Help with SDR flow

[sk91]

Hi,

I am trying to do a simple demo leveraging the veramo framework, but have trouble nailing the sdr flow.

I have a verifier (Bank) which provides a service (Open bank account)
An issuer (company registrar) which can issue a 'CertificateOfIncorporation' credential
And a holder (company who wants to open a bank account)

at this point, all implemented as http servers, have web did in well-known did's and also define a Messaging service endpoint that should handle didcomm and sdr messages

I want to do the following flow:

apply for service on the verifier and get back sdr requremets

understand the missing credential that I need to submit

go to issuer and apply for that credential -> get back sdr requirements for the credential

fill the requirements (let's assume users fills thous manually)

respond to the sdr request and get a credential in return.

Then go ahead and send the credential to verifier

and get back accept or deny

Now, all of thous steps should happen asynchronously (since there might be a manual verification step that is required)

Here is my first attempt for verifier schema

{
         "issuer":"did:web:bank-selfkey.ngrok.io",
         "replyUrl":"https://bank-selfkey.ngrok.io/messaging",
         "claims":[
            {
               "reason":"Please provide your company name",
               "claimType":"legalName",
               "essential":true,
               "credentialContext":"https://platform.selfkey.org/contexts/kyc/v1.jsonld",
               "credentialType":"CertificateOfIncorporation",
               "issuers":[
                  {
                     "did":"did:web:issuer-selfkey.ngrok.io",
                     "url":"https:////issuer-selfkey.ngrok.io"
                  }
               ]
            },
            {
               "claimType":"legalEntityType",
               "essential":true,
               "credentialContext":"https://platform.selfkey.org/contexts/kyc/v1.jsonld",
               "credentialType":"CertificateOfIncorporation",
               "issuers":[
                  {
                     "did":"did:web:issuer-selfkey.ngrok.io",
                     "url":"https:////issuer-selfkey.ngrok.io"
                  }
               ]
            },
            {
               "claimType":"jurisdiction",
               "essential":true,
               "credentialContext":"https://platform.selfkey.org/contexts/kyc/v1.jsonld",
               "credentialType":"CertificateOfIncorporation",
               "issuers":[
                  {
                     "did":"did:web:issuer-selfkey.ngrok.io",
                     "url":"https:////issuer-selfkey.ngrok.io"
                  }
               ]
            },
            {
               "claimType":"foundingDate",
               "essential":true,
               "credentialContext":"https://platform.selfkey.org/contexts/kyc/v1.jsonld",
               "credentialType":"CertificateOfIncorporation",
               "issuers":[
                  {
                     "did":"did:web:issuer-selfkey.ngrok.io",
                     "url":"https:////issuer-selfkey.ngrok.io"
                  }
               ]
            }
         ]
      }
   }
   

and this one for issuer:

{
 "issuer":"did:web:issuer-selfkey.ngrok.io",
 "replyUrl":"https://issuer-selfkey.ngrok.io/messaging",
 "claims":[
    {
       "reason":"Please provide your company name",
       "claimType":"legalName",
       "essential":true
    },
    {
       "reason":"Please provide legal entity type",
       "claimType":"legalEntityType",
       "essential":true
    },
    {
       "reason":"Please provide legal jurisdiction",
       "claimType":"jurisdiction",
       "essential":true
    },
    {
       "reason":"Please provide founding date",
       "claimType":"foundingDate",
       "essential":true
    }
 ]
}

Still I have an issue to wrap my head around how to connect thous peaces in terms of veramo framework and sdr plugin
Can someone help with that?

[simibac]

I'm not a Veramo dev but currently experimenting with the library too, so take this answer with this in mind before it is confirmed by a Veramo dev.

If I understand your workflow correctly, the issuer makes a selective disclosure request (SDR) request to the holder. However, the holder does not hold any verifiable credentials (VC) initially. So there is no way for the holder to fulfil this SDR because he does not hold a VC that proofs his legalName or legalEntityType . Therefore, you shouldn't use SDRs to issue VCs.

