3. Credential Format¶
This section extends the information that the following documents provide about Gaia-X Credentials:
- the Gaia-X Architecture Document, which
- defines the Conceptual Model of entities that can have Gaia-X Credentials (ServiceOfferings, their Providers, and the Resources they aggregate), and
- introduces Gaia-X Credentials and their lifecycle on a high level
- the Gaia-X Compliance Document, which defines the Gaia-X conformity assessment schemes and the requirements for the respective Trust Anchors.
- the Gaia-X Ontology containing the models to automate the Gaia-X Compliance.
3.1 Gaia-X Credential Format¶
A Gaia-X Credential is a Verifiable Credential (VC) following the W3C Verifiable Credentials Data Model 2.0 and using the Gaia-X Ontology, which is available via the Gaia-X Registry. A holder can put several Gaia-X Credentials together to build a Verifiable Presentation (VP).
A Verifiable Presentation contains one or more Verifiable Credentials with individually disclosed claims, packaged in such a way that the authorship of the data is verifiable. It SHOULD be extremely short-lived and bound to a challenge provided by a verifier. Each Verifiable Credential, which might come from a different issuer, contains signed claims about one or more subjects.
This section extends the W3C Verifiable Credentials Data Model v2.0 to specify how it shall be applied in the scope of Gaia-X.
3.1.1 Gaia-X Credential Example¶
The following listing shows an example of a Gaia-X Credential document before becoming a Verifiable Credential.
Example Verifiable Credential
eyJhbGciOiJQUzI1NiIsInR5cCI6InZjK2xkK2pzb24rand0IiwiY3R5IjoidmMrbGQranNvbiIsImtpZCI6ImRpZDp3ZWI6ZXhhbXBsZS5vcmcjSldLMjAyMC1SU0EifQ.eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MiJdLCJAdHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIkxlZ2FsUGFydGljaXBhbnQiXSwiQGlkIjoiaHR0cHM6Ly9leGFtcGxlLm9yZy9sZWdhbC1wYXJ0aWNpcGFudC82OGE1YmJlYTk1MThlN2UyYWMxY2M3NWJjYzg4MTlhN2VkZDVjNDcxMWUwNzNmZmE0YmIyNjAwMzRkYzY0MjNjL2RhdGEuanNvbiIsImlzc3VlciI6ImRpZDp3ZWI6ZXhhbXBsZS5vcmciLCJ2YWxpZEZyb20iOiIyMDI0LTA0LTAxVDEyOjI2OjIyLjYwMTUxNiswMDowMCIsInZhbGlkVW50aWwiOiIyMDI0LTAxLTAxVDEyOjI2OjIyLjYwMTUxNiswMDowMCIsImNyZWRlbnRpYWxTdWJqZWN0Ijp7IkBjb250ZXh0IjpbImh0dHBzOi8vcmVnaXN0cnkubGFiLmdhaWEteC5ldS92MS9hcGkvdHJ1c3RlZC1zaGFwZS1yZWdpc3RyeS92MS9zaGFwZXMvanNvbmxkL3RydXN0ZnJhbWV3b3JrIyJdLCJpZCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvbGVnYWwtcGFydGljaXBhbnQtanNvbi82OGE1YmJlYTk1MThlN2UyYWMxY2M3NWJjYzg4MTlhN2VkZDVjNDcxMWUwNzNmZmE0YmIyNjAwMzRkYzY0MjNjL2RhdGEuanNvbiIsInR5cGUiOiJneDpMZWdhbFBhcnRpY2lwYW50IiwiZ3g6bGVnYWxOYW1lIjoiRXhhbXBsZSBPcmciLCJneDpsZWdhbFJlZ2lzdHJhdGlvbk51bWJlciI6eyJpZCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvZ2FpYXgtbGVnYWwtcmVnaXN0cmF0aW9uLW51bWJlci82OGE1YmJlYTk1MThlN2UyYWMxY2M3NWJjYzg4MTlhN2VkZDVjNDcxMWUwNzNmZmE0YmIyNjAwMzRkYzY0MjNjL2RhdGEuanNvbiJ9LCJneDpoZWFkcXVhcnRlckFkZHJlc3MiOnsiZ3g6Y291bnRyeVN1YmRpdmlzaW9uQ29kZSI6IkZSLTc1In0sImd4OmxlZ2FsQWRkcmVzcyI6eyJneDpjb3VudHJ5U3ViZGl2aXNpb25Db2RlIjoiRlItNzUifX19.NxVb_3t8WE0XWelPZsaKAcME8E28Vi5H0utVvJeYCr6cGKfj9Snl2C7buSpJIz-ZoPAKQJLKK1gWHsMh5Ge1I99vhZZ61vsGBfjLO0gFhLBwpriLMW7YkJnKD4QoTv-RxBX3JCakUCE_vkSceUOeRUfJKfEEfbyAAMjBnRZsbeH7xt5MLrs482TxYx2HhSdNkxVZU4UHK0hGSauoGfZrHV5e7XT4N2q4vXIRfN3iihYbw4-27sSDgNwOkuY34lWwRZSQsP3PoBneJcH0KDvEPgKvOt8V9ZM78wbyH9NIae8qAEKwVNF61cs3XQx6-0bqI6h0n9I4C93ShXxrqmjgTA
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC7VJTUt9Us8cKj
MzEfYyjiWA4R4/M2bS1GB4t7NXp98C3SC6dVMvDuictGeurT8jNbvJZHtCSuYEvu
NMoSfm76oqFvAp8Gy0iz5sxjZmSnXyCdPEovGhLa0VzMaQ8s+CLOyS56YyCFGeJZ
qgtzJ6GR3eqoYSW9b9UMvkBpZODSctWSNGj3P7jRFDO5VoTwCQAWbFnOjDfH5Ulg
p2PKSQnSJP3AJLQNFNe7br1XbrhV//eO+t51mIpGSDCUv3E0DDFcWDTH9cXDTTlR
ZVEiR2BwpZOOkE/Z0/BVnhZYL71oZV34bKfWjQIt6V/isSMahdsAASACp4ZTGtwi
VuNd9tybAgMBAAECggEBAKTmjaS6tkK8BlPXClTQ2vpz/N6uxDeS35mXpqasqskV
laAidgg/sWqpjXDbXr93otIMLlWsM+X0CqMDgSXKejLS2jx4GDjI1ZTXg++0AMJ8
sJ74pWzVDOfmCEQ/7wXs3+cbnXhKriO8Z036q92Qc1+N87SI38nkGa0ABH9CN83H
mQqt4fB7UdHzuIRe/me2PGhIq5ZBzj6h3BpoPGzEP+x3l9YmK8t/1cN0pqI+dQwY
dgfGjackLu/2qH80MCF7IyQaseZUOJyKrCLtSD/Iixv/hzDEUPfOCjFDgTpzf3cw
ta8+oE4wHCo1iI1/4TlPkwmXx4qSXtmw4aQPz7IDQvECgYEA8KNThCO2gsC2I9PQ
DM/8Cw0O983WCDY+oi+7JPiNAJwv5DYBqEZB1QYdj06YD16XlC/HAZMsMku1na2T
N0driwenQQWzoev3g2S7gRDoS/FCJSI3jJ+kjgtaA7Qmzlgk1TxODN+G1H91HW7t
0l7VnL27IWyYo2qRRK3jzxqUiPUCgYEAx0oQs2reBQGMVZnApD1jeq7n4MvNLcPv
t8b/eU9iUv6Y4Mj0Suo/AU8lYZXm8ubbqAlwz2VSVunD2tOplHyMUrtCtObAfVDU
AhCndKaA9gApgfb3xw1IKbuQ1u4IF1FJl3VtumfQn//LiH1B3rXhcdyo3/vIttEk
48RakUKClU8CgYEAzV7W3COOlDDcQd935DdtKBFRAPRPAlspQUnzMi5eSHMD/ISL
DY5IiQHbIH83D4bvXq0X7qQoSBSNP7Dvv3HYuqMhf0DaegrlBuJllFVVq9qPVRnK
xt1Il2HgxOBvbhOT+9in1BzA+YJ99UzC85O0Qz06A+CmtHEy4aZ2kj5hHjECgYEA
mNS4+A8Fkss8Js1RieK2LniBxMgmYml3pfVLKGnzmng7H2+cwPLhPIzIuwytXywh
2bzbsYEfYx3EoEVgMEpPhoarQnYPukrJO4gwE2o5Te6T5mJSZGlQJQj9q4ZB2Dfz
et6INsK0oG8XVGXSpQvQh3RUYekCZQkBBFcpqWpbIEsCgYAnM3DQf3FJoSnXaMhr
VBIovic5l0xFkEHskAjFTevO86Fsz1C2aSeRKSqGFoOQ0tmJzBEs1R6KqnHInicD
TQrKhArgLXX4v3CddjfTRJkFWDbE/CkvKZNOrcf1nhaGCPspRJj2KUkj1Fhl9Cnc
dn/RsYEONbwQSjIfMPkvxF+8HQ==
-----END PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
mwIDAQAB
-----END PUBLIC KEY-----
3.2 Digital Signature Standard¶
This document follows the FIPS 186-5 standard on Digital Signature Standard (DSS).
3.3 Decentralized Identifiers¶
This section extends the W3C Decentralized Identifiers specification to specify how it shall be applied in the scope of Gaia-X.
3.3.1 Verification Methods¶
To ensure a Gaia-X Credential's integrity and authenticity, its claims MUST be cryptographically signed by the Participant that is issuing them. This makes tampering detectable and allows the origin of the claims to be checked technically.
The supported verification methods are described below.
3.3.1.1 JSON Web Key¶
This section extends the specification from the W3C JSON Web Key.
A Verifiable Credential is Gaia-X Conformant if:
- it is signed by a trusted issuer present in the Gaia-X Registry
- its issuer has a verifiable identity coming from one of the Trust Anchors
- it complies with the Gaia-X Ontology SHACL shapes
- it uses the enveloping proof encoding specified by this document
Without a means to link the issuer’s verification method to a Gaia-X Trust Anchor, the Gaia-X Compliance verification will fail.
To be able to assess the chain of trust, the `publicKeyJwk` property MUST include either the RFC 7517 `x5c` (X.509 Certificate Chain) parameter or the RFC 7517 `x5u` (X.509 URL) parameter. The `x5u` parameter should be resolvable to an X.509 `.crt`, `.pem`, `.der` or `.p7b` file which contains a valid Gaia-X Trust Anchor eligible for the signed claims.
To ensure the correct cryptographic tools are used with the public key, the `alg` property MUST be specified; its value must be one of the `alg` values defined by the JSON Web Algorithms RFC 7518.
Example of verificationMethod
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/jwk/v1"
],
"id": "did:web:example.org",
"verificationMethod": [
{
"id": "did:web:example.org#JWK-RSA",
"type": "JsonWebKey",
"controller": "did:web:example.org",
"publicKeyJwk": {
"kty": "RSA",
"n": "0oxjNiK1D5lcowRFjpzY8AY8DwkH5I4mXnz9f4ILcFIV8HG3EyWnAkYgf5EJO91P7t4NHESxuNvSXSSYe5UBizWXNfmKClX2l3g0-6Iw0amxtdgrAmX-HxOprdxfBMt1xRwf6B4M9CQzGBIDAMW5B8-zJsbnGPIz0iWJ2qdFvtPtD3He3ds7azrcLmEaQLqg2yw7Fw5xwmSRodYasXIOhk1Wg4lqiJp2bG9JBaWdJW7Q2kee39UxnAXCQKmflkQuPAALxj5C-5436n0--64Xd6JH6QeaKgyQPGLEEVwvNibiZD8PcbXqyCDCNBD7DmTOTLfjz03qH5qjYvpuo5K6Aw",
"e": "AQAB",
"kid": "q44a8UEJIUNs43nWyLSCxNQXQRB40ccilgRqsZ7n0Og",
"alg": "PS256",
"x5u": "https://example.org/.well-known/chain.pem"
}
}
],
"authentication": [
"did:web:example.org#JWK-RSA"
],
"assertionMethod": [
"did:web:example.org#JWK-RSA"
]
}
3.4 Use of Identifiers in Gaia-X Credentials¶
Each of the following MUST have a different identifier:
- a Verifiable Presentation
- a Verifiable Credential inside a Verifiable Presentation
- the subject of a Verifiable Credential, i.e., the Conceptual Model entity that claims are made about.
Gaia-X Credentials MAY reference other Gaia-X Credentials. Consider, for example, a ServiceOffering that:
- is provided by a Provider,
- is a composition of other ServiceOfferings, or
- is an aggregation of Resources.
3.5 Verifiable Credential and Verifiable Presentation¶
This section extends the W3C Verifiable Credentials Data Model v2.0 to specify how it shall be applied in the scope of Gaia-X.
3.5.1 Namespace Bindings and Contexts¶
On the level of the Verifiable Presentation and the Verifiable Credentials contained in it, a Gaia-X Credential MUST adhere to the vocabulary of the Verifiable Credentials Data Model, i.e., use terms from the https://www.w3.org/2018/credentials# namespace.
To enable human authors of Gaia-X Credentials to write down these terms conveniently, they MAY, by using the `@context` keyword on the level of the Verifiable Presentation, e.g.:
- reference the JSON-LD context provided by the Verifiable Credentials Data Model (https://www.w3.org/ns/credentials/v2) like in the initial example listing, or
- define their own context, which
- defines the above namespace as the default vocabulary using the `@vocab` keyword, or
- maps the above namespace to a designated prefix, e.g., `"cred"`.
Similarly, the claims about any credential subject MUST adhere to the vocabulary of the Gaia-X Credential Schemas published in the Gaia-X Registry, or to Federation-specific specializations of this vocabulary.
3.5.2 Identifiers¶
The `@id` MUST be present and unique for a given `issuer`.
The `@id` keyword is aliased to `id`. Consequently, we MAY also use this alias.
It is up to the `issuer` to decide whether the `@id` is a resolvable URL or not.
3.5.3 Integrity of Related Resources¶
In order to enable references to objects (Verifiable Credentials or credential subjects) which are not under the control of the same issuer, it is RECOMMENDED to specify an `@sri` Subresource Integrity attribute to enable verification of the integrity of the referenced object.
The `sri` attribute is computed by taking the hash of the referenced normalized JSON object. The JSON object is normalized following the JSON Canonicalization Scheme (JCS) defined in RFC 8785.
Example of `sri` attribute
3.5.4 Types¶
The `@type` property MUST be present in Verifiable Presentation, Verifiable Credentials, and Credentials.
The expected values for the first `@type` property are:
- `"VerifiablePresentation"` for a Verifiable Presentation
- `"EnvelopedVerifiablePresentation"` for an Enveloped Verifiable Presentation encoded as a VC-JWT
- `"VerifiableCredential"` for a Verifiable Credential
- `"EnvelopedVerifiableCredential"` for an Enveloped Verifiable Credential encoded as a VC-JWT
This `@type` can be followed with one or more credential-related types (i.e. `@type: ['VerifiableCredential', 'LegalPerson']`).
The `@type` keyword is aliased to `type`. Consequently, we MAY also use this alias.
The expected values for the `@type` property of a credential subject are given by the taxonomy of classes defined in the Gaia-X Trust Framework, having the superclasses `Participant`, `ServiceOffering` and `Resource`.
A Federation MAY define additional subclasses of these by further shapes hosted in its Catalogue(s). In the future, Gaia-X and federations MAY also define additional, more specific credential types.
3.5.4.1 Schema Validation¶
A Schema for Gaia-X Credentials, to be used as the vocabulary of the claims about credential subjects, MUST be available in the form of SHACL shapes (cf. the W3C Shapes Constraint Language SHACL) in the Gaia-X Registry or in the Catalogue of a Federation.
At any point where Gaia-X Credentials are created or received, a certain set of SHACL shapes is known, which forms a shapes graph.
A Gaia-X Credential forms a data graph. For compliance with Gaia-X and/or a specific Federation, this data graph MUST be validated against the given shapes graph according to the SHACL specification.
3.5.5 Issuers¶
The `issuer` property MUST be present in Verifiable Credential and Verifiable Presentation. The value of the `issuer` property must be a resolvable URI.
The supported schemes for the `issuer`'s URI are:
- `https`
- `did`
The supported DID methods are:
- `web`
3.5.6 validFrom¶
The `validFrom` property is MANDATORY for Verifiable Credential and Verifiable Presentation.
3.5.7 validUntil¶
The `validUntil` property is RECOMMENDED for Verifiable Credential and Verifiable Presentation.
3.5.8 Verifiable Credential¶
Verifiable Credentials are encoded as JSON Web Tokens as described in the VC-JWT specification. This type of proof is an enveloping proof.
A JWT consists of a header, a payload and a signature, each element being separated by a dot (`.`).
Example Verifiable Credential
If we use the following credential:
{
"@context": [
"https://www.w3.org/2018/credentials/v2",
"https://w3id.org/gaia-x/development#"
],
"@type": [
"VerifiableCredential",
"LegalParticipant"
],
"@id": "https://example.org/legal-participant/68a5bbea9518e7e2ac1cc75bcc8819a7edd5c4711e073ffa4bb260034dc6423c/data.json",
"issuer": "did:web:example.org",
"validFrom": "2024-04-01T12:26:22.601516+00:00",
"validUntil": "2024-01-01T12:26:22.601516+00:00",
"credentialSubject": {
"id": "https://example.org/legal-participant-json/68a5bbea9518e7e2ac1cc75bcc8819a7edd5c4711e073ffa4bb260034dc6423c/data.json",
"type": "gx:LegalPerson",
"gx:legalName": "Example Org",
"gx:legalRegistrationNumber": {
"id": "https://example.org/gaiax-legal-registration-number/68a5bbea9518e7e2ac1cc75bcc8819a7edd5c4711e073ffa4bb260034dc6423c/data.json"
},
"gx:headquarterAddress": {
"gx:countrySubdivisionCode": "FR-75"
},
"gx:legalAddress": {
"gx:countrySubdivisionCode": "FR-75"
}
}
}
then the resulting VC-JWT is:
eyJhbGciOiJQUzI1NiIsInR5cCI6InZjK2xkK2pzb24rand0IiwiY3R5IjoidmMrbGQranNvbiIsImtpZCI6ImRpZDp3ZWI6ZXhhbXBsZS5vcmcjSldLMjAyMC1SU0EifQ.eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MiJdLCJAdHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIkxlZ2FsUGFydGljaXBhbnQiXSwiQGlkIjoiaHR0cHM6Ly9leGFtcGxlLm9yZy9sZWdhbC1wYXJ0aWNpcGFudC82OGE1YmJlYTk1MThlN2UyYWMxY2M3NWJjYzg4MTlhN2VkZDVjNDcxMWUwNzNmZmE0YmIyNjAwMzRkYzY0MjNjL2RhdGEuanNvbiIsImlzc3VlciI6ImRpZDp3ZWI6ZXhhbXBsZS5vcmciLCJ2YWxpZEZyb20iOiIyMDI0LTA0LTAxVDEyOjI2OjIyLjYwMTUxNiswMDowMCIsInZhbGlkVW50aWwiOiIyMDI0LTAxLTAxVDEyOjI2OjIyLjYwMTUxNiswMDowMCIsImNyZWRlbnRpYWxTdWJqZWN0Ijp7IkBjb250ZXh0IjpbImh0dHBzOi8vcmVnaXN0cnkubGFiLmdhaWEteC5ldS92MS9hcGkvdHJ1c3RlZC1zaGFwZS1yZWdpc3RyeS92MS9zaGFwZXMvanNvbmxkL3RydXN0ZnJhbWV3b3JrIyJdLCJpZCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvbGVnYWwtcGFydGljaXBhbnQtanNvbi82OGE1YmJlYTk1MThlN2UyYWMxY2M3NWJjYzg4MTlhN2VkZDVjNDcxMWUwNzNmZmE0YmIyNjAwMzRkYzY0MjNjL2RhdGEuanNvbiIsInR5cGUiOiJneDpMZWdhbFBhcnRpY2lwYW50IiwiZ3g6bGVnYWxOYW1lIjoiRXhhbXBsZSBPcmciLCJneDpsZWdhbFJlZ2lzdHJhdGlvbk51bWJlciI6eyJpZCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvZ2FpYXgtbGVnYWwtcmVnaXN0cmF0aW9uLW51bWJlci82OGE1YmJlYTk1MThlN2UyYWMxY2M3NWJjYzg4MTlhN2VkZDVjNDcxMWUwNzNmZmE0YmIyNjAwMzRkYzY0MjNjL2RhdGEuanNvbiJ9LCJneDpoZWFkcXVhcnRlckFkZHJlc3MiOnsiZ3g6Y291bnRyeVN1YmRpdmlzaW9uQ29kZSI6IkZSLTc1In0sImd4OmxlZ2FsQWRkcmVzcyI6eyJneDpjb3VudHJ5U3ViZGl2aXNpb25Db2RlIjoiRlItNzUifX19.NxVb_3t8WE0XWelPZsaKAcME8E28Vi5H0utVvJeYCr6cGKfj9Snl2C7buSpJIz-ZoPAKQJLKK1gWHsMh5Ge1I99vhZZ61vsGBfjLO0gFhLBwpriLMW7YkJnKD4QoTv-RxBX3JCakUCE_vkSceUOeRUfJKfEEfbyAAMjBnRZsbeH7xt5MLrs482TxYx2HhSdNkxVZU4UHK0hGSauoGfZrHV5e7XT4N2q4vXIRfN3iihYbw4-27sSDgNwOkuY34lWwRZSQsP3PoBneJcH0KDvEPgKvOt8V9ZM78wbyH9NIae8qAEKwVNF61cs3XQx6-0bqI6h0n9I4C93ShXxrqmjgTA
3.5.8.1 Header¶
The VC-JWT header MUST contain the following fields:
- `alg`, the signature algorithm (i.e. `PS256`)
- `typ`, the media type of the JWT, which must be set to `vc+ld+json+jwt`
- `cty`, the content type of the payload, which must be set to `vc+ld+json`
- `kid`, the `did:web` or URL reference to the verification method in a DID document
Additional headers that aren't described in the VC-JWT, JWT or JWS specifications should be ignored.
3.5.8.2 Payload¶
The payload of the VC-JWT is a standard verifiable credential with claims as described in the Verifiable Credentials Data Model v2.0 specification.
Some payload claims from the JWT specification MUST be replaced by the described verifiable credential fields, such as:
- `iss` will be replaced by the verifiable credential's `issuer`
- `jti` will be replaced by the verifiable credential's `id` or `@id`
- `sub` will be replaced by the verifiable credential's `credentialSubject.id` or `credentialSubject.@id`
The `vc` and `vp` payload claims MUST NOT be present.
ℹ️ The `iat` and `exp` payload claims represent the JWT's signature validity period, whereas the `validFrom` and `validUntil` verifiable credential payload claims represent the verifiable credential's data validity period. Therefore these claims can cohabit in the payload.
If the `@type` is "VerifiableCredential", the property `credentialSubject` MUST be defined. The value of `credentialSubject` can be a Credential or an array of Credentials. A Verifiable Credential MUST have:
- an `@id`,
- an `issuer`,
- a `@type`, and
- a `credentialSubject` object or a `credentialSubject` array.
NB: The `@id` and `@type` keywords are aliased to `id` and `type` respectively. Consequently, we MAY also use these aliases.
3.5.8.3 Signature¶
The last element of a VC-JWT is the signature, which cryptographically secures the header and payload to ensure integrity, hence making the Verifiable Credential tamper-evident: any modification invalidates the signature.
A JWS is signed using the issuer's private key and can be verified using the issuer's public key, which is obtainable through the issuer's DID document (referenced in the `kid` JWS header).
VC-JWT signatures are created by following the JSON Web Signature (JWS) specification. Many libraries are available to manage JWS creation.
3.5.8.4 Credential Subject¶
The `credentialSubject` can be an object or an array of objects, containing claims.
The claims about one Gaia-X entity MAY be spread over multiple Credentials and their subjects.
Each credential subject MUST have an `@id`.
A credential subject MAY be described by value, i.e., by stating one or more claims about it in place. In this case, it MUST have a `@type` as specified below.
Alternatively, a credential subject MAY be described by reference. In this case, the `@id` MUST be resolvable to an RDF resource that has the same `@id`, a `@type`, and one or more claims. See the Identifiers section for more details.
The value of the `@type` property dictates the vocabulary available in the Trust Framework document for the definition of claims about the credential subject, e.g., `LegalPerson`, `ServiceOffering`, `DataResource`, …
Example of credentialSubject
{
"@id": "https://example.com/legalPersonABC?vcid=c93b5075b3988eda4a529afce7e7c127f607b55dc08bb12e8c9adc9e33fe814f",
"@type": "gx:legalPerson",
"gx:legalName": "Legal Person ABC",
"gx:legalRegistrationNumber": {
"@id": "https://gaia-x.eu/legalRegistrationNumber_VC.json"
},
"gx:headquarterAddress": {
"gx:countrySubdivisionCode": "FR-IDF"
},
"gx:legalAddress": {
"gx:countrySubdivisionCode": "FR-IDF"
}
}
3.5.9 Enveloped Verifiable Credential¶
An Enveloped Verifiable Credential is a convenient way of describing a Verifiable Credential that has been encoded with an enveloping proof such as VC-JWT.
It's represented as a basic JSON object with three fields:
- `@context`, which is usually set to `https://www.w3.org/ns/credentials/v2`
- `id`, containing the data of the VC-JWT in the form of an `application/vc+ld+json+jwt` data URL
- `type`, which must be set to `EnvelopedVerifiableCredential`
This type of Verifiable Credential is very useful in the context of a Verifiable Presentation to embed multiple Verifiable Credentials.
Example Enveloped Verifiable Credential
Below is an example representing the [Verifiable Credential example](#verifiable-credential) as an Enveloped Verifiable Credential.
{
"@context": "https://www.w3.org/ns/credentials/v2",
"id": "data:application/vc+ld+json+jwt;eyJhbGciOiJQUzI1NiIsInR5cCI6InZjK2xkK2pzb24rand0IiwiY3R5IjoidmMrbGQranNvbiIsImtpZCI6ImRpZDp3ZWI6ZXhhbXBsZS5vcmc6bGVnYWxQZXJzb25BQkMja2V5In0.eyJAaWQiOiJkaWQ6d2ViOmV4YW1wbGUub3JnOmxlZ2FsUGVyc29uQUJDIiwiQHR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiXSwiaXNzdWVyIjoiZGlkOndlYjpleGFtcGxlLm9yZzpsZWdhbFBlcnNvbkFCQyIsInZhbGlkRnJvbSI6IjIwMjQtMDEtMDFUMDA6MDA6MDBaIiwidmFsaWRVbnRpbCI6IjIwMjQtMDQtMDFUMDA6MDA6MDBaIiwiY3JlZGVudGlhbFN1YmplY3QiOlt7IkBpZCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvbGVnYWxQZXJzb25BQkMiLCJAdHlwZSI6Imd4OmxlZ2FsUGVyc29uIiwiZ3g6bGVnYWxOYW1lIjoiTGVnYWwgUGVyc29uIEFCQyIsImd4OmxlZ2FsUmVnaXN0cmF0aW9uTnVtYmVyIjp7IkBpZCI6Imh0dHBzOi8vZ2FpYS14LmV1L2xlZ2FsUmVnaXN0cmF0aW9uTnVtYmVyX1ZDLmpzb24ifSwiZ3g6aGVhZHF1YXJ0ZXJBZGRyZXNzIjp7Imd4OmNvdW50cnlTdWJkaXZpc2lvbkNvZGUiOiJGUi1JREYifSwiZ3g6bGVnYWxBZGRyZXNzIjp7Imd4OmNvdW50cnlTdWJkaXZpc2lvbkNvZGUiOiJGUi1JREYifX1dfQ.RIQKYwKsYEhH9p3m9tbG6zQKae3A7Qz3oAHXMI9RwXYVCL-euaBG7fWGTQ_F6yqWSPeQ6veHqkxKkvtdLIkSSpxZRJCtQs2HiORQX3tc21dkqtziKJIDJhmIBIq-2zDToPb5D4Yb_ryP0aTgcnBavAuiNCf7x3_gS6tBtYd_ZNnh3cifFiLGLop6PUhqhaTEYBlw1ou-28XUCHPeaarGrmxyZzxiBV_3J5hAe8XvfnFo9Y__LcbuOjNMsU2kKhI9otw9Ll4C8IZ9Qsqdq52QFCvkbvtcvX_3IJpzyxSS7TxOXAPPwYbYV_u7tgygPRvvmQG99Q651y62tQGA_B6Eqg",
"type": "EnvelopedVerifiableCredential"
}
3.5.10 Verifiable Presentation¶
If the `@type` is "VerifiablePresentation", the property `verifiableCredential` MUST be defined.
The value of the `verifiableCredential` property MUST be an array of one or several Enveloped Verifiable Credentials. A Verifiable Presentation MUST have:
- a `@type`,
- a `verifiableCredential` array of `EnvelopedVerifiableCredential`.
Example Verifiable Presentation
Below is an example of a Verifiable Presentation containing the example from the [Enveloped Verifiable Credential](#enveloped-verifiable-credential) chapter.
{
"@context": [
"https://www.w3.org/ns/credentials/v2"
],
"@id": "https://gaia-x.eu/verifiablePresentation/1",
"type": [
"VerifiablePresentation"
],
"verifiableCredential": [
{
"@context": "https://www.w3.org/ns/credentials/v2",
"id": "data:application/vc+ld+json+jwt;eyJhbGciOiJQUzI1NiIsInR5cCI6InZjK2xkK2pzb24rand0IiwiY3R5IjoidmMrbGQranNvbiIsImtpZCI6ImRpZDp3ZWI6ZXhhbXBsZS5vcmc6bGVnYWxQZXJzb25BQkMja2V5In0.eyJAaWQiOiJkaWQ6d2ViOmV4YW1wbGUub3JnOmxlZ2FsUGVyc29uQUJDIiwiQHR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiXSwiaXNzdWVyIjoiZGlkOndlYjpleGFtcGxlLm9yZzpsZWdhbFBlcnNvbkFCQyIsInZhbGlkRnJvbSI6IjIwMjQtMDEtMDFUMDA6MDA6MDBaIiwidmFsaWRVbnRpbCI6IjIwMjQtMDQtMDFUMDA6MDA6MDBaIiwiY3JlZGVudGlhbFN1YmplY3QiOlt7IkBpZCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvbGVnYWxQZXJzb25BQkMiLCJAdHlwZSI6Imd4OmxlZ2FsUGVyc29uIiwiZ3g6bGVnYWxOYW1lIjoiTGVnYWwgUGVyc29uIEFCQyIsImd4OmxlZ2FsUmVnaXN0cmF0aW9uTnVtYmVyIjp7IkBpZCI6Imh0dHBzOi8vZ2FpYS14LmV1L2xlZ2FsUmVnaXN0cmF0aW9uTnVtYmVyX1ZDLmpzb24ifSwiZ3g6aGVhZHF1YXJ0ZXJBZGRyZXNzIjp7Imd4OmNvdW50cnlTdWJkaXZpc2lvbkNvZGUiOiJGUi1JREYifSwiZ3g6bGVnYWxBZGRyZXNzIjp7Imd4OmNvdW50cnlTdWJkaXZpc2lvbkNvZGUiOiJGUi1JREYifX1dfQ.RIQKYwKsYEhH9p3m9tbG6zQKae3A7Qz3oAHXMI9RwXYVCL-euaBG7fWGTQ_F6yqWSPeQ6veHqkxKkvtdLIkSSpxZRJCtQs2HiORQX3tc21dkqtziKJIDJhmIBIq-2zDToPb5D4Yb_ryP0aTgcnBavAuiNCf7x3_gS6tBtYd_ZNnh3cifFiLGLop6PUhqhaTEYBlw1ou-28XUCHPeaarGrmxyZzxiBV_3J5hAe8XvfnFo9Y__LcbuOjNMsU2kKhI9otw9Ll4C8IZ9Qsqdq52QFCvkbvtcvX_3IJpzyxSS7TxOXAPPwYbYV_u7tgygPRvvmQG99Q651y62tQGA_B6Eqg",
"type": "EnvelopedVerifiableCredential"
}
]
}
3.5.11 Enveloped Verifiable Presentation¶
Just like an Enveloped Verifiable Credential, an Enveloped Verifiable Presentation is a representation of a Verifiable Presentation in the form of a basic JSON object containing an `application/vp+ld+jwt` data URL.
This data URL expresses a JWS-secured Verifiable Presentation. The same headers as for Verifiable Credentials are used in a Verifiable Presentation VC-JWT, except:
- the `typ` header is set to `vp+ld+jwt`
- the `cty` header is set to `vp+ld+json`
Example Enveloped Verifiable Presentation
Below is a representation of the [Verifiable Presentation example](#verifiable-presentation) as an Enveloped Verifiable Presentation.
{
"@context": "https://www.w3.org/ns/credentials/v2",
"id": "data:application/vp+ld+jwt;eyJhbGciOiJQUzI1NiIsInR5cCI6InZjK2xkK2pzb24rand0IiwiY3R5IjoidmMrbGQranNvbiIsImtpZCI6ImRpZDp3ZWI6ZXhhbXBsZS5vcmc6bGVnYWxQZXJzb25BQkMja2V5In0.eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvbnMvY3JlZGVudGlhbHMvdjIiXSwiQGlkIjoiaHR0cHM6Ly9nYWlhLXguZXUvdmVyaWZpYWJsZVByZXNlbnRhdGlvbi8xIiwidHlwZSI6WyJWZXJpZmlhYmxlUHJlc2VudGF0aW9uIl0sInZlcmlmaWFibGVDcmVkZW50aWFsIjpbeyJAY29udGV4dCI6Imh0dHBzOi8vd3d3LnczLm9yZy9ucy9jcmVkZW50aWFscy92MiIsImlkIjoiZGF0YTphcHBsaWNhdGlvbi92YytsZCtqc29uK2p3dDtleUpoYkdjaU9pSlFVekkxTmlJc0luUjVjQ0k2SW5aaksyeGtLMnB6YjI0cmFuZDBJaXdpWTNSNUlqb2lkbU1yYkdRcmFuTnZiaUlzSW10cFpDSTZJbVJwWkRwM1pXSTZaWGhoYlhCc1pTNXZjbWM2YkdWbllXeFFaWEp6YjI1QlFrTWphMlY1SW4wLmV5SkFhV1FpT2lKa2FXUTZkMlZpT21WNFlXMXdiR1V1YjNKbk9teGxaMkZzVUdWeWMyOXVRVUpESWl3aVFIUjVjR1VpT2xzaVZtVnlhV1pwWVdKc1pVTnlaV1JsYm5ScFlXd2lYU3dpYVhOemRXVnlJam9pWkdsa09uZGxZanBsZUdGdGNHeGxMbTl5Wnpwc1pXZGhiRkJsY25OdmJrRkNReUlzSW5aaGJHbGtSbkp2YlNJNklqSXdNalF0TURFdE1ERlVNREE2TURBNk1EQmFJaXdpZG1Gc2FXUlZiblJwYkNJNklqSXdNalF0TURRdE1ERlVNREE2TURBNk1EQmFJaXdpWTNKbFpHVnVkR2xoYkZOMVltcGxZM1FpT2x0N0lrQnBaQ0k2SW1oMGRIQnpPaTh2WlhoaGJYQnNaUzV2Y21jdmJHVm5ZV3hRWlhKemIyNUJRa01pTENKQWRIbHdaU0k2SW1kNE9teGxaMkZzVUdWeWMyOXVJaXdpWjNnNmJHVm5ZV3hPWVcxbElqb2lUR1ZuWVd3Z1VHVnljMjl1SUVGQ1F5SXNJbWQ0T214bFoyRnNVbVZuYVhOMGNtRjBhVzl1VG5WdFltVnlJanA3SWtCcFpDSTZJbWgwZEhCek9pOHZaMkZwWVMxNExtVjFMMnhsWjJGc1VtVm5hWE4wY21GMGFXOXVUblZ0WW1WeVgxWkRMbXB6YjI0aWZTd2laM2c2YUdWaFpIRjFZWEowWlhKQlpHUnlaWE56SWpwN0ltZDRPbU52ZFc1MGNubFRkV0prYVhacGMybHZia052WkdVaU9pSkdVaTFKUkVZaWZTd2laM2c2YkdWbllXeEJaR1J5WlhOeklqcDdJbWQ0T21OdmRXNTBjbmxUZFdKa2FYWnBjMmx2YmtOdlpHVWlPaUpHVWkxSlJFWWlmWDFkZlEuUklRS1l3S3NZRWhIOXAzbTl0Ykc2elFLYWUzQTdRejNvQUhYTUk5UndYWVZDTC1ldWFCRzdmV0dUUV9GNnlxV1NQZVE2dmVIcWt4S2t2dGRMSWtTU3B4WlJKQ3RRczJIaU9SUVgzdGMyMWRrcXR6aUtKSURKaG1JQklxLTJ6RFRvUGI1RDRZYl9yeVAwYVRnY25CYXZBdWlOQ2Y3eDNfZ1M2dEJ0WWRfWk5uaDNjaWZGaUxHTG9wNlBVaHFoYVRFWUJsdzFvdS0yOFhVQ0hQZWFhckdybXh5Wnp4aUJWXzNKNWhBZThYdmZuRm85WV9fTGNidU9qTk1zVTJrS2hJOW90dzlMbDRDOElaOVFzcWRxNTJRRkN2a2J2dGN2WF8zSUpwenl4U1M3VHhPWEFQUHdZYllWX3U3dGd5Z1BSdnZtUUc5OVE2NTF5NjJ0UUdBX0I2RXFnIiwidHlwZSI6IkVudmVsb3BlZFZlcmlmaWFibGVDcmVkZW50aWFsIn1dfQ.jnEqD2HH7eNnzRPwTjwsFigyENPozdDzmksXjevGNiH4hWJGLoM-765IP1mEE-tsLi2tMXQ6TeWIfw_6NkpY0vo_FUXWBBlj0IgMbxbt0gQwHRW9Ph3SVKQMCdIfp_pmdWPCEUrr_HxjkdiZpF1fa4qGSYBYl6tRSf1N0iCY0SzKvStI-EiudwHtlSygcqjxNq1jdpZtQyjYa_golZmyBdX7BYUUkcY30vypKTjMgBLHlZOzIljdiLKcm_MfDGEBt-Ha_qxpKpwRZoMFhsq89RXeExpeAw8Vg3ZR7yWsmP3T-7DDrZ5sadpNyCDXpryvm2UoDs__M4lEvkl3HIy9LQ",
"type": "EnvelopedVerifiablePresentation"
}
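As an added example (not from the Gaia-X project), the following Node.js code builds and opens the envelopes of sections 3.5.9 to 3.5.11 and, while opening a presentation, applies the shape rule of 3.5.10 and the distinct-identifier rule of 3.4. Tokens are assembled with a placeholder third segment, since signing is covered in the 3.5.8 example and a verifier has to check each signature before trusting what is unwrapped; the `MEDIA` table, the function names and the sample presentation are this example's own. The data URL parser accepts the `;` separator used in the listings of this document as well as the `,` of RFC 2397.

```javascript
// Added example (not from the Gaia-X ICAM document): building and unwrapping the
// envelopes of sections 3.5.9 to 3.5.11. Tokens carry a placeholder signature
// segment; signature verification (see the 3.5.8 example) must precede any use
// of what is unwrapped here.
const MEDIA = {
  EnvelopedVerifiableCredential: { mediaType: "application/vc+ld+json+jwt", typ: "vc+ld+json+jwt", cty: "vc+ld+json" },
  EnvelopedVerifiablePresentation: { mediaType: "application/vp+ld+jwt", typ: "vp+ld+jwt", cty: "vp+ld+json" },
};

const b64url = (text) => Buffer.from(text).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const decodeSegment = (seg) => JSON.parse(Buffer.from(seg, "base64").toString("utf8"));

// Token with the page's header layout; the third segment is a placeholder, not a signature.
function placeholderToken(payload, kid, envelopeType) {
  const { typ, cty } = MEDIA[envelopeType];
  return `${b64url(JSON.stringify({ alg: "PS256", typ, cty, kid }))}.${b64url(JSON.stringify(payload))}.PLACEHOLDER-SIGNATURE`;
}

// Wraps a compact JWS in the three-field envelope object. The data URL follows the
// document's listings, which put a ';' between media type and token.
function envelope(token, envelopeType) {
  return { "@context": "https://www.w3.org/ns/credentials/v2", id: `data:${MEDIA[envelopeType].mediaType};${token}`, type: envelopeType };
}

// Extracts the token from an envelope: the data URL media type must match the
// envelope type, and the JWS header must carry the matching typ and cty.
function openEnvelope(obj) {
  const spec = MEDIA[obj.type];
  if (!spec) throw new Error(`unknown envelope type ${obj.type}`);
  const match = /^data:([^;,]+)[;,](.+)$/.exec(obj.id || ""); // ';' as on this page, ',' as in RFC 2397
  if (!match || match[1] !== spec.mediaType) throw new Error(`id is not an ${spec.mediaType} data URL`);
  const token = match[2];
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("enveloped token is not a compact JWS");
  const header = decodeSegment(parts[0]);
  if (header.typ !== spec.typ || header.cty !== spec.cty) throw new Error(`header typ/cty do not match ${obj.type}`);
  return { header, payload: decodeSegment(parts[1]), token };
}

// Opens an Enveloped Verifiable Presentation and every credential inside it,
// checking the 3.5.10 shape and that presentation, credentials and subjects all
// carry distinct identifiers (section 3.4).
function unwrapPresentation(envelopedVp) {
  const { payload: vp } = openEnvelope(envelopedVp);
  const vpTypes = [].concat(vp.type ?? vp["@type"] ?? []);
  if (vpTypes[0] !== "VerifiablePresentation") throw new Error("first type must be VerifiablePresentation");
  if (!Array.isArray(vp.verifiableCredential) || vp.verifiableCredential.length === 0) {
    throw new Error("verifiableCredential must be a non-empty array");
  }
  const vpId = vp.id ?? vp["@id"];
  if (typeof vpId !== "string") throw new Error("presentation needs an id");
  const ids = new Set([vpId]);
  const credentials = vp.verifiableCredential.map((entry) => {
    if (entry.type !== "EnvelopedVerifiableCredential") throw new Error("entries must be EnvelopedVerifiableCredential");
    const { payload: vc } = openEnvelope(entry);
    const subjectIds = [].concat(vc.credentialSubject ?? []).map((s) => s.id ?? s["@id"]);
    for (const id of [vc.id ?? vc["@id"], ...subjectIds]) {
      if (typeof id !== "string") throw new Error("credentials and subjects all need an id");
      if (ids.has(id)) throw new Error(`identifier ${id} is reused`);
      ids.add(id);
    }
    return vc;
  });
  return { presentation: vp, credentials };
}

// Constructed sample: two credentials from one issuer bundled in a presentation.
function buildSample() {
  const issuer = "did:web:example.org:legalPersonABC", kid = `${issuer}#key`;
  const credential = (n) => ({
    "@id": `https://example.org/legalPersonABC/credential/${n}`, "@type": ["VerifiableCredential"], issuer,
    credentialSubject: [{ "@id": `https://example.org/legalPersonABC/${n}`, "@type": "gx:legalPerson" }],
  });
  const vp = {
    "@context": ["https://www.w3.org/ns/credentials/v2"], "@id": "https://example.org/verifiablePresentation/1", type: ["VerifiablePresentation"],
    verifiableCredential: [1, 2].map((n) => envelope(placeholderToken(credential(n), kid, "EnvelopedVerifiableCredential"), "EnvelopedVerifiableCredential")),
  };
  return envelope(placeholderToken(vp, kid, "EnvelopedVerifiablePresentation"), "EnvelopedVerifiablePresentation");
}
```

Applied to the Enveloped Verifiable Presentation listing above, `openEnvelope` stops at the header check, because that token's header still carries the `vc+ld+json+jwt`/`vc+ld+json` values of a credential rather than the `vp+ld+jwt`/`vp+ld+json` values this section prescribes; a verifier that enforces the media types as written would reject it.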
3.6 Gaia-X compliance input/output¶
The Gaia-X Compliance service takes a Verifiable Presentation as input and returns a Verifiable Credential as output:
```mermaid
flowchart LR
in[Verifiable Presentation]
compliance[Gaia-X Compliance]
out[Verifiable Credential]
in --> |input|compliance --> |output|out
```
3.6.1 Input¶
The input of the Gaia-X Compliance service is a VC-JWT Verifiable Presentation that might contain:
- one or more Enveloped Verifiable Credentials
- one or more Verifiable Credentials
Such a Verifiable Credential MAY or MAY NOT be covered by the Gaia-X Compliance rules.
The following example contains fake, placeholder attributes for `Participant` and `ServiceOffering`, which are not valid against the Gaia-X Credential Schema.
Example of Compliance input
> :warning: Due to the lack of readability of JWTs, the following credentials are not signed; for more complete functional cases please take a look at these [examples](https://gitlab.com/gaia-x/technical-committee/identity-credentials-and-access-management-working-group/icam/-/tree/main/docs/examples/)
{
"@context": [
"https://www.w3.org/ns/credentials/v2"
],
"type": "VerifiablePresentation",
"issuer": "did:web:gaia-x.eu",
"validUntil": "2024-07-11T07:51:07.168+00:00",
"verifiableCredential": [
{
"id": "https://gaia-x.eu/participant.json",
"type": "VerifiableCredential",
"issuer": "did:web:gaia-x.eu",
"validFrom": "2024-01-01T19:23:24Z",
"validUntil": "2024-07-11T07:42:21.972+00:00",
"credentialSubject": {
"id": "https://gaia-x.eu/participant.json#cs",
"type": "gx:LegalPerson",
"https://schema.org/name": "GAIA-X",
"gx:registrationNumber": {
"id": "https://gaia-x.eu/gaia-x-lrn.json#cs"
},
"gx:headquartersAddress": {
"type": "gx:Address",
"gx:countryCode": "BE"
},
"gx:legalAddress": {
"type": "gx:Address",
"gx:countryCode": "BE"
}
}
},
{
"id": "https://gaia-x.eu/gaia-x-lrn.json",
"issuer": "did:web:gaia-x.eu",
"type": "VerifiableCredential",
"validFrom": "2024-05-15T12:10:23.900Z",
"validUntil": "2024-07-11T07:43:05.752+00:00",
"credentialSubject": {
"type": "gx:VatID",
"id": "https://gaia-x.eu/gaia-x-lrn.json#cs",
"gx:vatID": "BE0762747721",
"gx:countryCode": "BE"
}
},
{
"issuer": "did:web:gaia-x.eu",
"id": "https://gaia-x.eu/gaia-x-tsandcs.json",
"type": "VerifiableCredential",
"validFrom": "2024-05-27T09:12:35.754Z",
"validUntil": "2024-07-11T07:43:30.274+00:00",
"credentialSubject": {
"gx:termsAndConditions": "The PARTICIPANT signing the Self-Description agrees as follows:\n- to update its descriptions about any changes, be it technical, organizational, or legal - especially but not limited to contractual in regards to the indicated attributes present in the descriptions.\n\nThe keypair used to sign Verifiable Credentials will be revoked where Gaia-X Association becomes aware of any inaccurate statements in regards to the claims which result in a non-compliance with the Trust Framework and policy rules defined in the Policy Rules and Labelling Document (PRLD).",
"type": "gx:GaiaXTermsAndConditions",
"id": "https://gaia-x.eu/gaia-x-tsandcs.json#cs"
}
},
{
"id": "https://gaia-x.eu/service.json",
"issuer": "did:web:gaia-x.eu",
"type": "VerifiableCredential",
"validFrom": "2024-07-23T13:36:54.648Z",
"validUntil": "2024-07-25T15:17:11.243+00:00",
"credentialSubject": {
"type": "gx:ServiceOffering",
"gx:providedBy": {
"@id": "https://gaia-x.eu/participant.json#cs"
},
"gx:policy": "",
"gx:termsAndConditions": {
"gx:URL": "http://termsandconds.com",
"gx:hash": "d8402a23de560f5ab34b22d1a142feb9e13b3143"
},
"gx:dataAccountExport": {
"gx:requestType": "API",
"gx:accessType": "digital",
"gx:formatType": "application/json"
},
"@id": "https://gaia-x.eu/service.json#cs"
}
}
]
}
3.6.2 Output¶
The output of the Gaia-X Compliance service is a VC-JWT `VerifiableCredential` containing the `id` and hash of each compliant `VerifiableCredential` from the input.
Example of Compliance output
{
"@context": [
"https://www.w3.org/ns/credentials/v2",
"https://w3id.org/gaia-x/development#"
],
"type": [
"VerifiableCredential",
"gx:ComplianceCredential"
],
"id": "https://storage.gaia-x.eu/credential-offers/b3e0a068-4bf8-4796-932e-2fa83043e203",
"issuer": "did:web:compliance.lab.gaia-x.eu:development",
"validFrom": "2024-07-24T15:18:28.376Z",
"validUntil": "2024-10-22T15:18:28.355Z",
"credentialSubject": {
"id": "https://storage.gaia-x.eu/credential-offers/b3e0a068-4bf8-4796-932e-2fa83043e203#cs",
"gx:evidence": [
{
"id": "https://gaia-x.eu/participant.json",
"type": "gx:ComplianceEvidence",
"gx:integrity": "sha256-578b2fa4ec5d83317f7356dfb11f656c14ac3b1705ee276d09ed76871bf53b29",
"gx:integrityNormalization": "RFC8785:JCS",
"gx:engineVersion": "2.2.0",
"gx:rulesVersion": "PRLD-24.04_pre",
"gx:originalType": "gx:LegalPerson,VerifiableCredential"
},
{
"id": "https://gaia-x.eu/gaia-x-tsandcs.json",
"type": "gx:ComplianceEvidence",
"gx:integrity": "sha256-3962bfc58471f19e8e5d5ea05652725ca0bb8b62af27cfdd8d9022c69b585387",
"gx:integrityNormalization": "RFC8785:JCS",
"gx:engineVersion": "2.2.0",
"gx:rulesVersion": "PRLD-24.04_pre",
"gx:originalType": "gx:GaiaXTermsAndConditions,VerifiableCredential"
},
{
"id": "https://gaia-x.eu/gaia-x-lrn.json",
"type": "gx:ComplianceEvidence",
"gx:integrity": "sha256-3e374271b13e1241eda27c672de70c3d4d497a4b4c8f02f287fe3aa61d789fd9",
"gx:integrityNormalization": "RFC8785:JCS",
"gx:engineVersion": "2.2.0",
"gx:rulesVersion": "PRLD-24.04_pre",
"gx:originalType": "gx:VatID,VerifiableCredential"
},
{
"id": "https://gaia-x.eu/service.json",
"type": "gx:ComplianceEvidence",
"gx:integrity": "sha256-1b1a7bb3545891ca912ee29425b74d842eec09c1c4f6847571708d0888601457",
"gx:integrityNormalization": "RFC8785:JCS",
"gx:engineVersion": "2.2.0",
"gx:rulesVersion": "PRLD-24.04_pre",
"gx:originalType": "gx:ServiceOffering,VerifiableCredential"
}
]
}
}