From 9519ae4883d6fa678e56648ba8d72a4f19ec6ab5 Mon Sep 17 00:00:00 2001 From: Dima Postnikov Date: Wed, 25 Mar 2026 12:20:44 +1100 Subject: [PATCH 1/4] Mention security analysis in 1.1 Applying PR694 1.0 changes to 1.1 --- 1.1/openid-4-verifiable-presentations-1_1.md | 28 +++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index a6c783a3..9227294a 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md @@ -1765,6 +1765,10 @@ While breaking changes to the specifications referenced in this specification ar # Security Considerations {#security_considerations} +## Formal Security Analysis + +The security properties of the OpenID for Verifiable Credentials family of specifications have been formally analyzed, see [@secanalysis.openid4vc]. + ## Preventing Replay of Verifiable Presentations {#preventing-replay} An attacker could try to inject Presentations obtained from (for example) a previous Authorization Response into another Authorization Response, thus impersonating the End-User that originally presented the respective Verifiable Presentation. Holder Binding aims to prevent such attacks. @@ -2367,6 +2371,26 @@ Ecosystems intending to use trusted authority mechanisms SHOULD ensure that the + + + Formal Security Analysis of the OpenID for Verifiable Presentations Specification (with DC API) + + + + + + + + + + + OpenID for Verifiable Credentials: Formal Security Analysis using the Web Infrastructure Model + + + + + + # OpenID4VP over the Digital Credentials API {#dc_api} This section defines how to use OpenID4VP with the Digital Credentials API. 
@@ -2544,6 +2568,8 @@ The audience for the response (for example, the `aud` value in a Key Binding JWT ## Security Considerations {#dc_api_security_considerations} +The security properties of the OpenID4VP protocol, when used in conjunction with the Digital Credentials API (DC API) [@!W3C.Digital_Credentials_API], have been formally analyzed, see [@secanalysis.openid4vp.dc]. + The following security considerations from OpenID4VP apply: * Preventing Replay of Verifiable Presentations as described in (#preventing-replay), with the difference that the origin is used instead of the Client Identifier to bind the response to the Client. @@ -2551,7 +2577,7 @@ The following security considerations from OpenID4VP apply: * VP Token abuse (#vp-token-abuse). * Encrypting an Unsigned Response as described in (#encrypting_unsigned_response). * TLS Requirements as described in (#tls-requirements). -* Always Use the Full Client Identifier as described in (#full-client-identifier) for signed requests. +* Always use the Full Client Identifier as described in (#full-client-identifier) for signed requests. * Security Checks on the Returned Credentials and Presentations as described in (#dcql_query_security). * DCQL Value Matching as described in (#dcql-value-matching). From cc9ac9c7bd0f7d8b9a33c80278e20bae3418e545 Mon Sep 17 00:00:00 2001 From: Dima Postnikov Date: Wed, 25 Mar 2026 12:27:41 +1100 Subject: [PATCH 2/4] Update openid-4-verifiable-presentations-1_0.md --- 1.0/openid-4-verifiable-presentations-1_0.md | 29 ++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/1.0/openid-4-verifiable-presentations-1_0.md b/1.0/openid-4-verifiable-presentations-1_0.md index 915752f7..254d7e7d 100644 --- a/1.0/openid-4-verifiable-presentations-1_0.md +++ b/1.0/openid-4-verifiable-presentations-1_0.md 
@@ -1769,6 +1769,10 @@ While breaking changes to the specifications referenced in this specification ar # Security Considerations {#security_considerations} +## Formal Security Analysis + +The security properties of the OpenID for Verifiable Credentials family of specifications have been formally analyzed, see [@secanalysis.openid4vc]. + ## Preventing Replay of Verifiable Presentations {#preventing-replay} An attacker could try to inject Presentations obtained from (for example) a previous Authorization Response into another Authorization Response, thus impersonating the End-User that originally presented the respective Verifiable Presentation. Holder Binding aims to prevent such attacks. @@ -2357,7 +2361,6 @@ Ecosystems intending to use trusted authority mechanisms SHOULD ensure that the - Named Information Hash Algorithm Registry @@ -2367,6 +2370,26 @@ Ecosystems intending to use trusted authority mechanisms SHOULD ensure that the + + + Formal Security Analysis of the OpenID for Verifiable Presentations Specification (with DC API) + + + + + + + + + + + OpenID for Verifiable Credentials: Formal Security Analysis using the Web Infrastructure Model + + + + + + # OpenID4VP over the Digital Credentials API {#dc_api} This section defines how to use OpenID4VP with the Digital Credentials API. @@ -2544,6 +2567,8 @@ The audience for the response (for example, the `aud` value in a Key Binding JWT ## Security Considerations {#dc_api_security_considerations} +The security properties of the OpenID4VP protocol, when used in conjunction with the Digital Credentials API (DC API) [@!W3C.Digital_Credentials_API], have been formally analyzed, see [@secanalysis.openid4vp.dc]. + The following security considerations from OpenID4VP apply: * Preventing Replay of Verifiable Presentations as described in (#preventing-replay), with the difference that the origin is used instead of the Client Identifier to bind the response to the Client. 
@@ -3570,4 +3595,4 @@ The technology described in this specification was made available from contribut -final - * https://openid.net/specs/openid-4-verifiable-presentations-1_0-final.html \ No newline at end of file + * https://openid.net/specs/openid-4-verifiable-presentations-1_0-final.html From 9191c4fc55132887d4c85030748a06699e748c6d Mon Sep 17 00:00:00 2001 From: Dima Postnikov Date: Wed, 25 Mar 2026 12:28:50 +1100 Subject: [PATCH 3/4] Typo --- 1.0/openid-4-verifiable-presentations-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.0/openid-4-verifiable-presentations-1_0.md b/1.0/openid-4-verifiable-presentations-1_0.md index 254d7e7d..44169951 100644 --- a/1.0/openid-4-verifiable-presentations-1_0.md +++ b/1.0/openid-4-verifiable-presentations-1_0.md @@ -2575,7 +2575,7 @@ The following security considerations from OpenID4VP apply: * End-User Authentication using Credentials as described in (#end-user-authentication-using-credentials). * Encrypting an Unsigned Response as described in (#encrypting_unsigned_response). * TLS Requirements as described in (#tls-requirements). -* Always Use the Full Client Identifier as described in (#full-client-identifier) for signed requests. +* Always use the Full Client Identifier as described in (#full-client-identifier) for signed requests. * Security Checks on the Returned Credentials and Presentations as described in (#dcql_query_security). * DCQL Value Matching as described in (#dcql-value-matching). From ba81f6fc7fb8cfe369ca21d3fdd895fafb126e12 Mon Sep 17 00:00:00 2001 From: Dima Postnikov Date: Wed, 25 Mar 2026 12:29:43 +1100 Subject: [PATCH 4/4] Remove space to align with 1.0 --- 1.1/openid-4-verifiable-presentations-1_1.md | 1 - 1 file changed, 1 deletion(-) diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index 9227294a..2b124ff8 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md 
@@ -2361,7 +2361,6 @@ Ecosystems intending to use trusted authority mechanisms SHOULD ensure that the - Named Information Hash Algorithm Registry
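Review bot: In [PATCH 1/4], hunk @@ -1765,6 +1765,10 @@ of 1.1/openid-4-verifiable-presentations-1_1.md, the sentence added under "## Formal Security Analysis" does not say which version of the specifications was analyzed, while the commit subject says the text is carried over from the 1.0 change. A reader of 1.1 can take it to mean that everything in 1.1 is covered by the analysis. Suggest naming the analyzed version or draft in the sentence. The new heading also has no explicit anchor, unlike the neighbouring `{#security_considerations}` and `{#preventing-replay}`; adding one (for example `{#formal-security-analysis}`) lets other sections reference it the same way. The anchor point applies equally to hunk @@ -1769,6 +1769,10 @@ in [PATCH 2/4].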
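Review bot: In [PATCH 1/4], hunk @@ -2544,6 +2568,8 @@, the sentence added to the DC API Security Considerations joins two clauses with a comma ("have been formally analyzed, see [@secanalysis.openid4vp.dc]") and gives no hint of what the analysis established. Suggest "... have been formally analyzed; see [@secanalysis.openid4vp.dc] for the properties and assumptions", so that an implementer does not read the sentence as a replacement for the list of considerations that follows it. The same wording is added in hunk @@ -2544,6 +2567,8 @@ of [PATCH 2/4].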
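Review bot: In [PATCH 1/4], hunk @@ -2551,7 +2577,7 @@, changing "Always Use the Full Client Identifier" to "Always use the Full Client Identifier" makes this bullet inconsistent with the other bullets in the list, which keep title case for the section they point to ("Encrypting an Unsigned Response", "Security Checks on the Returned Credentials and Presentations"). If the heading behind (#full-client-identifier) is title-cased, the bullet should keep "Use"; if the heading itself is lower-cased, that is worth saying in the commit message. The change is also unrelated to the subject "Mention security analysis in 1.1", and the same edit is repeated for 1.0 as a separate commit in [PATCH 3/4] under the subject "Typo"; consider moving both into one commit that states the reason.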
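Review bot: In [PATCH 2/4], hunk @@ -2357,7 +2361,6 @@ removes a line in the references block next to "Named Information Hash Algorithm Registry", and hunk @@ -3570,4 +3595,4 @@ only adds the missing newline at end of file; neither is related to the security-analysis text, and the subject "Update openid-4-verifiable-presentations-1_0.md" does not describe any of the changes. Suggest a subject that mirrors [PATCH 1/4] (for example "Mention security analysis in 1.0") and either dropping the whitespace changes or listing them in the commit body. [PATCH 4/4] then removes the corresponding line from 1.1 in hunk @@ -2361,7 +2361,6 @@, which would be unnecessary if the two files were aligned in a single whitespace-only commit.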