index.html

<!DOCTYPE html>
<html>
<head>
  <title>Verifiable Credential Refresh 2021</title>
  <meta content='text/html; charset=utf-8' http-equiv='Content-Type'>
  <!--
    === NOTA BENE ===
    For the three scripts below, if your spec resides on dev.w3 you can check
    them out in the same tree and use relative links so that they'll work
    offline.
  -->

  <script class="remove"
    src="https://unpkg.com/browse/jquery/dist/jquery.min.js"></script>
  <script class="remove"
    src="https://www.w3.org/Tools/respec/respec-w3c"></script>
  <script class="removeOnSave"
    src="https://unpkg.com/reqlist/lib/reqlist.js"></script>
  <link class="removeOnSave" rel="stylesheet" type="text/css"
    href="https://unpkg.com/reqlist/lib/reqlist.css" />

  <script class='remove' src="./common.js"></script>
  <script class="remove" type="text/javascript">
  var respecConfig = {
    // the W3C WG and public mailing list
    group: "credentials",
    wgPublicList: "public-credentials",

    // the specification's short name, as in http://www.w3.org/TR/short-name/
    shortName: "vc-refresh-2021",

    // specification status (e.g., WD, LCWD, NOTE, etc.). If in doubt use ED.
    specStatus: "CG-DRAFT",

    // Editor's Draft URL
    edDraftURI: "https://w3c-ccg.github.io/vc-refresh-2021/",

    // subtitle for the spec
    subtitle: "A data model and protocol for refreshing Verifiable Credentials",

    // if you wish the publication date to be other than today, set this
    //publishDate:  "2021-08-03",

    // previously published draft, uncomment this and set its
    // YYYY-MM-DD date and its maturity status
    //previousPublishDate:  "2021-06-15",
    //previousMaturity:  "CR",

    // automatically allow term pluralization
    pluralize: true,

    // extend the bibliography entries
    localBiblio: ccg.localBiblio,
    xref: ["web-platform", "vc-data-model"],
    github: {
      repoURL: "https://github.com/w3c-ccg/vc-refresh-2021/",
      branch: "main"
    },
    includePermalinks: false,

    // Uncomment these to use the respec extension that generates a list of
    //   normative statements:
    preProcess: [/*prepare_reqlist*/],
    postProcess: [/*add_reqlist_button*/, restrictRefs],

    // list of specification editors
    editors: [
      {
        name: "Manu Sporny",
        url: "http://manu.sporny.org/",
        company: "Digital Bazaar",
        companyURL: "https://digitalbazaar.com/",
        w3cid: 41758
      }
    ],

    // list of specification authors
    authors: [{
        name: "Manu Sporny",
        url: "http://manu.sporny.org/",
        company: "Digital Bazaar",
        companyURL: "https://digitalbazaar.com/",
        w3cid: 41758
      },
      {
        name: "Dmitri Zagidulin",
        url: "https://github.com/dmitrizagidulin",
        company: "Digital Bazaar",
        companyURL: "https://digitalbazaar.com/"
      }
    ],
    otherLinks: [{
      key: "Related Documents",
      data: [{
        value: "Verifiable Credentials Data Model",
        href: "https://www.w3.org/TR/vc-data-model/"
      }, {
        value: "Verifiable Presentation Request",
        href: "https://w3c-ccg.github.io/vp-request-spec/"
      }, {
        value: "Verifiable Credentials API",
        href: "https://w3c-ccg.github.io/vc-api/"
      }]
    }]
    };
  </script>
  <style>
  pre .highlight {
    font-weight: bold;
    color: green;
  }
  pre .comment {
    color: SteelBlue;
    user-select: none;
  }
  code a[href] {
    color: inherit;
    border-bottom: none;
  }
  code a[href]:hover {
    border-bottom: 1px solid #c63501;
  }
  table.column-width-50 td {
    width: 50%;
  }
  .longdesc {
    display: none;
  }
  .longdesc:target {
    display: block;
    background-color: #ff9;
  }
  .algorithm ol {
    counter-reset: numsection;
    list-style-type: none;
  }
  .algorithm ol>li {
    margin: 0.5em 0;
  }
  .algorithm ol>li:before {
    font-weight: bold;
    counter-increment: numsection;
    content: counters(numsection, ".") ") ";
  }
  </style>
</head>
<body data-cite="infra rfc3986">
  <section id='abstract'>

    <p>
Verifiable Credentials can expire. It is useful to provide instructions on
refreshing the credential for the times when expiration is imminent or has
already occurred. The refresh can be performed manually or, with the prior
consent of the credential holder, automatically.
    </p>
    <p>
This document specifies manual and automatic refresh mechanisms that  Verifiable
Credential issuers can utilize to enhance the experience when using their
credentials.
    </p>
  </section>

