Open
Conversation
awoie
requested review from
Sakurann,
c2bo,
danielfett,
jogu,
paulbastian,
tlodderstedt and
tplooker
tplooker
reviewed
Apr 22, 2025
tplooker
reviewed
Apr 22, 2025
tplooker
reviewed
Apr 22, 2025
Contributor
tplooker
left a comment
tplooker
left a comment
There was a problem hiding this comment.
Minor editorial review, generally very supportive of this proposal I think its a critical feature. Few other thoughts
- We should consider making this feature required as leaving it optional will make communicating credential updates/refreshes difficult.
- I believe the specification would benefit from a seperate additional endpoint that enables a wallet to ask if there are any updates for a specific credential. Otherwise without this a wallet is forced to ask for a new credential in order to determine whether anything has changed.
Contributor
|
Only other thing that came to mind on this topic that perhaps we need to discuss is how we support different datasets versus different versions of the same dataset as I suspect in the event an issuer is issuing two different datasets for the same credential (e.g two credentials about different people), to the same wallet this identifier would become ambiguous. |
This was referenced Apr 27, 2025
Closed
Collaborator
|
temporarily close to prevent confusion - will reopen once 1.0 goes out |
Collaborator
|
reopening now that 1.0 has been published. Please push the changes to 1.1.md, and not 1.0.md |
awoie
force-pushed
the
awoie/add-credential-versioning
branch
from
1af74c9 to
5846457
Compare
Contributor
Author
Contributor
Author
@tplooker If the same credential configuration is used for two different initial data sets, then you would need some additional mechanism. Wouldn't this be rather two distinct credential configurations, e.g., child, parent configuration? We could also introduce another layer between credential configuration and credential dataset identifier (version)? Is there a third option and do you have a proposal, e.g., through some new endpoint? |
Sakurann
reviewed
Feb 2, 2026
Sakurann
reviewed
Feb 2, 2026
Collaborator
Sakurann
left a comment
Sakurann
left a comment
There was a problem hiding this comment.
I think it would be good to add a bit more description of the feature this parameter enables outside the definition of a term?
awoie
commented
Feb 18, 2026
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
Contributor
Author
Thanks for reviewing. Just added the use case and applied your suggestion. Please review again @Sakurann |
awoie
commented
Mar 3, 2026
raleng
reviewed
Mar 9, 2026
c2bo
reviewed
Mar 9, 2026
Co-authored-by: Ralf Engbers <raleng@users.noreply.github.com>
awoie
commented
Mar 10, 2026
c2bo
reviewed
Mar 11, 2026
applied christian's comments Co-authored-by: Christian Bormann <chris.bormann@gmx.de>
applied christian's comments Co-authored-by: Christian Bormann <chris.bormann@gmx.de>
| * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. | ||
| * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. | ||
| * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. | ||
| * `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format - if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. |
Contributor
There was a problem hiding this comment.
credential_dataset_version rather than id?
fkj
reviewed
Apr 27, 2026
| * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. | ||
| * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. | ||
| * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. | ||
| * `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format - if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. |
Member
There was a problem hiding this comment.
Not sure about the term "opaque" here. Not really used in the other parameters, and I don't think anyone would parse this anyway.
Contributor
Author
There was a problem hiding this comment.
@fkj agreed. Does this read better?
Suggested change
| * `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format - if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. | |
| * `credential_dataset_id`: REQUIRED for the Issuer to return. Any string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format - if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. |
Member
There was a problem hiding this comment.
I think you can even just say "A string". I don't think anyone would have any reason to try to parse this.
| * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. | ||
| * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. | ||
| * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. | ||
| * `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format - if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. |
Member
There was a problem hiding this comment.
Might make sense to say why the wallet MUST NOT expect this to be here. Presumably for backwards compatibility?
Contributor
Author
There was a problem hiding this comment.
Exactly, and makes sense. We should add this.
Contributor
GarethCOliver
left a comment
GarethCOliver
left a comment
There was a problem hiding this comment.
Add either normative, or implementation considerations that if a credential data does not change then the version MUST remain the same.
This prevents thrashing on the wallet side, for wallets that are making use of the versioning to discard old data sets etc.
Co-authored-by: Frederik Krogsdal Jacobsen <fkj@users.noreply.github.com>
Co-authored-by: Frederik Krogsdal Jacobsen <fkj@users.noreply.github.com>
paulbastian
requested changes
May 6, 2026
Contributor
paulbastian
left a comment
paulbastian
left a comment
There was a problem hiding this comment.
Please discuss:
- is parameter mandatory/optional
- is this a number or a string
- add clarity how a wallet compares versions (likely simple string comparison)
- I believe an implementation consideration would make sense, see Gareths comment and also this could shorten some of the texts in the normative part, that has become a little bloated
| Credential Dataset: | ||
| : A set of one or more claims about a subject, provided by a Credential Issuer. | ||
|
|
||
| Credential Dataset Identifier |
Contributor
There was a problem hiding this comment.
Suggested change
| Credential Dataset Identifier | |
| Credential Dataset Version |
| : A set of one or more claims about a subject, provided by a Credential Issuer. | ||
|
|
||
| Credential Dataset Identifier | ||
| : A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. Note that a Credential Dataset Identifier is bound to a specific Credential Format. |
Contributor
There was a problem hiding this comment.
