E-signing and e-sealing Verifiable Credentials and Verifiable Presentations


Context

This page presents the proof formats and schemes currently supported in EBSI. The table below summarizes VC/VP formats and proofs:

| Proof Format | VC/VP Format | Signature Type | Notes |
|---|---|---|---|
| External | JWT | JWS | JWS signature compact serialised. All actors MUST support the following common cryptographic algorithm: ES256. Support for other cryptographic algorithms is encouraged, but OPTIONAL. |
| External | JAdES | eSeal | JAdES signature compact serialised (only Baseline-B supported). |

Verifiable Credentials and Verifiable Attestations in EBSI with external proofs are most often encoded as JWT. This encoding uses mature standards-based methods for signing content. JWT builds on JWS with compact serialisation.

More information on JWT (JSON Web Tokens) can be found here.

More information on JWS (JSON Web Signatures) can be found here.

More information on JWK (JSON Web Key) can be found here.

More information on JAdES can be found here.

Supported digital signatures

| Digital Signature Algorithm | Supported curves/parameters | Implementation Requirements |
|---|---|---|
| ECDSA | NIST P-256 and SHA-256 | Required |
| ECDSA | NIST P-384 and SHA-384 | Optional |
| ECDSA | NIST P-521 and SHA-512 | Optional |
| RSASSA | PKCS1-v1_5 using SHA-256 | Optional |

JWS

JWS compact serialised is the basis for JWT. JWT contains the header, payload, and signature. The header contains information about the used signing algorithm, while the payload contains JWT claims and VC/VP.

Currently, the following cryptographic algorithm MUST be supported by all actors: ES256. Support for other cryptographic algorithms is encouraged, and the current design of VC and VP should work with all well-known cryptographic algorithms that JWS supports.

Verifiable Credential

This section defines which properties of the core VA data model MUST be transformed to JWT claims. Further specializations of VA, e.g., Verifiable ID, do not require any extra processing other than a copy of VA inside the claim vc. The following table provides the mapping from the properties of the VA data model to JWT claims.

| JWT Part | Property | Description |
|---|---|---|
| header | typ | REQUIRED. MUST be JWT. |
| header | alg | REQUIRED. The signature algorithm that was used to sign the VA. Default: ES256. |
| header | kid | REQUIRED. For EBSI DID Method for Legal Persons: MUST point to a DID URI resolving to an issuer's key in the DID Document, e.g., did:ebsi:z219z1CJKSbtFc69M2jHcFmq#key-1. For EBSI DID Method for Natural Persons: MUST be set based on the value of the parameter jwk in the form did:ebsi:<identifier>#<jwk-thumbprint>, e.g., did:ebsi:zmqGLeKsx5Jz74mbPvzff7RtsEfMkfgu9RijDe8nHmYPY#mh9ydQG6Cyc-JYW7mlN-OcUS4pIVCGgxA9kZ4L6G3bc |
| header | jwk | CONDITIONAL. The object containing the key material in the form of a JWK (public key). DID and DID Document are generated from this key. REQUIRED for EBSI DID Method for Natural Persons. |
| payload | iss | REQUIRED. MUST match the value of the property issuer of the VA. |
| payload | sub | REQUIRED. MUST match the value of the property credentialSubject.id of the VA. |
| payload | exp | OPTIONAL. If present, it MUST match the value of the property validUntil of VA. MUST be transformed from RFC 3339 to UNIX timestamp. |
| payload | nbf | REQUIRED. MUST match the value of the property validFrom of VA. MUST be transformed from RFC 3339 to UNIX timestamp. |
| payload | iat | REQUIRED. MUST match the value of the property issued of VA. MUST be transformed from RFC 3339 to UNIX timestamp. |
| payload | jti | REQUIRED. MUST match the value of the property id of VA. |
| payload | vc | REQUIRED. MUST be a valid VA JSON object. |
| signature | | |

Example - Verifiable ID for Natural Person with external proof
{
    "alg": "ES256",
    "typ": "JWT",
    "kid": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq#key-1"
}.{
    "iss": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
    "sub": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1",
    "jti": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
    "iat": 1638360000,
    "nbf": 1638360000,
    "exp": 1953892800,
    "vc": {
        "@context": [
            "https://www.w3.org/2018/credentials/v1"
        ],
        "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
        "type": [
            "VerifiableCredential",
            "VerifiableAttestation",
            "VerifiableId"
        ],
        "issuer": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
        "issued": "2021-12-01T12:00:00.0Z",
        "issuanceDate": "2021-12-01T12:00:00.0Z",
        "validFrom": "2021-12-01T12:00:00.0Z",
        "validUntil": "2031-12-01T12:00:00.0Z",
        "expirationDate": "2031-12-01T12:00:00.0Z",
        "credentialSubject": {
            "id": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1",
            "familyName": "Doe",
            "firstName": "John",
            "dateOfBirth": "1999-03-22",
            "personalIdentifier": "ES/AT/123456789"
        },
        "credentialSchema": {
            "id": "https://api.preprod.ebsi.eu/trusted-schemas-registry/v1/schemas/0x14b05b9213dbe7d343ec1fe1d3c8c739a3f3dc5a59bae55eb38fa0c295124f49#",
            "type": "FullJsonSchemaValidator2021"
        },
        "credentialStatus": {
            "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
            "type": "CredentialStatusList2020"
        },
        "evidence": [{
            "type": [
                "DocumentVerification"
            ],
            "verifier": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
            "evidenceDocument": [
                "Passport"
            ],
            "subjectPresence": "Physical",
            "documentPresence": [
                "Physical"
            ]
        }]
    }
}.<signature>
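
The mapping in the table above can be applied by an issuer and re-checked by a verifier. The following is an added example, not EBSI code: the function names are hypothetical, and the sample VA is a trimmed copy of the Verifiable ID shown above.

```python
import re
from datetime import datetime

# RFC 3339 date-time; fractional seconds are accepted and truncated.
_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[Tt](\d{2}:\d{2}:\d{2})(?:\.\d+)?([Zz]|[+-]\d{2}:\d{2})$"
)


def rfc3339_to_unix(value: str) -> int:
    """Convert an RFC 3339 timestamp to a UNIX timestamp in whole seconds."""
    match = _RFC3339.match(value)
    if match is None:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    date, clock, zone = match.groups()
    offset = "+00:00" if zone in ("Z", "z") else zone
    parsed = datetime.strptime(f"{date}T{clock}{offset}", "%Y-%m-%dT%H:%M:%S%z")
    return int(parsed.timestamp())


def va_to_jwt_claims(va: dict) -> dict:
    """Issuer side: derive the JWT payload claims from a VA JSON object."""
    claims = {
        "iss": va["issuer"],
        "sub": va["credentialSubject"]["id"],
        "jti": va["id"],
        "iat": rfc3339_to_unix(va["issued"]),
        "nbf": rfc3339_to_unix(va["validFrom"]),
        "vc": va,
    }
    if "validUntil" in va:  # exp is OPTIONAL
        claims["exp"] = rfc3339_to_unix(va["validUntil"])
    return claims


def claim_mismatches(claims: dict) -> list:
    """Verifier side: names of the claims that disagree with the embedded vc."""
    vc = claims.get("vc")
    if not isinstance(vc, dict):
        return ["vc"]
    try:
        expected = va_to_jwt_claims(vc)
    except (KeyError, TypeError, ValueError):
        return ["vc"]  # a required VA property is missing or malformed
    bad = [n for n in ("iss", "sub", "jti", "iat", "nbf") if claims.get(n) != expected[n]]
    # exp only has to match validUntil when the claim is present.
    if "exp" in claims and claims["exp"] != expected.get("exp"):
        bad.append("exp")
    return bad


# Sample VA: a trimmed copy of the page's Verifiable ID example.
SAMPLE_VA = {
    "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
    "type": ["VerifiableCredential", "VerifiableAttestation", "VerifiableId"],
    "issuer": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
    "issued": "2021-12-01T12:00:00.0Z",
    "validFrom": "2021-12-01T12:00:00.0Z",
    "validUntil": "2031-12-01T12:00:00.0Z",
    "credentialSubject": {"id": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1"},
}

if __name__ == "__main__":
    claims = va_to_jwt_claims(SAMPLE_VA)
    print({k: v for k, v in claims.items() if k != "vc"})
    print("mismatches:", claim_mismatches(claims))
```

A verifier would run `claim_mismatches` on the decoded payload after the signature has been verified and reject the credential if the list is not empty.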

Verifiable Presentation

This section defines which properties of the core VP data model MUST be transformed to JWT claims. Further specialisations of VP do not require any extra processing other than a copy of VP inside the claim vp. The following table provides the mapping from the properties of the VP data model to JWT claims.

| JWT Part | Property | Description |
|---|---|---|
| header | typ | REQUIRED. MUST be JWT. |
| header | alg | REQUIRED. The signature algorithm used to sign the VA. Default: ES256. |
| header | kid | REQUIRED. For EBSI DID Method for Legal Persons: MUST point to a DID URI resolving to an issuer's key in the DID Document, e.g., did:ebsi:z219z1CJKSbtFc69M2jHcFmq#key-1. For EBSI DID Method for Natural Persons: MUST be set based on the value of the parameter jwk in the form did:ebsi:<identifier>#<jwk-thumbprint>, e.g., did:ebsi:zmqGLeKsx5Jz74mbPvzff7RtsEfMkfgu9RijDe8nHmYPY#mh9ydQG6Cyc-JYW7mlN-OcUS4pIVCGgxA9kZ4L6G3bc |
| header | jwk | CONDITIONAL. The object containing the key material in the form of a JWK (public key). DID and DID Document are generated from this key. REQUIRED for EBSI DID Method for Natural Persons. |
| payload | iss | REQUIRED. MUST match the value of the property holder of the VP. |
| payload | sub | REQUIRED. MUST match the value of the property credentialSubject.id of the VA. |
| payload | aud | REQUIRED. MUST represent the identity of the intended audience. Options: DID of the audience, or URI of the audience. |
| payload | nonce | REQUIRED. Unique value to prevent replay attacks. |
| payload | exp | REQUIRED. Expiration time after which the VP MUST NOT be accepted for processing. |
| payload | nbf | REQUIRED. Time before which the VP MUST NOT be accepted for processing. |
| payload | iat | REQUIRED. Time at which the VP has been issued. |
| payload | jti | OPTIONAL. MUST be a unique identifier for the VP. |
| payload | vp | REQUIRED. MUST be a valid VP JSON object. |
| signature | | |

Example - Verifiable Presentation with external proof
{
    "alg": "ES256",
    "typ": "JWT",
    "kid": "did:ebsi:zmqGLeKsx5Jz74mbPvzff7RtsEfMkfgu9RijDe8nHmYPY#mh9ydQG6Cyc-JYW7mlN-OcUS4pIVCGgxA9kZ4L6G3bc",
    "jwk": {
        "kty": "EC",
        "crv": "secp256k1",
        "x": "uyB--aqjABIl7ou4CkW5wS2qP13Z8B0cVOf7yMlmt04",
        "y": "Zh2H3WMcD-h5pVM5zI6_HJwDY04xlZrZO4VPQoagLQs"
    }
}.{
    "iss": "did:ebsi:z9HdPU5ve8G3qTkU9wqCe915QCBwrsH9hmwbQemVBMQa",
    "sub": "did:ebsi:z9HdPU5ve8G3qTkU9wqCe915QCBwrsH9hmwbQemVBMQa",
    "aud": "https://api.test.intebsi.xyz/conformance/v1/verifier-mock/authentication-responses",
    "nonce": "343s$FSFDa-",
    "jti": "urn:ebsi:VP#1dee355d-0432-4910-ac9c-70d89e8d674e",
    "iat": 1638316800,
    "nbf": 1638316800,
    "exp": 1953849600,
    "vp": {
        "@context": [
            "https://www.w3.org/2018/credentials/v1"
        ],
        "type": [
            "VerifiablePresentation"
        ],
        "holder": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1",
        "verifiableCredential": ["<JWT VA>"]
    }
}.<signature>
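
The VP claims aud, nonce, exp and nbf only protect against replay if the verifier enforces them. The following is an added example, not EBSI code, of those checks on a decoded VP payload whose signature has already been verified. The class name, the in-memory nonce store, the 30-second leeway and the sample values are assumptions.

```python
import secrets
import time


class VpClaimVerifier:
    """Verifier-side checks for the VP JWT claims listed in the table above."""

    REQUIRED = ("iss", "sub", "aud", "nonce", "exp", "nbf", "iat", "vp")

    def __init__(self, audience: str, leeway: int = 30):
        self.audience = audience  # this verifier's own DID or URI
        self.leeway = leeway      # tolerated clock skew in seconds (assumed value)
        self._pending = {}        # nonce -> time it was handed out

    def issue_nonce(self, now=None) -> str:
        """Create the nonce the holder must echo back in the VP."""
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = time.time() if now is None else now
        return nonce

    def check(self, claims: dict, now=None) -> list:
        """Return a list of problems; an empty list means the claims are acceptable."""
        now = time.time() if now is None else now
        problems = [f"missing {name}" for name in self.REQUIRED if name not in claims]
        if problems:
            return problems
        if claims["aud"] != self.audience:
            problems.append("aud is not this verifier")
        exp, nbf = claims["exp"], claims["nbf"]
        if not all(isinstance(v, (int, float)) for v in (exp, nbf)):
            problems.append("exp and nbf must be numeric")
        else:
            if now >= exp + self.leeway:
                problems.append("expired")
            if now < nbf - self.leeway:
                problems.append("not yet valid")
        vp = claims["vp"]
        holder = vp.get("holder") if isinstance(vp, dict) else None
        if claims["iss"] != holder:
            problems.append("iss does not match vp.holder")
        # A nonce is consumed the first time it is presented, so a captured
        # VP cannot be submitted a second time.
        if self._pending.pop(claims["nonce"], None) is None:
            problems.append("nonce unknown or already used")
        return problems


def sample_claims(nonce: str, audience: str) -> dict:
    """Constructed sample payload; the DID and timestamps reuse values from the page."""
    holder = "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1"
    return {
        "iss": holder,
        "sub": holder,
        "aud": audience,
        "nonce": nonce,
        "iat": 1638316800,
        "nbf": 1638316800,
        "exp": 1953849600,
        "vp": {
            "type": ["VerifiablePresentation"],
            "holder": holder,
            "verifiableCredential": ["<JWT VA>"],
        },
    }


if __name__ == "__main__":
    verifier = VpClaimVerifier("https://verifier.example/responses")
    presented = sample_claims(verifier.issue_nonce(), verifier.audience)
    print("first submission:", verifier.check(presented, now=1700000000))
    print("replayed submission:", verifier.check(presented, now=1700000000))
```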

JAdES (eSeal)

The eIDAS Regulation defines multiple levels of electronic signatures. It sets the standards for electronic signatures needed to securely conduct business online in the European Single Market (ESM). One type of electronic signature is the advanced electronic signature (AdES), which meets the requirements of the eIDAS Regulation on electronic identification and trust services for electronic transactions. Therefore, Legal Entities MUST use advanced electronic signatures and electronic seals when signing documents in the ESM. AdES relies on a public-key infrastructure (PKI), which involves using certificates and cryptographic keys. JAdES is a specialisation of AdES for JSON data.

The JAdES signature scheme builds upon JWS. The outcome is a JWS token with extra properties in the header. Many of the new header properties have the same semantics as the properties defined in other ETSI standards for AdES.

There are four JAdES baseline signatures. Each baseline adds incremental requirements to maintain the validity of the signatures over the long term, with each level requiring the presence of certain JAdES header parameters (page 43 of JAdES specs). Currently, only Baseline-B is supported since this is the only baseline with support for JWT.

| JWT Part | Property | Description |
|---|---|---|
| header | typ | REQUIRED. MUST be jose. |
| header | alg | REQUIRED. The underlying signature algorithm used to sign the VA. |
| header | cty | REQUIRED. Content type. MUST be json. |
| header | kid | REQUIRED. Key identifier. Hint for identifying the signing certificate. |
| header | x5t#S256 | REQUIRED. X.509 certificate SHA-256 thumbprint. |
| header | x5c | REQUIRED. X.509 certificate chain. |
| header | sigT | REQUIRED. Time of the signing process. |
| header | crit | REQUIRED. Names of all the signed header parameters. |

Example - Verifiable ID for Natural Person with JAdES Signature
{
  "alg": "RS256",
  "cty": "json",
  "kid": "MGcwYKReMFwxCzAJBgNVBAYTAlNJMRQwEgYDVQQKEwtIYWxjb20gZC5kLjEXMBUGA1UEYRMOVkFUU0ktNDMzNTMxMjYxHjAcBgNVBAMTFUhhbGNvbSBDQSBQTyBlLXNlYWwgMQIDEPSP",
  "x5t#S256": "-zpb6qm4B4NrqhEhjoloohMtoj9jRm7BJXG3jkWB4EQ",
  "x5c": [
    "<X.509 certificate>"
  ],
  "typ": "jose",
  "sigT": "2022-04-13T07:18:32Z",
  "crit": [
    "sigT"
  ]
}
.
{
    "iss": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
    "sub": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1",
    "jti": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
    "iat": 1638360000,
    "nbf": 1638360000,
    "exp": 1953892800,
    "vc": {
        "@context": [
            "https://www.w3.org/2018/credentials/v1"
        ],
        "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
        "type": [
            "VerifiableCredential",
            "VerifiableAttestation",
            "VerifiableId"
        ],
        "issuer": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
        "issued": "2021-12-01T12:00:00.0Z",
        "issuanceDate": "2021-12-01T12:00:00.0Z",
        "validFrom": "2021-12-01T12:00:00.0Z",
        "validUntil": "2031-12-01T12:00:00.0Z",
        "expirationDate": "2031-12-01T12:00:00.0Z",
        "credentialSubject": {
            "id": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1",
            "familyName": "Doe",
            "firstName": "John",
            "dateOfBirth": "1999-03-22",
            "personalIdentifier": "ES/AT/123456789"
        },
        "credentialSchema": {
            "id": "https://api.preprod.ebsi.eu/trusted-schemas-registry/v1/schemas/0x14b05b9213dbe7d343ec1fe1d3c8c739a3f3dc5a59bae55eb38fa0c295124f49#",
            "type": "FullJsonSchemaValidator2021"
        },
        "credentialStatus": {
            "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
            "type": "CredentialStatusList2020"
        },
        "evidence": [{
            "type": [
                "DocumentVerification"
            ],
            "verifier": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
            "evidenceDocument": [
                "Passport"
            ],
            "subjectPresence": "Physical",
            "documentPresence": [
                "Physical"
            ]
        }]
    }
}.<signature>

How to sign VC and VP

This section describes how to sign a Verifiable Credential or Verifiable Presentation. If you follow these steps, the VC/VP will be compatible with the EBSI ecosystem.

Step 1. Prepare VC or VP in JSON format.

Input: VC/VP Data Model

Output: Verifiable Credential

Example - Verifiable ID
{
        "@context": [
            "https://www.w3.org/2018/credentials/v1"
        ],
        "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
        "type": [
            "VerifiableCredential",
            "VerifiableAttestation",
            "VerifiableId"
        ],
        "issuer": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
        "issued": "2021-12-01T12:00:00.0Z",
        "issuanceDate": "2021-12-01T12:00:00.0Z",
        "validFrom": "2021-12-01T12:00:00.0Z",
        "validUntil": "2031-12-01T12:00:00.0Z",
        "expirationDate": "2031-12-01T12:00:00.0Z",
        "credentialSubject": {
            "id": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1",
            "familyName": "Doe",
            "firstName": "John",
            "dateOfBirth": "1999-03-22",
            "personalIdentifier": "ES/AT/123456789"
        },
        "credentialSchema": {
            "id": "https://api.preprod.ebsi.eu/trusted-schemas-registry/v1/schemas/0x14b05b9213dbe7d343ec1fe1d3c8c739a3f3dc5a59bae55eb38fa0c295124f49#",
            "type": "FullJsonSchemaValidator2021"
        },
        "credentialStatus": {
            "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
            "type": "CredentialStatusList2020"
        },
        "evidence": [{
            "type": [
                "DocumentVerification"
            ],
            "verifier": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
            "evidenceDocument": [
                "Passport"
            ],
            "subjectPresence": "Physical",
            "documentPresence": [
                "Physical"
            ]
        }]
}
Notes: Use one of the EBSI VC data models found here.

Step 2. Digitally sign the VC/VP.

JWS

Step 2a. Signing for external proof

Input: Verifiable Credential with additional claim properties and JWK private key

Example - Verifiable ID with additional claim properties
{
    "iss": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
    "sub": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1",
    "jti": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
    "iat": 1638360000,
    "nbf": 1638360000,
    "exp": 1953892800,
    "vc": {
        "@context": [
            "https://www.w3.org/2018/credentials/v1"
        ],
        "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
        "type": [
            "VerifiableCredential",
            "VerifiableAttestation",
            "VerifiableId"
        ],
        "issuer": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
        "issued": "2021-12-01T12:00:00.0Z",
        "issuanceDate": "2021-12-01T12:00:00.0Z",
        "validFrom": "2021-12-01T12:00:00.0Z",
        "validUntil": "2031-12-01T12:00:00.0Z",
        "expirationDate": "2031-12-01T12:00:00.0Z",
        "credentialSubject": {
            "id": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1",
            "familyName": "Doe",
            "firstName": "John",
            "dateOfBirth": "1999-03-22",
            "personalIdentifier": "ES/AT/123456789"
        },
        "credentialSchema": {
            "id": "https://api.preprod.ebsi.eu/trusted-schemas-registry/v1/schemas/0x14b05b9213dbe7d343ec1fe1d3c8c739a3f3dc5a59bae55eb38fa0c295124f49#",
            "type": "FullJsonSchemaValidator2021"
        },
        "credentialStatus": {
            "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
            "type": "CredentialStatusList2020"
        },
        "evidence": [
            {
                "type": [
                    "DocumentVerification"
                ],
                "verifier": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
                "evidenceDocument": [
                    "Passport"
                ],
                "subjectPresence": "Physical",
                "documentPresence": [
                    "Physical"
                ]
            }
        ]
    }
}

Output: JWS signature (compact serialisation)

Notes: Any library that supports JWS signatures can be used, e.g., Authlib.

JAdES

Step 2b. Signing for external proof

Input: Verifiable Credential with additional claim properties and X.509 certificate

Example - Verifiable ID with additional claim properties
{
    "iss": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
    "sub": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1",
    "jti": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
    "iat": 1638360000,
    "nbf": 1638360000,
    "exp": 1953892800,
    "vc": {
        "@context": [
            "https://www.w3.org/2018/credentials/v1"
        ],
        "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
        "type": [
            "VerifiableCredential",
            "VerifiableAttestation",
            "VerifiableId"
        ],
        "issuer": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
        "issued": "2021-12-01T12:00:00.0Z",
        "issuanceDate": "2021-12-01T12:00:00.0Z",
        "validFrom": "2021-12-01T12:00:00.0Z",
        "validUntil": "2031-12-01T12:00:00.0Z",
        "expirationDate": "2031-12-01T12:00:00.0Z",
        "credentialSubject": {
            "id": "did:ebsi:zsSgDXeYPhZ3AuKhTFneDf1",
            "familyName": "Doe",
            "firstName": "John",
            "dateOfBirth": "1999-03-22",
            "personalIdentifier": "ES/AT/123456789"
        },
        "credentialSchema": {
            "id": "https://api.preprod.ebsi.eu/trusted-schemas-registry/v1/schemas/0x14b05b9213dbe7d343ec1fe1d3c8c739a3f3dc5a59bae55eb38fa0c295124f49#",
            "type": "FullJsonSchemaValidator2021"
        },
        "credentialStatus": {
            "id": "urn:ebsi:status:identity:verifiableID#1dee355d-0432-4910-ac9c-70d89e8d674e",
            "type": "CredentialStatusList2020"
        },
        "evidence": [
            {
                "type": [
                    "DocumentVerification"
                ],
                "verifier": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq",
                "evidenceDocument": [
                    "Passport"
                ],
                "subjectPresence": "Physical",
                "documentPresence": [
                    "Physical"
                ]
            }
        ]
    }
}

Output: JAdES signature (compact serialisation)

Notes: This step can be done with DSS.

How to verify VC and VP

This section describes how to verify the proof of Verifiable Credentials and Verifiable Presentations.

Step 1. Extract signature type

Check the header of the JWT: if it contains JAdES-specific header properties, e.g., x5c, then it is a JAdES signature, else JWS.

Step 2. Verify signature

JWS

Step 2a. Extract DID EBSI version

Check the header of the JWT: if the properties kid and jwk are both present, then it is the EBSI DID Method for Natural Persons, else the EBSI DID Method for Legal Persons.

EBSI DID Method for Legal Persons: resolve DID Document and public key.

EBSI DID Method for Natural Persons: construct DID Document from the JWK public key and DID identifier.

For more information: EBSI DID Method.

Step 2b. Verifying external proof

Verify the JWS signature (Compact Serialisation) with any library that supports JWS signatures.

JAdES

Step 2b. Verifying external proof

Verify the JAdES signature with DSS:

  • signed file: JWT
  • original file: decode base64 encoded payload
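
Steps 1 and 2a above amount to a routing decision made on the JWT header before any signature is checked. The following is an added example, not EBSI code, that makes that decision and rejects headers that cannot be routed safely. The function names and the set of JAdES marker parameters are hypothetical, and the `<jwk-thumbprint>` is assumed to be the RFC 7638 SHA-256 JWK thumbprint. The signature verification itself is left to a JWS library or DSS, as the steps describe.

```python
import base64
import hashlib
import json

# JWS "alg" names for the algorithms in the page's supported-signatures table.
ALLOWED_ALGS = {"ES256", "ES384", "ES512", "RS256"}
# Header parameters treated here as JAdES markers (the page names x5c as an example).
JADES_MARKERS = {"x5c", "x5t#S256", "sigT"}


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint: required members only, sorted, no whitespace."""
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}.get(jwk.get("kty"))
    if members is None or any(m not in jwk for m in members):
        raise ValueError("unsupported or incomplete JWK")
    canonical = json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def route_proof(token: str) -> dict:
    """Decide how a compact JWT must be verified; raise ValueError to reject it."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:
        raise ValueError("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    alg, kid, typ = header.get("alg"), header.get("kid"), header.get("typ")
    # The allow-list also rejects "none" and a missing alg.
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError(f"unsupported alg: {alg!r}")
    if not isinstance(kid, str) or not kid:
        raise ValueError("kid is REQUIRED")
    if JADES_MARKERS.intersection(header):
        if typ != "jose":
            raise ValueError("JAdES header must have typ jose")
        return {"signature": "JAdES", "alg": alg, "key_source": "x5c"}
    if typ != "JWT":
        raise ValueError("JWS header must have typ JWT")
    did, sep, fragment = kid.partition("#")
    if not did.startswith("did:ebsi:") or not sep or not fragment:
        raise ValueError("kid is not an EBSI DID URL with a key fragment")
    if "jwk" in header:
        # Natural person: the key travels in the header, so it must be bound to kid.
        # Deriving the DID identifier itself from the key is not covered here.
        if not isinstance(header["jwk"], dict) or fragment != jwk_thumbprint(header["jwk"]):
            raise ValueError("kid fragment does not match the jwk thumbprint")
        return {"signature": "JWS", "alg": alg, "did_method": "natural-person",
                "did": did, "key_source": "jwk"}
    return {"signature": "JWS", "alg": alg, "did_method": "legal-person",
            "did": did, "key_source": "did-document"}


def make_sample(header: dict) -> str:
    """Constructed sample token: real header, dummy payload and dummy signature."""
    def enc(obj):
        return b64url_encode(json.dumps(obj).encode("utf-8"))
    return f"{enc(header)}.{enc({'vc': {}})}.{b64url_encode(b'constructed-signature')}"


# JWK copied from the page's Verifiable Presentation example.
PAGE_JWK = {"kty": "EC", "crv": "secp256k1",
            "x": "uyB--aqjABIl7ou4CkW5wS2qP13Z8B0cVOf7yMlmt04",
            "y": "Zh2H3WMcD-h5pVM5zI6_HJwDY04xlZrZO4VPQoagLQs"}

if __name__ == "__main__":
    legal = {"alg": "ES256", "typ": "JWT", "kid": "did:ebsi:z219z1CJKSbtFc69M2jHcFmq#key-1"}
    print(route_proof(make_sample(legal)))
```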