  <section id='sotd'>
    <p>
Comments regarding this document are welcome. Please file issues
directly on <a href="https://github.com/w3c-ccg/vc-refresh-2021/issues/">GitHub</a>,
or send them
to <a href="mailto:public-credentials@w3.org">public-credentials@w3.org</a> (
<a href="mailto:public-credentials-request@w3.org?subject=subscribe">subscribe</a>,
<a href="https://lists.w3.org/Archives/Public/public-credentials/">archives</a>).
    </p>
  </section>

  <section class="informative">
    <h1>Introduction</h1>
    <p>
<a>Verifiable Credentials</a> can expire. It is useful to provide instructions on
refreshing the credential for the times when expiration is imminent or has
already occurred. The refresh can be performed manually or, with the prior
consent of the credential <a>holder</a>, automatically.
    </p>

    <section id="conformance">

      <p>
This document contains examples that contain JSON and JSON-LD content.
Some of these examples contain characters that are invalid, such as inline
comments (<code>//</code>) and the use of ellipsis (<code>...</code>) to denote
information that adds little value to the example. Implementers are cautioned to
remove this content if they desire to use the information as valid JSON
or JSON-LD.
      </p>

     <p>
A <dfn>conforming refresh client</dfn> is ...
     </p>

      <p>
A <dfn>conforming refresh server</dfn> is ...
      </p>

    </section>

    <section class="informative">
      <h2>Terminology</h2>

      <div data-include="terms.html">
      </div>
    </section>
  </section>

  <section>
    <h1>Refresh Data Model</h1>

    <p>
This specification utilizes the Verifiable Credentials data model
[[VC-DATA-MODEL]] and the
<a href="https://www.w3.org/TR/vc-data-model/#refreshing">Refreshing feature</a>
defined in that specification.
    </p>

    <p>
The refresh data model in this specification is expressed via the
<code>refreshService</code> property in a Verifiable Credential. The table
below provides the structure of the refresh service description.
    </p>

    <table class="simple">
      <thead>
        <tr>
          <th style="white-space: nowrap">Property</th>
          <th>Description</th>
        </tr>
      </thead>
      <tbody>
        <tr>
          <td>url</td>
          <td>
A mandatory URL that MUST be used to initiate a credential refresh.
          </td>
        </tr>
        <tr>
          <td>type</td>
          <td>
The `type` property MUST be either `MediatedRefreshService2021` or
`VerifiableCredentialRefreshService2021`.
          </td>
        </tr>
        <tr>
          <td>validFrom</td>
          <td>
An optional [[XMLSCHEMA11-2]] datetime value that specifies the earliest moment
in time that a refresh can be performed.
          </td>
        </tr>
        <tr>
          <td>validUntil</td>
          <td>
An optional [[XMLSCHEMA11-2]] datetime value that specifies the latest moment
in time that a refresh can be performed.
          </td>
        </tr>
      </tbody>
    </table>

    <p>
The example below demonstrates the use of the data model described in this
section to specify a manual refresh service:
    </p>

    <pre class="example nohighlight"
      title="Verifiable Credential specifying a manual credential refresh">
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1",
    "https://w3id.org/vc-refresh-service/v1"
  ],
  "id": "http://example.edu/credentials/3732",
  "type": ["VerifiableCredential", "UniversityDegreeCredential"],
  "issuer": "https://example.edu/issuers/14",
  "issuanceDate": "2010-01-01T19:23:24Z",
  "expirationDate": "2022-01-01T19:23:24Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "BachelorDegree",
      "name": "Bachelor of Science and Arts"
    }
  },
  <span class="highlight">"refreshService": {
    "type": "MediatedRefreshService2021",
    "url": "https://example.edu/refresh/3732",
    "validFrom": "2021-09-01T19:23:24Z"
  }</span>
}
    </pre>

    <p>
The example below demonstrates the use of the data model described in this
section to specify an automatic refresh service:
    </p>

    <pre class="example nohighlight"
      title="Verifiable Credential specifying a manual credential refresh">
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1",
    "https://w3id.org/vc-refresh-service/v1"
  ],
  "id": "http://example.edu/credentials/3732",
  "type": ["VerifiableCredential", "UniversityDegreeCredential"],
  "issuer": "https://example.edu/issuers/14",
  "issuanceDate": "2010-01-01T19:23:24Z",
  "expirationDate": "2022-01-01T19:23:24Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "BachelorDegree",
      "name": "Bachelor of Science and Arts"
    }
  },
  <span class="highlight">"refreshService": {
    "type": "VerifiableCredentialRefreshService2021",
    "url": "https://example.edu/workflows/refresh-degree",
    "validFrom": "2021-09-01T19:23:24Z",
    "validUntil": "2022-02-01T19:23:24Z"
  }</span>
}
    </pre>

