": "xxxxxxxx-xxx-xxxx-xxxxxxxxxxxx" 
-                  }   
               >>)
               ],
               "eu.europa.ec.eudiw.pid.it.1": [
                   24(<<
                       {
-                      "digestID": 9, 
+                      "digestID": 8, 
                       "random": h'11aa7273a2d2daa973f5951f0c34c2fbae',
-                      "elementIdentifier": "tax_id_number", 
+                      "elementIdentifier": "personal_administrative_number", 
                       "elementValue": "TINIT-XXXXXXXXXXXXXXX"
                       }                         
                   >>)                    

diff --git a/examples/pid-sd-jwt-example-header.json b/examples/pid-sd-jwt-example-header.json
@@ -1,5 +1,5 @@
 {
-  "typ":"vc+sd-jwt",
+  "typ":"dc+sd-jwt",
   "alg":"ES256",
   "kid":"dB67gL7ck3TFiIAf7N6_7SHvqk0MDYMEQcoGGlkUAAw",
   "trust_chain" : [

diff --git a/examples/pid-sd-jwt-example-payload.json b/examples/pid-sd-jwt-example-payload.json
@@ -1,14 +1,13 @@
 {
   "_sd": [
-    "BoMGktW1rbikntw8Fzx_BeL4YbAndr6AHsdgpatFCig",
-    "ENNo31jfzFp8Y2DW0R-fIMeWwe7ELGvGoHMwMBpu14E",
+    "4KfNcVziiuiktw8UMBaZQBRlLorpAhFz2ii37niYF2Q",
     "VQI-S1mT1Kxfq2o8J9io7xMMX2MIxaG9M9PeJVqrMcA",
     "Yrc-s-WSr4exEYtqDEsmRl7spoVfmBxixP12e4syqNE",
+    "egljN30TYCjSEtzVszDFWbryYskAOEmM3TKT2X2fdpA",
     "s1XK5f2pM3-aFTauXhmvd9pyQTJ6FMUhc-JXfHrxhLk",
     "zVdghcmClMVWlUgGsGpSkCPkEHZ4u9oWj1SlIBlCc1o"
   ],
   "iss": "https://pidprovider.example.org",
-  "iat": 1683000000,
   "exp": 1883000000,
   "sub": "NzbLsXh8uDCcd7noWXFZAfHkxZsRGC9Xs",
   "status": {
@@ -18,13 +17,6 @@
   },
   "vct": "https://pidprovider.example.org/v1.0/personidentificationdata",
   "vct#integrity": "c5f73e250fe869f24d15118acce286c9bb56b63a443dc85af653cd73f6078b1f",
-  "verification": {
-    "trust_framework": "eidas",
-    "assurance_level": "high",
-    "evidence": {
-      "method": "cie"
-    }
-  },
   "_sd_alg": "sha-256",
   "cnf": {
     "jwk": {