
Credential models

The digital identity landscape is broad and varied, with many different models coming from different standards bodies. This page gives a high-level overview of the three credential models Procivis One supports.

Terms in digital identity are often used in disparate ways. Here's how we're using key terms:

  • Credential model: an architectural framework and set of specifications that defines how digital credentials are structured, issued, presented and verified. In our case, each credential model tracks with the standards bodies themselves—IETF, ISO/IEC, and W3C.
  • Credential format: how a credential is represented by data. The format determines how credentials — including payload data, metadata, and cryptographic material — are mapped to data structures. A credential model may specify one or more formats for use.
  • Securing mechanism: how a credential's authenticity, integrity and security are assured. Some credential models specify precisely how their credentials must be secured; others allow for variations.

IETF SD-JWT VC

The Internet Engineering Task Force (IETF) has specified a model of Verifiable Credentials based on the SD-JWT format.

See the datatracker here for the latest draft information.

JWT and SD-JWT

A JSON Web Token (JWT) is a way of representing claims between two parties, and is widely used for authentication and information exchange. A JWT is encoded as a string and consists of three parts separated by dots.

header.payload.signature

The header contains metadata about the token, and the payload contains claims about an entity. The token is signed so recipients know it has not been altered. When a JWT is shared, the entire token is sent and decoded, meaning all claims are shared with the recipient.

Selective Disclosure for JWTs (SD-JWT) is a specification that makes the claims of a JWT selectively disclosable: the sender of a token can send only a subset of the original claims, and the token remains verifiable.

The SD-JWT VC specification defines a set of formats and rules for expressing Verifiable Credentials using the SD-JWT format.

Characteristics

As can be surmised from the specification's name, all credentials of this model are encoded in the SD-JWT format.

While sharing some similarities to W3C Verifiable Credentials, SD-JWT VCs differ in both structure and content. Select differences include:

  • Flatter structure with objects at the root-level, where W3C credentials nest more.
  • IANA Media Type registration: application/vc+sd-jwt.
  • vct value is a generic field used to specify Type Metadata, which could, for instance, specify what type of credential it is or what semantics it uses.
  • iss is a URI that identifies the issuer of the credential.
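The following added example, which is not Procivis One code, shows why a subset of claims stays verifiable in SD-JWT: the issuer signs salted SHA-256 digests of the disclosable claims, the holder forwards only the disclosures it chooses, and the verifier rejects any disclosure whose digest was not signed. Assumptions: an HMAC (HS256) key stands in for the issuer's asymmetric signature so the code runs on the standard library alone, key binding is left out, and the key and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # assumption: HS256 stand-in for the issuer's signing key

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def digest(disclosure: str) -> str:  # hash the encoded string, not the decoded JSON
    return b64u(hashlib.sha256(disclosure.encode("ascii")).digest())

def sign(signing_input: str) -> str:
    return b64u(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def issue(fixed: dict, disclosable: dict):
    """Issuer: sign digests of the disclosable claims instead of their values."""
    disclosures = {}
    for name, value in disclosable.items():
        salt = b64u(secrets.token_bytes(16))  # fresh salt blocks guessing hidden values
        disclosures[name] = b64u(json.dumps([salt, name, value]).encode())
    payload = dict(fixed, _sd_alg="sha-256",
                   _sd=sorted(digest(d) for d in disclosures.values()))
    header = {"alg": "HS256", "typ": "vc+sd-jwt"}  # typ mirrors the registered media type
    signing_input = ".".join(b64u(json.dumps(p).encode()) for p in (header, payload))
    return signing_input + "." + sign(signing_input), disclosures

def present(jwt: str, disclosures: dict, reveal: list) -> str:
    """Holder: forward the signed JWT plus only the chosen disclosures."""
    return "~".join([jwt] + [disclosures[name] for name in reveal]) + "~"

def verify(presentation: str) -> dict:
    """Verifier: check the signature, then accept only disclosures it covers."""
    jwt, *shown = presentation.split("~")
    signing_input, _, signature = jwt.rpartition(".")
    if not hmac.compare_digest(sign(signing_input), signature):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(signing_input.split(".")[1]))
    signed_digests = set(claims.pop("_sd", []))
    claims.pop("_sd_alg", None)
    for disclosure in filter(None, shown):
        if digest(disclosure) not in signed_digests:
            raise ValueError("disclosure not covered by signature")
        salt, name, value = json.loads(b64u_dec(disclosure))
        if name in claims:
            raise ValueError("disclosure overwrites a signed claim")
        claims[name] = value
    return claims
```

For a credential issued with `iss` and `vct` as fixed claims and `given_name` and `birthdate` as disclosable ones, `verify(present(jwt, disclosures, ["given_name"]))` returns `iss`, `vct` and `given_name` only. A disclosure the holder fabricates for `birthdate` fails the digest check because its hash is not in the signed `_sd` list.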

ISO mdoc

The International Organization for Standardization (ISO) developed what is officially called:

ISO/IEC 18013-5:2021
Personal identification
ISO-compliant driving licence
Part 5: Mobile driving licence (mDL) application

as a standard for mobile driving licenses, to ensure the interoperable use of electronic identification across state and country borders.

The original specification focuses on in-person sharing of credentials and includes offline verification, since driving licenses often need to be verified in places where internet access is limited. An additional specification for sharing credentials over the internet (18013-7) was published in October 2024.

ISO terminology

While the origin of this standard is firmly rooted in mDLs and devices used to read mDLs, the credential model can be employed for other kinds of credentials and exchanged through other means.

Following the "mdoc" data model at the center of the original standard, we use the term 'ISO mdoc' to refer to the entire suite of credentials originating out of the ISO mDL standard.

Characteristics

All credentials of this model are in the mdoc format.

ISO mdoc includes privacy elements such as consent mechanisms for sharing, selective disclosure capabilities and measures to prevent tracking and correlation attacks.

It also provides standards for engagement between devices using Bluetooth, QR code or NFC, and for data exchange between holders and verifiers, including encryption and cryptographic proofs.

For details on mdoc implementation in Procivis One, see the mdocs guide.

W3C Verifiable Credentials

The World Wide Web Consortium (W3C) has specified a model of Verifiable Credentials which use JSON-LD in compacted form and offer a broad array of options for credential content and securing mechanisms.

JSON-LD

JSON-LD (JavaScript Object Notation for Linked Data) extends JSON to link data together by explicit reference to resources across the Web. W3C VCs use fields like @context, @id and @type to map properties to URIs, assign unique resource identifiers, and map to terms defined in the context.

Securing mechanisms

The standard recognizes multiple kinds of securing mechanisms, including proofs that wrap the serialized credential and proofs that are embedded in the serialized credential. This allows for many different kinds of proofs and signature algorithms to be used to secure W3C VCs.

Procivis One

Procivis One supports all credential models listed here, and takes care of the complexity of formatting so users can issue, hold or verify in simple workflows.

See the supported standards for a complete list of credentials supported by Procivis One.