    <p>
Performing an HTTP GET on the `https://example.edu/workflows/refresh-degree`
will initiate a presentation request using the Verifiable Credentials API
[[VC-API]].
    </p>

  </section>

  </section>

  <section>
    <h1>Refresh Protocol</h1>

    <p>
This section details the protocols that can be used to refresh a credential. In
general, all refresh protocols in this specification implement the
following general pattern.
    </p>

    <img src="diagrams/refresh-flow.svg">

    <section class="algorithm">
      <h2>MediatedRefreshService2021 Protocol</h2>

      <p>
The MediatedRefreshService2021 protocol is used when an <a>issuer</a> uses a refresh
prodedure that is non-automatable or requires an interactive exchange with the
<a>holder</a>. The manual refresh protocol consists of executing the following
steps:
      </p>

      <ol>
        <li>
The <a>holder</a> software extracts the `refreshService.type`,
`refreshService.url`, and `refreshService.validFrom` properties and saves
them as <em>type</em>, <em>url</em>, and <em>validFrom</em>, respectively.
        </li>
        <li>
If <em>type</em> does not equal `MediatedRefreshService2021`,
raise an `INVALID_REFRESH_ALGORITHM` exception.
        </li>
        <li>
If <em>validFrom</em> is defined, but expresses a datetime that is later
than the current datetime, raise a `REFRESH_NOT_ALLOWED` exception.
        </li>
        <li>
If <em>url</em> is not defined, raise an `INVALID_URL` exception.
        </li>
        <li>
Open an application, such as a Web browser, that is capable of handling
<em>url</em> and pass the value to be opened to the application.
        </li>
      </ol>

      <p>
The example below demonstrates what an HTTP client would perform after the
final step above:
      </p>

      <pre class="example"
        title="Step 1 (request to issuer): Initiate manual refresh interaction">
GET /refresh/3732 HTTP/1.1
Host: example.edu
Accept: text/html, */*
Accept-Encoding: gzip, deflate
      </pre>

    </section>

    <section class="algorithm">
      <h2>VerifiableCredentialRefreshService2021 Protocol</h2>

      <p>
The VerifiableCredentialRefreshService2021 protocol is used when an <a>issuer</a> uses a refresh
prodedure that does not require an interactive exchange with the
<a>holder</a> and is therefore, fully automatable. The auto refresh protocol
consists of executing the following steps:
      </p>

      <ol>
        <li>
The <a>holder</a> software extracts the `refreshService.type`,
`refreshService.url`, `refreshService.validFrom`, and
`refreshService.validUntil` properties and saves them as <em>type</em>,
<em>url</em>, <em>validFrom</em>,  and <em>validUntil</em>, respectively.
        </li>
        <li>
If <em>type</em> does not equal `VerifiableCredentialRefreshService2021`,
raise an `INVALID_REFRESH_ALGORITHM` exception.
        </li>
        <li>
If <em>validFrom</em> is defined, but expresses a datetime that is later
than the current datetime, raise a `REFRESH_NOT_ALLOWED` exception.
        </li>
        <li>
If <em>validUntil</em> is defined, but expresses a datetime that is before
the current datetime, raise a `REFRESH_NOT_ALLOWED` exception.
        </li>
        <li>
If <em>url</em> is not defined, raise an `INVALID_URL` exception.
        </li>
        <li>
Use an HTTP client to perform an HTTP GET on <em>url</em>. The response
from the server MUST be a Verifiable Presentation Request [[VP-REQUEST]] as
defined by the
<a href="https://w3c-ccg.github.io/vc-api/#presenting">Presenting</a>
section of the [[VC-API]] specification.
        </li>
      </ol>

      <p>
The following examples elaborate upon the flow of messages after the final step
above is executed:
      </p>

      <pre class="example"
        title="Step 1 (request to issuer): Initiate degree refresh workflow">
GET /workflows/refresh-degree HTTP/1.1
Host: example.edu
Content-Type: application/json
Accept: application/json, */*
Accept-Encoding: gzip, deflate
      </pre>

      <pre class="example"
        title="Step 2 (response from issuer): Verifiable Presentation Request">
HTTP/1.1 200 OK
Date: Fri, 14 Jun 2022 18:37:12 GMT
Connection: keep-alive