Suggested change
| : A unique identifier that refers to a specific version of a Credential Dataset. This identifier remains stable across multiple instances of a Credential that share the same set of claim values, even if they differ in cryptographic proofs. When the claim values in the dataset change, a new Credential Dataset Identifier is assigned. This identifier enables Wallets to detect changes to the underlying data and to distinguish between Credentials issued with different versions of a Credential Dataset under the same Credential Configuration. Note that a Credential Dataset Identifier is bound to a specific Credential Format. | |
| : A String that refers to a specific version of a Credential Dataset. This version is identical for multiple instances of a Credential that share the same Credential Dataset, even if they differ in cryptographic proofs. When any of the claim values in the Credential Dataset change, a new Credential Dataset Version is assigned. This version enables Wallets to detect changes to the underlying data and to distinguish between Credentials of the same Credential Configuration are issued with different Credential Datasets. Note that a Credential Dataset Version is bound to a specific Credential Format. |
Contributor
There was a problem hiding this comment.
Is it okay to have the version as a number or rather a string?
| * `transaction_id`: OPTIONAL. String identifying a Deferred Issuance transaction. This parameter is contained in the response if the Credential Issuer cannot immediately issue the Credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see (#deferred-credential-issuance)). It MUST not be used if the `credentials` parameter is present. It MUST be invalidated after the Credential for which it was meant has been obtained by the Wallet. | ||
| * `interval`: REQUIRED if `transaction_id` is present. Contains a positive number that represents the minimum amount of time in seconds that the Wallet SHOULD wait after receiving the response before sending a new request to the Deferred Credential Endpoint. It MUST NOT be used if the `credentials` parameter is present. | ||
| * `notification_id`: OPTIONAL. String identifying one or more Credentials issued in one Credential Response. It MUST be included in the Notification Request as defined in (#notification). It MUST not be used if the `credentials` parameter is not present. | ||
| * `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format: if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. |
Contributor
There was a problem hiding this comment.
Suggested change
| * `credential_dataset_id`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Identifier associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format: if a Credential is offered in different formats, they would have different values for `credential_dataset_id`. The Wallet MUST NOT expect the `credential_dataset_id` to be always present in the Credential Response. | |
| * `credential_dataset_ver`: REQUIRED for the Issuer to return. An opaque string containing the Credential Dataset Version associated with the returned Credential(s). This allows Wallets to detect changes to the underlying Credential Dataset across different Credential Responses. This is useful in situations where claim values change over time, such as an updated address, correction of previously issued personal data, or a change in legal or entitlement status (e.g., reaching the age of majority), enabling the Wallet to distinguish between a cryptographic re-issuance of unchanged data and the issuance of a credential containing modified claim values. Note that this information is only valid for the scope of a concrete credential format: if a Credential is offered in different formats, they would have different values for `credential_dataset_ver`. The Wallet MUST NOT expect the `credential_dataset_ver` to be always present in the Credential Response. |
Contributor
There was a problem hiding this comment.
The last and first sentence are contradicting, feels like you didn't finish the first sentence and there is a condition missing. I would not make this feature mandatory.
| ``` | ||
|
|
||
| Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with an additional `notification_id` parameter: | ||
| Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with additional `notification_id` and `credential_dataset_id` parameters: |
Contributor
There was a problem hiding this comment.
Suggested change
| Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with additional `notification_id` and `credential_dataset_id` parameters: | |
| Below is a non-normative example of a Credential Response in an immediate issuance flow for multiple Credential instances in JWT VC format (JSON encoded) with additional `notification_id` and `credential_dataset_ver` parameters: |
| ], | ||
| "notification_id": "3fwe98js" | ||
| "notification_id": "3fwe98js", | ||
| "credential_dataset_id": "Jk0eOt4CXQe1NXK" |
Contributor
There was a problem hiding this comment.
Suggested change
| "credential_dataset_id": "Jk0eOt4CXQe1NXK" | |
| "credential_dataset_ver": "Jk0eOt4CXQe1NXK" |
| * If the Credential Issuer still requires more time, the Deferred Credential Response MUST use the `interval` and `transaction_id` parameters as defined in (#credential-response) and it MUST respond with the HTTP status code 202 (see Section 15.3.3 of [@!RFC9110]). The value of `transaction_id` MUST be same as the value of `transaction_id` in the Deferred Credential Request. | ||
|
|
||
| The Deferred Credential Response MAY use the `notification_id` parameter as defined in (#credential-response). | ||
| The Deferred Credential Response MAY use the `notification_id` and the `credential_dataset_id` parameter as defined in (#credential-response). |
Contributor
There was a problem hiding this comment.
Suggested change
| The Deferred Credential Response MAY use the `notification_id` and the `credential_dataset_id` parameter as defined in (#credential-response). | |
| The Deferred Credential Response MAY use the `notification_id` and the `credential_dataset_ver` parameter as defined in (#credential-response). |
| ], | ||
| "notification_id": "3fwe98js" | ||
| "notification_id": "3fwe98js", | ||
| "credential_dataset_id": "Jk0eOt4CXQe1NXK" |
Contributor
There was a problem hiding this comment.
Suggested change
| "credential_dataset_id": "Jk0eOt4CXQe1NXK" | |
| "credential_dataset_ver": "Jk0eOt4CXQe1NXK" |
| * use derived origin for `expected_origins` in IAE flow | ||
| * add require_interactive_authorization_request to AS metadata | ||
| * add interactive_authorization_endpoint to AS metadata section | ||
| * add credential dataset identifier |
Contributor
There was a problem hiding this comment.
Suggested change
| * add credential dataset identifier | |
| * add credential dataset version |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #278