What is the difference between W3C VC and ISO mDoc in the EUDI Wallet?

The EUDI Wallet supports two credential formats that serve complementary purposes. W3C Verifiable Credentials (using SD-JWT) are optimized for online and web-based scenarios: they work well with HTTP-based protocols like OpenID4VCI and OpenID4VP, support flexible claim structures, and align with the broader web standards ecosystem. ISO 18013-5 mDoc is optimized for proximity scenarios (face-to-face verification over BLE or NFC): it supports efficient binary encoding (CBOR), has built-in support for device engagement protocols, and was originally designed for mobile driving licences. The EUDI Wallet Architecture Reference Framework mandates that both formats must be supported, with the specific format used depending on the interaction scenario.

How does SD-JWT work with W3C Verifiable Credentials?

SD-JWT (Selective Disclosure JSON Web Token) is the proof mechanism used by the EUDI Wallet for W3C VCs. The issuer creates a JWT containing all credential claims, but each claim is individually hashed rather than included in plaintext. The issuer provides the claim values as separate disclosures alongside the JWT. When presenting the credential, the wallet includes only the disclosures for the claims the verifier needs, while the JWT signature remains valid. The verifier can verify the issuer signature on the JWT and confirm that the disclosed claims hash to the values in the JWT, without learning anything about the undisclosed claims. This provides selective disclosure without requiring complex zero-knowledge proof cryptography.

Can W3C VCs be used for government-issued identity documents?

Yes. The EUDI Wallet uses W3C VCs with SD-JWT for Person Identification Data (PID), which is the digital equivalent of a government-issued identity document. The PID credential contains claims such as family name, given name, date of birth, nationality, and a unique identifier, all issued and signed by the member state identity authority. The W3C VC format, combined with SD-JWT selective disclosure, allows the holder to present only specific claims from the PID (for example, proving nationality without revealing date of birth) while maintaining the cryptographic proof that the claims were issued by the government authority.

W3C Verifiable Credentials

technical

Full Name: World Wide Web Consortium Verifiable Credentials

Definition

W3C Verifiable Credentials (VCs) are a standard published by the World Wide Web Consortium that defines a data model for expressing digital credentials in a way that is cryptographically secure, privacy-respecting, and machine-verifiable. The VC Data Model, now at version 2.0, establishes a common structure for representing claims made by an issuer about a subject, along with the cryptographic proof that allows any verifier to independently confirm the credential's authenticity and integrity without needing to contact the issuer. The data model is format-agnostic and can be implemented using various proof mechanisms, including JSON Web Tokens, JSON-LD with Linked Data Proofs, and SD-JWT. In the EUDI Wallet ecosystem, the W3C VC standard is implemented using SD-JWT (Selective Disclosure JSON Web Token) as the primary proof mechanism, creating a credential format that combines the interoperability of the W3C data model with the selective disclosure capabilities needed for privacy-preserving identity presentations. Alongside ISO 18013-5 mDoc (the second supported format), W3C VCs form the technical foundation for the EUDI Wallet's credential ecosystem, supporting everything from government-issued Person Identification Data to private-sector attestations of attributes.

W3C VC Data Model Architecture

The W3C Verifiable Credentials Data Model defines a three-role ecosystem: issuers (entities that create and sign credentials), holders (entities that receive, store, and present credentials), and verifiers (entities that request and verify credential presentations). A Verifiable Credential consists of credential metadata (issuer identity, issuance date, expiration date, credential type), one or more claims about the subject (key-value pairs like "familyName: Smith" or "dateOfBirth: 1990-05-15"), and a cryptographic proof (typically a digital signature from the issuer). A Verifiable Presentation wraps one or more VCs with an additional proof from the holder, demonstrating that the presenter possesses the credential and is authorized to present it.

The data model's format-agnostic design means it can be serialized in different ways depending on the use case. The EUDI Wallet uses the SD-JWT VC profile, which serializes the credential as a JSON Web Token with selective disclosure capabilities. The SD-JWT format was chosen for the EUDI Wallet because it provides a good balance of security (standard JWT signatures using well-understood algorithms), privacy (native selective disclosure without complex cryptographic overhead), interoperability (JWT is widely supported across programming languages and platforms), and performance (compact encoding suitable for mobile devices and QR codes).

The W3C VC Data Model 2.0 (the current version) introduces several improvements over version 1.1 that are relevant to the EUDI Wallet. These include a more flexible proof mechanism that cleanly supports SD-JWT, improved vocabulary for credential status (supporting various revocation mechanisms), better support for credential schemas (defining the expected structure of claims for different credential types), and enhanced security considerations documentation. The 2.0 version also removes the mandatory requirement for JSON-LD processing, allowing simpler JSON-based implementations that are more suitable for mobile wallet environments.

SD-JWT as the EUDI Wallet VC Proof Mechanism

SD-JWT (Selective Disclosure JSON Web Token), specified in IETF draft-ietf-oauth-selective-disclosure-jwt, is the proof mechanism chosen by the EUDI Wallet Architecture Reference Framework for W3C VCs. The mechanism works by having the issuer create a standard JWT where each selectively-disclosable claim is replaced with a hash of the claim value combined with a random salt. The actual claim values and their salts are provided as separate disclosure objects alongside the JWT. The complete issuance package (JWT plus all disclosures) is stored in the holder's wallet.

When presenting the credential, the wallet includes the JWT (with the issuer's signature intact) but only the disclosure objects for the claims that the verifier has requested. The verifier receives the JWT, checks the issuer's signature, then hashes each received disclosure to verify it matches the corresponding hash in the JWT. This proves that the disclosed claims are authentic (signed by the issuer) without revealing the undisclosed claims. The verifier cannot determine even the existence of undisclosed claims beyond what the JWT structure reveals.

The SD-JWT VC profile for the EUDI Wallet adds key binding to the basic SD-JWT mechanism. Key binding requires the holder to prove possession of a private key associated with the credential, preventing credential theft: even if an attacker obtains the SD-JWT and disclosures, they cannot present the credential without the holder's device-bound private key. The key binding proof is a separate JWT signed by the holder's key, containing the verifier's nonce and the hash of the presented SD-JWT, linking the presentation to the specific interaction session.

W3C VC Ecosystem and EUDI Wallet Interoperability

The W3C VC standard provides the EUDI Wallet with interoperability beyond the EU ecosystem. The W3C VC Data Model is adopted by digital identity initiatives worldwide, including the US Department of Homeland Security's digital credential programs, Canada's Pan-Canadian Trust Framework, Australia's Digital Identity System, and various private-sector credential platforms. By building on the W3C standard, EUDI Wallet credentials are positioned for potential international recognition as bilateral or multilateral agreements with non-EU identity frameworks are established.

Within the EUDI Wallet ecosystem, the W3C VC format supports a wide range of credential types. Person Identification Data (PID) credentials contain the holder's core identity attributes as issued by the member state. Qualified Electronic Attestations of Attributes (QEAAs) issued by QTSPs represent professional qualifications, educational achievements, and other verified attributes. Electronic Attestations of Attributes (EAAs) issued by non-qualified entities represent lower-assurance credentials such as loyalty cards, membership certificates, and self-declared attributes. All these credential types use the same W3C VC structure, allowing wallets and verifiers to handle them with common processing logic.

The W3C Verifiable Credentials Working Group continues to develop extensions and best practices that benefit the EUDI Wallet ecosystem. Current work includes the Verifiable Credential API (for standardizing wallet-issuer-verifier interactions), credential status specifications (standardizing revocation checking), and the Verifiable Credentials JSON Schema specification (standardizing credential type definitions). The EUDI Wallet's adoption of the W3C standard ensures it benefits from this ongoing standards evolution while maintaining backward compatibility with existing credentials.

What are W3C Verifiable Credentials?

W3C Verifiable Credentials: World Wide Web Consortium Verifiable Credentials