{
  "verifiablePresentationRequest": {
    "query": [{
        "type": "DIDAuth"
      }, {
        "type": "QueryByExample",
        "credentialQuery": {
          "reason": "We need to see your existing University Degree credential.",
          "example": {
            "@context": [
              "https://www.w3.org/2018/credentials/v1",
              "https://www.w3.org/2018/credentials/examples/v1"
            ],
            "type": "UniversityDegreeCredential"
          }
        }
      }],
      "challenge": "3182bdea-63d9-11ea-b6de-3b7c1404d57f",
      "domain": "example.edu",
      "interact": {
        "service": [{
          "type": "VerifiableCredentialRefreshService2021",
          "serviceEndpoint": "https://example.edu/active-flows/123456"
        }]
      }
    }
  }
}
      </pre>

      <p class="note">
While the example above utilizes a Verifiable Presentation Request [VP-REQUEST],
other types of equivalent presentation request formats, such as WACI/PeX, can be
utilized (simultaneously or alternatively) based on the presentation request
formats that are supported by the Issuer.
      </p>

      <pre class="example"
        title="Step 3 (presentation to issuer): Provide Verifiable Presentation">
POST /active-flows/123456 HTTP/1.1
Host: example.edu
Content-Type: application/json
Accept: application/json, */*
Accept-Encoding: gzip, deflate

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ],
  "type": ["VerifiablePresentation"],
  "holder": "did:example:ebfeb1f712ebc6f1c276e12ec21",
  "verifiableCredential": [{
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://www.w3.org/2018/credentials/examples/v1",
      "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "id": "http://example.edu/credentials/3732",
    "type": [
      "VerifiableCredential",
      "UniversityDegreeCredential"
    ],
    "issuer": "https://example.edu/issuers/14",
    "issuanceDate": "2010-01-01T19:23:24Z",
    "expirationDate": "2022-01-01T19:23:24Z",
    "credentialSubject": {
      "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
      "degree": {
        "type": "BachelorDegree",
        "name": "Bachelor of Science and Arts"
      }
    },
    "refreshService": {
      "type": "VerifiableCredentialRefreshService2021",
      "url": "https://example.edu/workflows/refresh-degree",
      "validFrom": "2021-09-01T19:23:24Z"
    },
    "proof": {
      "type": "Ed25519Signature2020",
      "created": "2021-12-05T17:59:45Z",
      "verificationMethod": "https://example.edu/issuers/14#key-1",
      "proofPurpose": "assertionMethod",
      "proofValue": "z2aArNcQKX9aqYK7GRZmV7c9xfGuwB5YAXhkYY9DTvLdTCQEsXaNpz1G
                     ZL9XDXdFQGT27WB68e2Y3wo9k75rka8oo"
    }
  }],
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2022-06-15T16:37:12Z",
    "verificationMethod": "did:example:76e12ec712ebc6f1c221ebfeb1f#key-1",
    "proofPurpose": "authentication",
    "challenge": "3182bdea-63d9-11ea-b6de-3b7c1404d57f",
    "domain": "example.edu",
    "proofValue": "z4aU6NSpnCvnjJqzAPw3cqJ1LKoWimEWxKz7StJYzwaZE2a3QAuK8vcq
                   umwr6uabr7RshvjH1yTv1fTuhPUii1fN"
  }
}
      </pre>

      <pre class="example"
        title="Step 4 (response from issuer): Re-issued Verifiable Credential">
HTTP/1.1 200 OK
Date: Fri, 14 Jun 2022 18:37:12 GMT
Connection: keep-alive

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "type": ["VerifiablePresentation"],
  "verifiableCredential": [{
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://www.w3.org/2018/credentials/examples/v1",
      "https://w3id.org/security/suites/ed25519-2020/v1"
    ],
    "id": "http://example.edu/credentials/3732",
    "type": [
      "VerifiableCredential",
      "UniversityDegreeCredential"
    ],
    "issuer": "https://example.edu/issuers/14",
    "issuanceDate": "2010-01-01T19:23:24Z",
    "expirationDate": "2027-06-14T18:37:12Z",
    "credentialSubject": {
      "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
      "degree": {
        "type": "BachelorDegree",
        "name": "Bachelor of Science and Arts"
      }
    },
    "refreshService": {
      "type": "VerifiableCredentialRefreshService2021",
      "url": "https://example.edu/workflows/refresh-degree",
      "validFrom": "2027-03-14T19:23:24Z",
      "validUntil": "2027-07-14T19:23:24Z"
    },
    "proof": {
      "type": "Ed25519Signature2020",
      "created": "2022-06-14T18:37:12Z",
      "verificationMethod": "https://example.edu/issuers/14#key-1",
      "proofPurpose": "assertionMethod",
      "proofValue": "z2aArNcQKX9aqYK7GRZmV7c9xfGuwB5YAXhkYY9DTvLdTCQEsXaNpz1G
                     ZL9XDXdFQGT27WB68e2Y3wo9k75rka8oo"
    }
  }]
}
      </pre>

    </section>

  </section>

</body>
</html>