When a VC for CertificateOfIncorporation is created and how it is validated is upto the issuer and cannot be implemented using Veramo. For example you could have a web form that lets the issuer enter these 4 fields legalName, legalEntityType, jurisdiction, foundingDate. The issuer backend verifies if those claims are valid according to their rules of validation (nothing to do with Veramo). AFAIK your second json cannot be used in this process and has to be replace with some logic in the issuer backend application. If the validation is successful, a VC can be created by the issuer which looks something like this:

{
  "credentialSubject": {
    "birthDate": "2021-03-15",
    "id": "did:ethr:rinkeby:0xb2e9fe08ca9a0323103883fe12c9609ed380f475"
  },
  "issuer": {
    "id": "did:web:uzh-veramo-cloud-agent.herokuapp.com"
  },
  "id": "did:ethr:rinkeby:0xb2e9fe08ca9a0323103883fe12c9609ed380f475",
  "type": [
    "VerifiableCredential",
    "CertificateOfIncorporation"
  ],
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://platform.selfkey.org/contexts/kyc/v1.jsonld"
  ],
  "issuanceDate": "2021-03-21T13:02:34.000Z",
  "proof": {
    "type": "JwtProof2020",
    "jwt": "ey..."
  }
}

Next the holder attempts to login at the Bank (verifier). The bank creates a SDR as you described in your first json and sent to the holder.

Using the VC from above, the holder is able to create a Verifiable Presentation (VP) which contains the VC along with some additional information and pass it to the verifier.

If my understanding about Veramo is correct, the following requests are needed for your workflow:

1. issuer agent calls /createVerifiableCredential -> send VC to the holder -> holder agent stores the VC in his agent
2. verifier agent calls /createSelectiveDisclosureRequest -> send SDR to the holder
3. holder agent calls /getVerifiableCredentialsForSdr with the given SDR -> list of relevant VCs
4. holder agent calls /createVerifiablePresentation with the returned VCs -> send to verifier
5. verifier agent calls /validatePresentationAgainstSdr in order to verify the presentation and grants access if successful

If you are using the Veramo CLI, I ran into an issue regarding the SDR response. I currently work on a similar workflow but I have not tested if this issue also exists on the cloud agent.

[awoie]

@sk91 Our current implementation of SDR is a custom Veramo flow. It's main purpose is requesting VCs wrapped in VPs from a holder. To issue VCs to a holder, you could use an SDR flow where the holder of the VP is the issuer, or you just transmit the VC directly. Note, we will soon add DIF Presentation Exchange and Credential Manifest through DIDComm. For this, we will use the present-proof-v2 and issue-creds-v2 flows. Those are DIDComm sub-protocols that make use of DIF PE and CM in a canonical way.

[simibac]

in terms of the current implemented flow we will publish a tutorial shortly -

Are you referring to this page here? Or Is that tutorial available somewhere else?

[jasheal]

Hi, The first part of the SDR request has been implemented here. The response part will be completed this week before open -sourcing the explorer.
https://github.com/veramolabs/agent-explorer/blob/feature/sdr-request/src/components/standard/CreateRequest.tsx

Is there anything else you would think helpful to have in the explorer when it's released this week?

[simibac]

Hi Jason, thanks for your reply, I really appreciate the help. The new forms look help a lot. I have built something very similar.

But where I still have some confusions is how the other party responds to the generated SDR. As a result of that SDR generator form we get a JWT. This JWT is then sent to the other party via the /messaging endpoint and is interpreted by the SDRMessageHandler. Is it already possible to automatically collect all required VCs to create a VP based on a given SDR? What I have tried to automate this is by gathering all the VCs with a request to /dataStoreORMGetVerifiableCredentialsByClaims for each required claim. The user only has to check if he is okay with disclosing all of these claims and can confirm with on click (similar to what is possible with uPort). Is that functionality already part of the core or is my approach currently the way to do it?

[jasheal]

You are very close. This functionality is already wrapped in getVerifiableCredentialsForSdr see http://veramo-agent.herokuapp.com/api-docs/#/default/getVerifiableCredentialsForSdr

It takes the sdr object from the message as its arg and returns all matching credentials . Your UI needs to handle selecting the correct credentials to include in the VP.

Also this is the code from DAF (what veramo used to be called) that I'm migrating. Theres a bunch of legacy code there but you'll get an idea.

Main SDR response (uses wallet connect as transport layer)
https://github.com/uport-project/daf-mobile/blob/feature/daf-7-upgrade/src/screens/main/Requests/SelectiveDisclosure.tsx

Selecting Credentials Hook
https://github.com/uport-project/daf-mobile/blob/feature/daf-7-upgrade/src/hooks/useSelectedCredentials.ts

Getting all credentials that match sdr
https://github.com/uport-project/daf-mobile/blob/feature/daf-7-upgrade/src/services/daf.ts#L22