Version: Next

Process Flows

This document describes the key protocol flows implemented by the TSG Wallet, showing how W3C and other standards are applied in practice for credential and identity operations.

Note: These flows represent the Wallet's implementation of standard protocols. For system-wide data space flows, see the Architecture Documentation.

Core Wallet Flows

The Wallet implements several key protocol flows that form the foundation of data space identity operations:

Authentication flow

The authentication flows run either between the wallet and its UI, or between the wallet and an external system that lies within the wallet's own security domain.

Frontend

External system

Verifiable Presentation verification flow

Issuance flow

This flow describes the process of exchanging a new credential between two Wallet instances.

Presentation Protocol(s)

Different protocols for exchanging Verifiable Presentations between the holder of credentials and the verifier can be used in different scenarios.

Currently three protocols are implemented or are candidates for implementation in the Wallet:

  • Eclipse Decentralized Claims Protocol: a protocol providing a machine-to-machine interface for exchanging Verifiable Presentations
  • OpenID 4 Verifiable Presentations: a draft specification from the OpenID foundation

Eclipse Decentralized Claims Protocol (DCP)

The Eclipse Decentralized Claims Protocol (DCP) defines protocols for credential issuance and presentation. The TSG Wallet implements the Eclipse DCP Presentation Protocol for exchanging Verifiable Presentations. The foundational standards used in this protocol are:

The sequence diagram below shows the interactions between the wallets and control planes of the verifier and holder.

A more detailed explanation of the steps in the sequence diagram is provided in the list below:

  1. Request a Self Issued ID token targeted at the verifier (audience) with an automatically generated access token for the verifier to request the presentation, with an optional scope to limit the access to certain credentials.
    Note: Scopes are currently accepted but not used.
  2. ID token signed with the default key defined in the wallet.
  3. Data Space Protocol Request with the id_token as Bearer token in the Authorization header.
  4. Verification request with the holder's id_token and a presentation definition according to the DIF Presentation Definition specification.
  5. Validation of the holder's id_token, which additionally requires resolution of the holder's DID document to retrieve the public key material used to sign the id_token.
  6. Create a Self Issued ID token targeted at the holder (audience) incorporating the access token from the holder's id_token.
  7. Retrieve the "Presentation" service from the holder's DID document to find the service endpoint for requesting the presentation.
  8. Request the presentation at the service endpoint with the presentation definition and the id_token as Bearer token in the Authorization header.
  9. Validate the verifier's id_token and the access token inside the id_token.
  10. Find matching credentials based on the presentation definition and the scope of the access token, and generate a presentation submission according to the DIF Presentation Submission specification.
    Note: Scopes are currently accepted but not used.
  11. Return the Verifiable Presentation in JWT format accompanied by the presentation submission.
  12. Validate the Verifiable Presentation and validate whether it matches the requested presentation definition.
  13. Return the Verifiable Presentation when all checks are successful.
  14. Response to the original DSP request.

Credential status protocols

BitstringStatusList

The TSG Wallet supports Bitstring Status List v1.0, which lets an issuer publish dynamic status information for the credentials it has issued.

The current implementation supports the revocation status purpose for credentials of which the TSG Wallet is the issuer. For credentials issued by external wallet implementations, the TSG Wallet can additionally evaluate the refresh, suspension, and message purposes.