This specification is licensed under the FIWARE Open Specification License.
This specification describes the application programming interfaces (API) of the ABCE layer, focusing solely on the API that the ABCE layer exposes to the upper layers, in particular, to the application layer. This information is mainly intended for application developers who want to build applications that make use of ABCE technology. The interfaces are described in an object-oriented fashion as a list of methods that take input parameters of certain types and that produce an output of a certain return type. The data types of the input and return types either refer to XML artifacts as defined in Chapter 4 or to simple XML Schema datatypes such as boolean or string. For ease of integration with applications built on top of our ABCE layer, the actual implementation will offer the top-level ABCE interfaces described below as web services. The descriptions below must therefore be mapped to descriptions in the Web Services Description Language (WSDL). Doing so is straightforward, so for the sake of readability we stick to an object-oriented notation here.
This is a work in progress and is changing on a daily basis.
(This section was taken from Release 3 and was written by IBM Research.) Given the multitude of distributed entities involved in a full-fledged Privacy-ABC system, the communication formats that are used by the various system entities must be fixed. Rather than profiling an existing standard format for identity management protocols such as SAML, WS-Trust, or OpenID, we felt that the many unique features of Privacy-ABCs were more suitably addressed by defining a dedicated format. In particular, existing standards do not support typical Privacy-ABC features such as pseudonyms, inspection, privacy-enhanced revocation, or advanced issuance protocols. In Chapter 8, we discuss how our Privacy-ABC infrastructure could be integrated with a number of existing frameworks. This chapter provides the specification for data artifacts exchanged during the issuance, presentation, revocation, and inspection of privacy-enhancing attribute-based credentials. Our specification separates the mechanism-independent information conveyed by the artifacts from the opaque mechanism-specific cryptographic data. This specification only defines the format for the mechanism-independent information. It provides anchor points for where instantiating technologies, in particular, U-Prove and Identity Mixer, can insert mechanism-specific data, but does not fix standard formats for this data. For the specification we use XML notation in the spirit of XML Schema, but refrain from providing a full-fledged XML Schema specification within this document for the sake of readability; we do, however, make available a separate XML schema file for the artifacts defined here at https://abc4trust.eu/download/xml/ABC4Trust_schema_H2.1.xsd. Although the artifacts are defined in XML, one could create a profile using a different encoding (ASN.1, JSON, etc.). See the corresponding schema file for more details.
We start in Section Terminology and Notation with introducing the terminology and notation used throughout this chapter. Section Setup then provides the artifacts for the setup of the different Privacy-ABC entities, which includes e.g., the description of the credential type and the public parameters of an Issuer and Inspector. In Section Revocation the specifications for all artifacts related to revocation are given. For the presentation of a token, the corresponding specifications of a presentation policy and a presentation token are introduced in Section Presentation. Section Issuance is then dedicated to the Issuance of a credential and provides artifacts for the issuance policy and issuance token. Finally, Section Identity Selection and Credential Management introduces the data formats that are sent to and expected from (graphical) user interfaces.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “RECOMMENDED”, and “MAY” in this document are to be interpreted as described in RFC2119. This specification uses the following syntax to define outlines for XML data: the syntax appears as an XML instance, but values in italics indicate data types instead of literal values. Characters are appended to elements and attributes to indicate cardinality:
* “?” (0 or 1)
* “*” (0 or more)
* “+” (1 or more)
The character “|” is used to indicate a choice between elements. The characters “(“ and “)” are used to indicate that contained items are to be treated as a group with respect to cardinality or choice. XML namespace prefixes (see Table XML namespaces) are used to indicate the namespace of the element being defined. XML elements and attributes defined by this specification are referred to in the text of this document using XPath 1.0 expressions.
The base XML namespace URI used by the definitions in this document is as follows:
| Prefix | XML Namespace | Specification |
|---|---|---|
| xs | http://www.w3.org/2001/XMLSchema | XMLSchema2 |
| abc | http://abc4trust.eu/wp2 | This document |
The credential specification describes the contents of the credentials. It can be created by the issuer or by any external authority so that multiple issuers can issue credentials of the same specification. How this artifact is protected (authenticated) is application specific; e.g., it could be included in an XML-signed document or provided as part of some metadata retrievable from a trusted source.
```xml
<abc:CredentialSpecification Version="1.0" KeyBinding="xs:boolean" Revocable="xs:boolean">
  <abc:SpecificationUID>xs:anyURI</abc:SpecificationUID>
  <abc:FriendlyCredentialName lang="xs:language">xs:string</abc:FriendlyCredentialName>*
  <abc:DefaultImageReference>xs:anyURI</abc:DefaultImageReference>?
  <abc:AttributeDescriptions MaxLength="xs:unsignedInt">
    <abc:AttributeDescription Type="xs:anyURI" DataType="xs:anyURI" Encoding="xs:anyURI">
      <abc:FriendlyAttributeName lang="xs:language">xs:string</abc:FriendlyAttributeName>*
      <abc:AllowedValue>…</abc:AllowedValue>*
    </abc:AttributeDescription>*
  </abc:AttributeDescriptions>
</abc:CredentialSpecification>
```
The following describes the attributes and elements listed in the schema outlined above:
/abc:CredentialSpecification
This element contains the credential specification defining the contents of issued credentials adhering to this specification.
/abc:CredentialSpecification/@Version
This attribute indicates the version of this specification. The value MUST be “1.0”.
/abc:CredentialSpecification/@KeyBinding
This attribute indicates whether credentials adhering to this specification must be bound to a secret key.
/abc:CredentialSpecification/@Revocable
This attribute indicates whether credentials adhering to this specification are revocable or not. If the Revocable attribute is set to true, then this credential specification MUST contain a dedicated attribute for the revocation handle with attribute type http://abc4trust.eu/wp2/abcschemav1.0/revocationhandle. The data type and encoding mechanism for the revocation handle are defined by the cryptographic mechanism used for revocation. The revocation handle is automatically assigned a unique value by the issuance algorithm, possibly involving a communication step with the Revocation Authority. Even though there are no syntactical restrictions imposing this, presentation policies SHOULD NOT request to reveal the value of the revocation handle, as doing so enables Verifiers to link presentation tokens generated with the same credential. If necessary, inspection can be used to reveal the value of the revocation handle only under specific circumstances.
/abc:CredentialSpecification/abc:SpecificationUID
This element contains a URI that uniquely identifies the credential specification.
/abc:CredentialSpecification/abc:FriendlyCredentialName
This optional element provides a friendly textual name for the credential. The content of this element MUST be localized in a specific language.
/abc:CredentialSpecification/abc:FriendlyCredentialName/@lang
A required language identifier, using the language codes specified in RFC 3066, in which the content of the abc:FriendlyCredentialName element has been localized.
/abc:CredentialSpecification/abc:DefaultImageReference
This optional element contains a reference from which the default image for credentials issued according to this credential specification can be obtained. When implementing a Privacy-ABC system, downloading images from the identity providers should be handled carefully. The reference to the external image resource must not be used every time the credential is presented. To avoid linkability when using the credential, the corresponding image must be downloaded and stored locally at the user’s side during issuance.
/abc:CredentialSpecification/abc:AttributeDescriptions
This element contains the descriptions of the attributes issued using this specification, encoded in order in the n child elements. It is empty if n=0, i.e., if abc:AttributeDescriptions has no child elements.
…/abc:AttributeDescriptions/abc:AttributeDescription
This element contains the description of one credential attribute.
…/abc:AttributeDescriptions/abc:AttributeDescription/@MaxLength
This attribute specifies the maximal length in bits of the integers to which attribute values are mapped using the encoding function. The key length of any Issuer Parameters used to issue credentials adhering to this credential specification must be large enough so that attributes of the bit length specified here can be supported. It is up to each specific credential mechanism to describe which key length supports which attribute bit length.
…/abc:AttributeDescriptions/abc:AttributeDescription/@Type
This attribute contains the unique identifier of an attribute type encoded in credentials adhering to this specification. The attribute type is a URI, to which a semantic is associated by the definition of the attribute type. The definition of attribute types is outside the scope of this document; we refer to Section 7.5 in IMI1.0 for examples. The attribute type (e.g., http://example.com/firstname) is not to be confused with the data type (e.g., xs:string) that is specified by the DataType attribute.
…/abc:AttributeDescriptions/abc:AttributeDescription/@DataType
This attribute contains the data type of the credential attribute. The supported attribute data types are the following subset of XML Schema data types. We refer to the XML Schema specification (http://www.w3.org/TR/xmlschema-2) for more information on these data types.
When specifying values for attributes of these types, the following additional restrictions must be adhered to:
…/abc:AttributeDescriptions/abc:AttributeDescription/@Encoding
To be embedded in a Privacy-ABC, credential attribute values must typically be mapped to integers of a fixed length indicated by the AttributeDescription/@MaxLength attribute. The Encoding XML attribute specifies how the value of this credential attribute is mapped to such an integer. Each data type has one or more possible encoding algorithms. The encoding used may influence which values can be encoded, whether inspection can be used for this attribute, and which predicates can be proved over the attribute values (see Section Presentation Policy). In order to apply a predicate over multiple credential attributes, the credential attributes MUST have the same encoding. The following is a list of supported encodings and their respective properties. Recommendations for typical usage are included as comments.
Encoding: urn:abc4trust:1.0:encoding:string:sha-256
Data type: http://www.w3.org/2001/XMLSchema#string
Restrictions: none
Inspectable: no (hash value only)
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:string-equal
urn:abc4trust:1.0:function:string-not-equal
Comments: Best suited for strings of arbitrary lengths that are unlikely to be used for inspection.
Encoding: urn:abc4trust:1.0:encoding:string:utf-8
Data type: http://www.w3.org/2001/XMLSchema#string
Restrictions: the UTF-8 encoded string must be shorter than @MaxLength - 8 bits, i.e., @MaxLength/8 - 1 bytes
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:string-equal
urn:abc4trust:1.0:function:string-not-equal
Comments: Best suited for short strings where the possibility to use inspection should be kept open. For long strings that are likely to require inspection, please consider splitting up the attribute into multiple attributes with this encoding.
Encoding: urn:abc4trust:1.0:encoding:string:prime
Data type: http://www.w3.org/2001/XMLSchema#string
Restrictions: Can only be used for attributes where the value range is restricted by a list of …/abc:AttributeDescription/abc:AllowedValue elements.
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:string-equal
urn:abc4trust:1.0:function:string-not-equal
urn:abc4trust:1.0:function:string-equal-one-of
Comments: Best choice for attributes with a limited value range where presentation policies are likely to request showing that the attribute value is one of a given list of strings without revealing the exact value.
Encoding: urn:abc4trust:1.0:encoding:anyUri:sha-256
Data type: http://www.w3.org/2001/XMLSchema#anyURI
Restrictions: none
Inspectable: no (hash value only)
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
urn:abc4trust:1.0:function:anyURI-not-equal
Comments: Best suited for URIs of arbitrary lengths that are unlikely to be used for inspection.
Encoding: urn:abc4trust:1.0:encoding:anyUri:utf-8
Data type: http://www.w3.org/2001/XMLSchema#anyURI
Restrictions: shorter than @MaxLength bytes
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
urn:abc4trust:1.0:function:anyURI-not-equal
Comments: Best suited for short URIs where the possibility to use inspection should be kept open. For long URIs that are likely to require inspection, please consider splitting up the attribute into multiple attributes with this encoding.
Encoding: urn:abc4trust:1.0:encoding:anyURI:prime
Data type: http://www.w3.org/2001/XMLSchema#anyURI
Restrictions: Can only be used for attributes where the value range is restricted by a list of …/abc:AttributeDescription/abc:AllowedValue elements.
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
urn:abc4trust:1.0:function:anyURI-not-equal
urn:abc4trust:1.0:function:anyURI-equal-one-of
Comments: Best choice for attributes with a limited value range where presentation policies are likely to request showing that the attribute value is one of a given list of URIs without revealing the exact value.
Encoding: urn:abc4trust:1.0:encoding:dateTime:unix:signed
Data type: http://www.w3.org/2001/XMLSchema#dateTime
Restrictions: none
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal
urn:abc4trust:1.0:function:dateTime-not-equal
Comments: Good default choice for times that can be far in the past and/or future. Greater-than and less-than predicates may be slightly less efficient using this encoding.
Encoding: urn:abc4trust:1.0:encoding:dateTime:unix:unsigned
Data type: http://www.w3.org/2001/XMLSchema#dateTime
Restrictions: since 1970
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than
urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than
urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal
urn:abc4trust:1.0:function:dateTime-not-equal
Comments: Best choice for times after 1970 that are likely to be used in combination with greater-than or less-than predicates.
Encoding: urn:abc4trust:1.0:encoding:dateTime:prime
Data type: http://www.w3.org/2001/XMLSchema#dateTime
Restrictions: Can only be used for attributes where the value range is restricted by a list of …/abc:AttributeDescription/abc:AllowedValue elements.
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal
urn:abc4trust:1.0:function:dateTime-not-equal
urn:abc4trust:1.0:function:dateTime-equal-one-of
Comments: Best choice for attributes with a limited value range where presentation policies are likely to request showing that the attribute value is one of a given list of times without revealing the exact value.
Encoding: urn:abc4trust:1.0:encoding:date:unix:signed
Data type: http://www.w3.org/2001/XMLSchema#date
Restrictions: none
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:date-equal
urn:oasis:names:tc:xacml:1.0:function:date-greater-than
urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:date-less-than
urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal
urn:abc4trust:1.0:function:date-not-equal
Comments: Good default choice for dates that can be far in the past and/or future. Greater-than and less-than predicates may be less efficient using this encoding.
Encoding: urn:abc4trust:1.0:encoding:date:unix:unsigned
Data type: http://www.w3.org/2001/XMLSchema#date
Restrictions: since 1970
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:date-equal
urn:oasis:names:tc:xacml:1.0:function:date-greater-than
urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:date-less-than
urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal
urn:abc4trust:1.0:function:date-not-equal
Comments: Best choice for dates after 1970 that are likely to be used in combination with greater-than or less-than predicates.
Encoding: urn:abc4trust:1.0:encoding:date:since1870:unsigned
Data type: http://www.w3.org/2001/XMLSchema#date
Restrictions: since 1870
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:date-equal
urn:oasis:names:tc:xacml:1.0:function:date-greater-than
urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:date-less-than
urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal
urn:abc4trust:1.0:function:date-not-equal
Comments: Best choice for birth dates, which are likely to fall after 1870 but are likely to require efficient greater-than or less-than predicates.
Encoding: urn:abc4trust:1.0:encoding:date:since2010:unsigned
Data type: http://www.w3.org/2001/XMLSchema#date
Restrictions: since 2010
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:date-equal
urn:oasis:names:tc:xacml:1.0:function:date-greater-than
urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:date-less-than
urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal
urn:abc4trust:1.0:function:date-not-equal
Comments: Best choice for expiration dates, which are likely to fall after 2010 but are likely to require efficient greater-than or less-than predicates.
Encoding: urn:abc4trust:1.0:encoding:date:prime
Data type: http://www.w3.org/2001/XMLSchema#date
Restrictions: Can only be used for attributes where the value range is restricted by a list of …/abc:AttributeDescription/abc:AllowedValue elements.
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:date-equal
urn:abc4trust:1.0:function:date-not-equal
urn:abc4trust:1.0:function:date-equal-one-of
Comments: Best choice for attributes with a limited value range where presentation policies are likely to request showing that the attribute value is one of a given list of dates without revealing the exact value.
Encoding: urn:abc4trust:1.0:encoding:boolean:unsigned
Data type: http://www.w3.org/2001/XMLSchema#boolean
Restrictions: none
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:boolean-equal
urn:abc4trust:1.0:function:boolean-not-equal
Encoding: urn:abc4trust:1.0:encoding:integer:unsigned
Data type: http://www.w3.org/2001/XMLSchema#integer
Restrictions: positive (including zero)
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:integer-equal
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:integer-less-than
urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal
urn:abc4trust:1.0:function:integer-not-equal
Comments: Best for integers that cannot take negative values.
Encoding: urn:abc4trust:1.0:encoding:integer:signed
Data type: http://www.w3.org/2001/XMLSchema#integer
Restrictions: none
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:integer-equal
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than
urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal
urn:oasis:names:tc:xacml:1.0:function:integer-less-than
urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal
urn:abc4trust:1.0:function:integer-not-equal
Comments: Best choice for integers that can have positive or negative values.
Encoding: urn:abc4trust:1.0:encoding:integer:prime
Data type: http://www.w3.org/2001/XMLSchema#integer
Restrictions: Can only be used for attributes where the value range is restricted by a list of …/abc:AttributeDescription/abc:AllowedValue elements.
Inspectable: yes
Supported predicates:
urn:oasis:names:tc:xacml:1.0:function:integer-equal
urn:abc4trust:1.0:function:integer-not-equal
urn:abc4trust:1.0:function:integer-equal-one-of
Comments: Best choice for attributes with a limited value range where presentation policies are likely to request showing that the attribute value is one of a given list of integers without revealing the exact value.
…/abc:AttributeDescriptions/abc:AttributeDescription/abc:FriendlyAttributeName
This optional element provides a friendly textual name for the attribute in the credential. The content of this element MUST be localized in a specific language.
…/abc:AttributeDescriptions/abc:AttributeDescription/abc:FriendlyAttributeName/@lang
A required language identifier, using the language codes specified in RFC 3066, in which the content of the abc:FriendlyAttributeName element has been localized.
…/abc:AttributeDescriptions/abc:AttributeDescription/abc:AllowedValue
When present, a list of AllowedValue elements restricts the range of the value of this credential attribute to the specified list of values. Each AllowedValue element contains one possible value of the credential attribute. If abc:AttributeDescription contains one or more abc:AllowedValue elements, the actual value of the attribute of an issued credential MUST be from the specified set of allowed values. The contents of the abc:AllowedValue elements MUST be of the data type specified by the abc:AttributeDescription/@DataType attribute of the parent abc:AttributeDescription element.
In order to issue credentials, the issuer must specify system parameters, and generate a key pair consisting of a secret issuing key and a public verification key. The issuer publishes its public parameters using the artifact described below. How this artifact is protected (authenticated) is application specific; e.g., it could be included in a certificate signed by a certification authority, or could be provided as part of some metadata retrievable from a trusted source. Note that one set of issuer parameters can be used to issue credentials according to several different credential specifications.
```xml
<abc:IssuerParameters Version="1.0">
  <abc:ParametersUID>xs:anyURI</abc:ParametersUID>
  <abc:FriendlyIssuerDescription lang="xs:language">xs:string</abc:FriendlyIssuerDescription>*
  <abc:AlgorithmID>xs:anyURI</abc:AlgorithmID>
  <abc:SystemParameters>…</abc:SystemParameters>
  <abc:MaxNumberOfAttributes>xs:int</abc:MaxNumberOfAttributes>
  <abc:HashAlgorithm>xs:anyURI</abc:HashAlgorithm>
  <abc:CryptoParams>…</abc:CryptoParams>
  <abc:KeyBindingInfo>…</abc:KeyBindingInfo>?
  <abc:RevocationParametersUID>…</abc:RevocationParametersUID>?
</abc:IssuerParameters>
```
The following describes the attributes and elements listed in the schema outlined above:
/abc:IssuerParameters
This element contains an issuer’s public parameters.
/abc:IssuerParameters/@Version
This attribute indicates the version of this specification. The value MUST be “1.0”.
/abc:IssuerParameters/abc:ParametersUID
This element contains a URI that uniquely identifies the public issuer parameters.
/abc:IssuerParameters/abc:FriendlyIssuerDescription
This optional element provides a friendly textual description of the issuer. The content of this element MUST be localized in a specific language.
/abc:IssuerParameters/abc:FriendlyIssuerDescription/@lang
A required language identifier, using the language codes specified in RFC 3066, in which the content of the abc:FriendlyIssuerDescription element has been localized.
/abc:IssuerParameters/abc:AlgorithmID
This element identifies the algorithm of the public issuer parameters. The algorithm URIs urn:abc4trust:1.0:algorithm:idemix for Identity Mixer and urn:abc4trust:1.0:algorithm:uprove for U-Prove MUST be supported; other algorithms MAY be supported.
/abc:IssuerParameters/abc:SystemParameters
This element contains the cryptographic system parameters that can be shared among many issuers. The AlgorithmID element determines how to parse this element.
/abc:IssuerParameters/abc:MaxNumberOfAttributes
One set of issuer parameters can be used to issue credentials adhering to multiple credential specifications. This element specifies the maximum number of attributes for such credentials. The number of attributes in a credential is fixed by the credential specification. For revocable credentials, the revocation handle does not count towards the maximum number of attributes.
/abc:IssuerParameters/abc:HashAlgorithm
This element specifies the hash algorithm that is to be used in the generation of the presentation tokens derived from credentials issued under these parameters. This hash algorithm is not to be confused with the encoding algorithm that maps attribute values to integers and may also specify a hash function to apply to long attribute values. The hash algorithm SHA-256 with identifier urn:abc4trust:1.0:hashalgorithm:sha-256 MUST be supported; other algorithms MAY be supported.
/abc:IssuerParameters/abc:CryptoParams
This element describes the set of public cryptographic parameters needed to issue, use, and verify credentials. The content of this element is defined in an external profile based on the value of the abc:AlgorithmID element.
/abc:IssuerParameters/abc:KeyBindingInfo
This optional element contains additional cryptographic information for when these Issuer Parameters are used to issue credentials with key binding. The content of this element is technology-specific.
/abc:IssuerParameters/abc:RevocationAuthorityParametersUID
This optional element contains the parameters identifier of a revocation authority that is responsible for revoking credentials issued under these issuer parameters. The parameters referred to here are determined by the issuer (i.e., issuer-driven revocation), meaning that any presentation token involving credentials issued under these issuer parameters MUST be checked against the latest revocation information associated to the revocation parameters referenced by this element.
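As an added example (not code from ABC4Trust or the FIWARE implementation), the following Python checks a CredentialSpecification together with the IssuerParameters it will be issued under against the rules stated above: the Version values, the revocation handle attribute required of Revocable credentials, the AllowedValue list required by prime encodings, the MaxNumberOfAttributes bound with the revocation handle excluded, and the algorithm and hash identifiers that MUST be supported. The sample artifacts are constructed here; the checker accepts only the identifiers it names, and its AllowedValue data-type check is a lexical approximation.

```python
import xml.etree.ElementTree as ET

ABC_NS = "http://abc4trust.eu/wp2"
NS = {"abc": ABC_NS}
XSD = "http://www.w3.org/2001/XMLSchema#"
REVOCATION_HANDLE = "http://abc4trust.eu/wp2/abcschemav1.0/revocationhandle"
# Identifiers the text says MUST be supported; this checker implements only these.
SUPPORTED_ALGORITHMS = {"urn:abc4trust:1.0:algorithm:idemix", "urn:abc4trust:1.0:algorithm:uprove"}
SUPPORTED_HASHES = {"urn:abc4trust:1.0:hashalgorithm:sha-256"}


def matches_datatype(text, datatype):
    """Minimal lexical check of an AllowedValue against the parent's @DataType."""
    if datatype == XSD + "integer":
        return text.lstrip("-").isdigit()
    if datatype == XSD + "boolean":
        return text in ("true", "false", "0", "1")
    if datatype == XSD + "date":
        return len(text) >= 10 and text[4] == "-" and text[7] == "-"
    return True  # string, anyURI and dateTime values are accepted as given here


def check_specification(spec_xml, issuer_xml):
    """Return the list of violated rules; an empty list means the pair is consistent."""
    spec, issuer = ET.fromstring(spec_xml), ET.fromstring(issuer_xml)
    problems = []
    for root, name in ((spec, "CredentialSpecification"), (issuer, "IssuerParameters")):
        if root.get("Version") != "1.0":
            problems.append(f"{name}/@Version MUST be 1.0")
    descs = spec.findall("abc:AttributeDescriptions/abc:AttributeDescription", NS)
    types = [d.get("Type") for d in descs]
    if spec.get("Revocable") == "true" and REVOCATION_HANDLE not in types:
        problems.append("Revocable=true but no revocation handle attribute is described")
    for d in descs:
        atype, datatype, enc = d.get("Type"), d.get("DataType"), d.get("Encoding", "")
        allowed = [v.text or "" for v in d.findall("abc:AllowedValue", NS)]
        if enc.endswith(":prime") and not allowed:
            problems.append(f"{atype}: prime encoding requires abc:AllowedValue elements")
        problems += [f"{atype}: AllowedValue {v!r} is not a {datatype}"
                     for v in allowed if not matches_datatype(v, datatype)]
    # The revocation handle does not count towards MaxNumberOfAttributes.
    payload = [t for t in types if t != REVOCATION_HANDLE]
    max_attrs = int(issuer.findtext("abc:MaxNumberOfAttributes", "0", NS))
    if len(payload) > max_attrs:
        problems.append(f"{len(payload)} attributes exceed MaxNumberOfAttributes={max_attrs}")
    if issuer.findtext("abc:AlgorithmID", "", NS) not in SUPPORTED_ALGORITHMS:
        problems.append("AlgorithmID is not one this checker implements")
    if issuer.findtext("abc:HashAlgorithm", "", NS) not in SUPPORTED_HASHES:
        problems.append("HashAlgorithm is not one this checker implements")
    return problems


def sample_issuer(max_attrs=3):
    """Constructed IssuerParameters (not from the specification); CryptoParams left opaque."""
    return f"""<abc:IssuerParameters xmlns:abc="{ABC_NS}" Version="1.0">
      <abc:ParametersUID>urn:example:issuer-params:1</abc:ParametersUID>
      <abc:AlgorithmID>urn:abc4trust:1.0:algorithm:idemix</abc:AlgorithmID>
      <abc:SystemParameters/>
      <abc:MaxNumberOfAttributes>{max_attrs}</abc:MaxNumberOfAttributes>
      <abc:HashAlgorithm>urn:abc4trust:1.0:hashalgorithm:sha-256</abc:HashAlgorithm>
      <abc:CryptoParams/>
    </abc:IssuerParameters>"""


def sample_spec(revocable=True, with_handle=True, roles=("student", "staff")):
    """Constructed CredentialSpecification; the keyword arguments introduce the violations tested."""
    values = "".join(f"<abc:AllowedValue>{r}</abc:AllowedValue>" for r in roles)
    handle = (f'<abc:AttributeDescription Type="{REVOCATION_HANDLE}" DataType="{XSD}integer" '
              'Encoding="urn:abc4trust:1.0:encoding:integer:unsigned"/>') if with_handle else ""
    return f"""<abc:CredentialSpecification xmlns:abc="{ABC_NS}" Version="1.0"
        KeyBinding="true" Revocable="{str(revocable).lower()}">
      <abc:SpecificationUID>urn:example:credspec:membership</abc:SpecificationUID>
      <abc:AttributeDescriptions MaxLength="256">
        <abc:AttributeDescription Type="http://example.com/firstname" DataType="{XSD}string"
            Encoding="urn:abc4trust:1.0:encoding:string:utf-8"/>
        <abc:AttributeDescription Type="http://example.com/role" DataType="{XSD}string"
            Encoding="urn:abc4trust:1.0:encoding:string:prime">{values}</abc:AttributeDescription>
        <abc:AttributeDescription Type="http://example.com/birthdate" DataType="{XSD}date"
            Encoding="urn:abc4trust:1.0:encoding:date:since1870:unsigned"/>
        {handle}
      </abc:AttributeDescriptions>
    </abc:CredentialSpecification>"""
```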
Note that inspection is NOT supported in R4.
In order to decrypt encrypted attributes, an inspector must generate a key pair consisting of a secret decryption key and a public encryption key. The inspector publishes its public key using the artifact described below. How this artifact is protected (authenticated) is application specific; e.g., it could be included in a certificate signed by a certification authority, or could be provided as part of some metadata retrievable from a trusted source.
```xml
<abc:InspectorPublicKey Version="1.0">
  <abc:PublicKeyUID>xs:anyURI</abc:PublicKeyUID>
  <abc:AlgorithmID>xs:anyURI</abc:AlgorithmID>
  <abc:FriendlyInspectorDescription lang="xs:language">xs:string</abc:FriendlyInspectorDescription>*
  <abc:CryptoParams>…</abc:CryptoParams>
</abc:InspectorPublicKey>
```
The following describes the attributes and elements listed in the schema outlined above:
/abc:InspectorPublicKey
This element contains an inspector's public key.
/abc:InspectorPublicKey/@Version
This attribute indicates the version of this specification. The value MUST be “1.0”.
/abc:InspectorPublicKey/abc:PublicKeyUID
This element contains a URI that uniquely identifies the public key.
/abc:InspectorPublicKey/abc:AlgorithmID
This element identifies the algorithm of the public key. The Camenisch-Shoup inspection algorithm with identifier urn:abc4trust:1.0:inspectionalgorithm:camenisch-shoup03 MUST be supported; other algorithms MAY be supported.
/abc:InspectorPublicKey/abc:FriendlyInspectorDescription
This optional element provides a friendly textual description for the inspector’s public key. The content of this element MUST be localized in a specific language.
/abc:InspectorPublicKey/abc:FriendlyInspectorDescription/@lang
A required language identifier, using the language codes specified in RFC 3066, in which the content of the abc:FriendlyInspectorDescription element has been localized.
/abc:InspectorPublicKey/abc:CryptoParams
This element describes the set of public cryptographic parameters needed to issue, use, and verify credentials. The content of this element is defined in an external profile based on the value of the abc:AlgorithmID element.
Note that revocation is NOT supported in R4. It is recommended to use a validUntil date attribute instead.
A Revocation Authority maintains information about valid and, in particular, revoked credentials. To do so, it first generates public parameters and possibly corresponding secret parameters. It publishes its public parameters together with a description of the particular revocation method that is used and a reference to the location where the most current revocation information will be published. Some revocation mechanisms require users to obtain an additional piece of information called non-revocation evidence in order to be able to prove that their credential is still valid. The different revocation mechanisms vary quite strongly in how the non-revocation evidence is created and maintained. Depending on the specific mechanism, the non-revocation evidence
The Revocation Authority can also include references to the locations where the users can obtain the information to create and to update their non-revocation evidence. Both the initialization of the non-revocation evidence and the update may be multi-leg cryptographic protocols.
Each Revocation Authority generates and publishes its parameters at setup. The parameters are static, i.e., they do not change over time as more credentials are revoked.
```xml
<abc:RevocationAuthorityParameters Version="1.0">
  <abc:ParametersUID>xs:anyURI</abc:ParametersUID>
  <abc:RevocationMechanism>xs:anyURI</abc:RevocationMechanism>
  <abc:RevocationInfoReference ReferenceType="xs:anyURI">…</abc:RevocationInfoReference>?
  <abc:NonRevocationEvidenceReference ReferenceType="xs:anyURI">…</abc:NonRevocationEvidenceReference>?
  <abc:NonRevocationEvidenceUpdateReference ReferenceType="xs:anyURI">…</abc:NonRevocationEvidenceUpdateReference>?
  <abc:CryptoParams>…</abc:CryptoParams>?
</abc:RevocationAuthorityParameters>
```
/abc:RevocationAuthorityParameters
This element contains the public parameters of the Revocation Authority.
/abc:RevocationAuthorityParameters/@Version
This attribute indicates the version of this specification. The value MUST be “1.0”.
/abc:RevocationAuthorityParameters/abc:ParametersUID
This element contains a unique identifier for these Revocation Authority parameters.
/abc:RevocationAuthorityParameters/abc:RevocationMechanism
This element indicates the mechanism or algorithm used to revoke credentials. The list of supported revocation mechanisms and their identifiers has not yet been defined.
/abc:RevocationAuthorityParameters/abc:RevocationInfoReference
This optional element contains a reference to the endpoint where the most current public revocation information corresponding to these parameters can be obtained.
/abc:RevocationAuthorityParameters/abc:NonRevocationEvidenceReference
This optional element contains a reference to the endpoint with the information about how to obtain the (possibly private) user-specific non-revocation evidence object.
/abc:RevocationAuthorityParameters/abc:NonRevocationEvidenceUpdateReference
This optional element contains a reference to the endpoint where the most current information for updating the non-revocation evidence can be obtained.
/abc:RevocationAuthorityParameters/abc:RevocationInfoReference/@ReferenceType
This attribute indicates the type of reference to the revocation information endpoint.
/abc:RevocationAuthorityParameters/abc:CryptoParams
This element describes the set of public cryptographic parameters that are needed to verify the Revocation Information. The content of this element is defined in an external profile based on the value of the abc:RevocationMechanism element.
A Revocation Authority regularly publishes the most recent revocation information, allowing Users to prove and Verifiers to ensure that the credentials used to generate a presentation token have not been revoked. Contrary to the Revocation Authority parameters, the revocation information changes over time, e.g., at regular time intervals, or whenever a new credential is revoked.
The Revocation Authority publishes the revocation information using the artifact described below. How this artifact is protected (authenticated) is application specific; e.g., it could be included in a XML-signed document or provided as part of some metadata retrievable from a trusted source.
<abc:RevocationInformation Version="1.0">
<abc:InformationUID>xs:anyURI</abc:InformationUID>
<abc:RevocationAuthorityParametersUID>xs:anyURI</abc:RevocationAuthorityParametersUID>
<abc:Created>xs:dateTime</abc:Created>?
<abc:Expires>xs:dateTime</abc:Expires>?
<abc:CryptoParams>…</abc:CryptoParams>
</abc:RevocationInformation>
The following describes the attributes and elements listed in the schema outlined above:
/abc:RevocationInformation
This element contains the current revocation information, as published by the Revocation Authority. At each update of the revocation information, a new abc:RevocationInformation element is generated.
/abc:RevocationInformation/@Version
This attribute indicates the version of this specification. The value MUST be “1.0”.
/abc:RevocationInformation/abc:InformationUID
This element contains the unique identifier of the revocation information. This identifier is different for each version of the revocation information, i.e., a new URI is used at every update.
/abc:RevocationInformation/abc:RevocationAuthorityParametersUID
This element contains the identifier of the parameters of the revocation authority that published the revocation information.
/abc:RevocationInformation/abc:Created
This optional element contains the date and time when the revocation information was updated or first published.
/abc:RevocationInformation/abc:Expires
This optional element contains the date and time until when the revocation information is valid.
/abc:RevocationInformation/abc:CryptoParams
This element describes the set of public cryptographic parameters needed to verify whether a credential is still valid. The content of this element is defined in an external profile based on the value of the abc:RevocationMechanism element of the referenced abc:RevocationAuthorityParameters element.
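As an added example (not part of the specification or of the ABC4Trust reference implementation), the checks a Verifier can apply before accepting a published abc:RevocationInformation artifact as the current one: it must belong to the expected Revocation Authority parameters, lie within its Created/Expires window, and not be older than information already seen. The namespace URI, identifiers and timestamps are constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ABC = "http://abc4trust.eu/wp2/abcschemav1.0"  # namespace URI assumed for the example
NS = {"abc": ABC}

# Constructed sample artifacts (no real deployment data).
RA_PARAMS_XML = f"""<abc:RevocationAuthorityParameters xmlns:abc="{ABC}" Version="1.0">
  <abc:ParametersUID>urn:ex:ra:params:1</abc:ParametersUID>
  <abc:RevocationMechanism>urn:ex:revocation:accumulator</abc:RevocationMechanism>
  <abc:RevocationInfoReference ReferenceType="urn:ex:reftype:url">https://ra.example/revinfo</abc:RevocationInfoReference>
  <abc:CryptoParams>opaque-mechanism-specific-data</abc:CryptoParams>
</abc:RevocationAuthorityParameters>"""
REV_INFO_XML = f"""<abc:RevocationInformation xmlns:abc="{ABC}" Version="1.0">
  <abc:InformationUID>urn:ex:ra:params:1:info:20140115</abc:InformationUID>
  <abc:RevocationAuthorityParametersUID>urn:ex:ra:params:1</abc:RevocationAuthorityParametersUID>
  <abc:Created>2014-01-15T10:00:00Z</abc:Created>
  <abc:Expires>2014-01-16T10:00:00Z</abc:Expires>
  <abc:CryptoParams>opaque-mechanism-specific-data</abc:CryptoParams>
</abc:RevocationInformation>"""
SAMPLE_NOW = datetime(2014, 1, 15, 12, 0, tzinfo=timezone.utc)    # inside the validity window
SAMPLE_LATER = datetime(2014, 1, 17, 12, 0, tzinfo=timezone.utc)  # after Expires


def parse_xs_datetime(value):
    """Parse an xs:dateTime; a trailing 'Z' is rewritten so fromisoformat accepts it."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def child_text(elem, name):
    """Stripped text of the abc:<name> child, or None when absent or empty."""
    child = elem.find(f"abc:{name}", NS)
    return None if child is None or child.text is None else child.text.strip()


def check_revocation_information(rev_info_xml, ra_params_xml, now, last_created=None):
    """Return the reasons a Verifier should reject this revocation information as the
    current one for the given RA parameters; an empty list means accept.
    last_created is the Created time of the newest information already seen, so a
    stale publication cannot roll the Verifier back to an older revocation state."""
    info = ET.fromstring(rev_info_xml)
    params = ET.fromstring(ra_params_xml)
    if info.tag != f"{{{ABC}}}RevocationInformation":
        return ["not an abc:RevocationInformation element"]
    problems = []
    if info.get("Version") != "1.0":
        problems.append("Version MUST be 1.0")
    if not child_text(info, "InformationUID"):
        problems.append("missing abc:InformationUID")
    # The information must belong to the RA parameters the issuer parameters point to.
    if child_text(info, "RevocationAuthorityParametersUID") != child_text(params, "ParametersUID"):
        problems.append("RevocationAuthorityParametersUID does not match the RA parameters")
    if info.find("abc:CryptoParams", NS) is None:
        problems.append("missing abc:CryptoParams (required)")
    created, expires = child_text(info, "Created"), child_text(info, "Expires")
    if created is not None:
        created_dt = parse_xs_datetime(created)
        if created_dt > now:
            problems.append("Created lies in the future")
        if last_created is not None and created_dt < last_created:
            problems.append("older than revocation information already seen (rollback)")
    if expires is not None and parse_xs_datetime(expires) <= now:
        problems.append("revocation information has expired")
    return problems


if __name__ == "__main__":
    print(check_revocation_information(REV_INFO_XML, RA_PARAMS_XML, SAMPLE_NOW) or "accepted")
```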
The exact details of how and when the non-revocation evidence is created and updated vary greatly among the different revocation mechanisms. We therefore simply define an artifact that acts as a wrapper for a message in a (possibly multi-legged) evidence creation or update protocol. These messages are sent to and received as a response from the evidence creation and update endpoints specified in the Revocation Authority parameters.
<abc:RevocationMessage Context="…">
<abc:RevocationAuthorityParametersUID>xs:anyURI</abc:RevocationAuthorityParametersUID>
<abc:CryptoParams>…</abc:CryptoParams>
</abc:RevocationMessage>
The following describes the attributes and elements listed in the schema outlined above:
/abc:RevocationMessage/@Context
This attribute contains a unique identifier for this protocol session, so that the different flows in the protocol session can be linked together. The request MUST contain a Context attribute. The revocation authority MUST reject requests with context values already in use.
/abc:RevocationMessage/abc:RevocationAuthorityParametersUID
This element contains the identifier of the parameters of the revocation authority that creates the non-revocation evidence information.
/abc:RevocationMessage/abc:CryptoParams
This element describes the mechanism-specific (cryptographic) parameters needed to obtain the non-revocation evidence information for building or updating the evidence.
The user agent can create presentation tokens using one or more credentials in its possession. The verifier can optionally insist that all credentials used to generate the token are bound to the same user (i.e., to the same user secret) or device. In a typical ABC presentation interaction, the user first requests access to a protected resource, upon which the verifier sends a presentation policy that describes which credentials the user should present to obtain access. The user agent then checks whether it has the necessary credentials to satisfy the verifier’s presentation policy, and if so, generates a presentation token containing the appropriate cryptographic evidence. Upon receiving the presentation token, the verifier checks that the cryptographic evidence is valid for the presented credentials and checks that the token satisfies the presentation policy. If both tests succeed, it grants access to the resource.
The verifier’s policy describes the class of presentation tokens that it will accept. It is expressed by means of an abc:PresentationPolicyAlternatives element, with the following schema:
<abc:PresentationPolicyAlternatives Version="1.0">
<abc:PresentationPolicy PolicyUID="xs:anyURI"?>
<abc:Message>
<abc:Nonce>…</abc:Nonce>?
<abc:FriendlyPolicyName lang="xs:language">
xs:string
</abc:FriendlyPolicyName>*
<abc:FriendlyPolicyDescription lang="xs:language">
xs:string
</abc:FriendlyPolicyDescription>*
<abc:VerifierIdentity>xs:any</abc:VerifierIdentity>?
<abc:ApplicationData>…</abc:ApplicationData>?
</abc:Message>?
<abc:Pseudonym Exclusive="xs:boolean"? Scope="xs:string" Established="xs:boolean"? Alias="xs:anyURI"? SameKeyBindingAs="xs:anyURI"?>
<abc:PseudonymValue>…</abc:PseudonymValue>?
</abc:Pseudonym>*
<abc:Credential Alias="xs:anyURI"? SameKeyBindingAs="xs:anyURI"?>
<abc:CredentialSpecAlternatives>
<abc:CredentialSpecUID>…</abc:CredentialSpecUID>+
</abc:CredentialSpecAlternatives>
<abc:IssuerAlternatives>
<abc:IssuerParametersUID
RevocationInformationUID="xs:anyURI"?>
…
</abc:IssuerParametersUID>+
</abc:IssuerAlternatives>
<abc:DisclosedAttribute AttributeType="xs:anyURI"
DataHandlingPolicy="xs:anyURI"?>
( <abc:InspectorAlternatives>
<abc:InspectorPublicKeyUID>…</abc:InspectorPublicKeyUID>+
</abc:InspectorAlternatives>
<abc:InspectionGrounds>…</abc:InspectionGrounds>
)?
</abc:DisclosedAttribute>*
</abc:Credential>*
<abc:VerifierDrivenRevocation>
<abc:RevocationParametersUID>…</abc:RevocationParametersUID>
<abc:Attribute CredentialAlias="xs:anyURI"
AttributeType="xs:anyURI"/>+
</abc:VerifierDrivenRevocation>*
<abc:AttributePredicate Function="xs:anyURI">
( <abc:Attribute CredentialAlias="xs:anyURI"
AttributeType="xs:anyURI" DataHandlingPolicy="xs:anyURI"?/>
|
<abc:ConstantValue>…</abc:ConstantValue>
)+
</abc:AttributePredicate>*
</abc:PresentationPolicy>+
</abc:PresentationPolicyAlternatives>
The following describes the attributes and elements listed in the schema outlined above:
/abc:PresentationPolicyAlternatives
This element contains a presentation policy, which may contain multiple policy alternatives as child elements. The presented token must satisfy at least one of the specified policies.
/abc:PresentationPolicyAlternatives/@Version
This attribute indicates the version of this specification; it MUST be “1.0”.
/abc:PresentationPolicyAlternatives/abc:PresentationPolicy
This element contains one policy alternative.
…/abc:PresentationPolicy/@PolicyUID
This attribute assigns a unique identifier to this presentation policy that can be referenced from presentation tokens that satisfy the policy.
/abc:PresentationPolicyAlternatives/abc:PresentationPolicy/abc:Message
This optional element specifies a message to be authenticated (signed) by the private key of each credential in the token.
…/abc:PresentationPolicy/abc:Message/abc:Nonce
This optional element contains a random nonce.
…/abc:PresentationPolicy/abc:Message/abc:FriendlyPolicyName
This optional element provides a friendly textual name for the policy. The content of this element MUST be localized in a specific language.
…/abc:PresentationPolicy/abc:Message/abc:FriendlyPolicyName/@lang
A required language identifier, using the language codes specified in RFC 3066, in which the content of the abc:FriendlyPolicyName element has been localized.
…/abc:PresentationPolicy/abc:Message/abc:FriendlyPolicyDescription
This optional element provides a friendly textual description for the policy. The content of this element MUST be localized in a specific language.
…/abc:PresentationPolicy/abc:Message/abc:FriendlyPolicyDescription/@lang
A required language identifier, using the language codes specified in RFC 3066, in which the content of the abc:FriendlyPolicyDescription element has been localized.
…/abc:PresentationPolicy/abc:Message/abc:VerifierIdentity
This optional element contains the identity of the verifier (e.g., his URL, public key, or SSL certificate hash) for whom the presentation token must be constructed. The presentation token will authenticate the verifier identity, offering some protection against man-in-the-middle attacks if the user’s application software can parse and verify the verifier’s identity.
…/abc:PresentationPolicy/abc:Message/abc:ApplicationData
This optional element can contain any application-specific data. The contained data MAY be human readable, depending on the application, and displayed to the user.
/abc:PresentationPolicyAlternatives/abc:PresentationPolicy/abc:Pseudonym
When present, this optional element indicates that a pseudonym must be presented with the presentation token. If this policy does not involve any credentials to be presented, then a verifiable pseudonym must be presented. Otherwise, a certified pseudonym associated to the presented credentials must be presented. See Section 2.4 for more information on pseudonyms.
…/abc:PresentationPolicy/abc:Pseudonym/@Scope
This attribute indicates a string to which the pseudonym is associated. The user agent is assumed to maintain state information to keep track of which pseudonym it previously used for which scope. There can be multiple verifiable or certified pseudonyms associated to the same scope string, but a scope-exclusive pseudonym is guaranteed to be unique with respect to the scope string and the user secret. In the former case, the scope string is merely a hint to the user agent which of its stored pseudonyms can be reused in the presentation token, or to which scope string it should associate a newly created pseudonym. In the latter case, the scope string uniquely determines the pseudonym that needs to be used. The scope string MAY encode an identifier of the verifier and/or of the requested resource. See Section 2.4 for more information on the use of pseudonyms.
…/abc:PresentationPolicy/abc:Pseudonym/@Exclusive
When present and set to true, this attribute indicates that a scope-exclusive pseudonym is to be presented with the token. The value of the @Scope attribute determines the scope with respect to which the pseudonym must be generated. See Section 2.4 for more information on scope-exclusive pseudonyms.
…/abc:PresentationPolicy/abc:Pseudonym/@Established
When set to true, this attribute indicates that the User must re-authenticate under a pseudonym that was previously established with the Verifier. When set to false or when not present, this attribute indicates that the User may establish a new pseudonym in the presentation token.
…/abc:PresentationPolicy/abc:Pseudonym/@Alias
This optional attribute defines an alias for this pseudonym so that it can be referred to from other pseudonyms or credentials to enforce same key binding, or, if this presentation token is part of an issuance token, to support carrying over key binding to the newly issued credential. See the /abc:IssuancePolicy/abc:CredentialTemplate/abc:UnknownAttributes/abc:KeyBinding/abc:PseudonymInfo/@Alias attribute.
…/abc:PresentationPolicy/abc:Pseudonym/@SameKeyBindingAs
If present, this XML attribute contains an alias referring either to another Pseudonym element within this policy, or to a Credential element for a credential with key binding. This indicates that the current pseudonym and the referred pseudonym or credential have to be bound to the same key. Requiring credentials to be bound to the same key makes it harder for users to share credentials.
The pseudonym or credential that is referred to does not have to refer back to this pseudonym. If the referred to pseudonym or credential also has a SameKeyBindingAs attribute that refers to a third pseudonym or credential, then all three pseudonyms/credentials must be bound to the same key. In other words, SameKeyBindingAs induces a transitive relationship.
…/abc:PresentationPolicy/abc:Pseudonym/abc:PseudonymValue
When present, this optional element indicates that a pseudonym with the given value must be presented, the value being encoded as content of type xs:base64Binary. Note that this feature only makes sense if the verifier has reason to believe that the user to whom the policy is sent knows the user secret (and, if applicable, pseudonym metadata) underlying the given pseudonym, for example, because he established the pseudonym in a previous presentation token.
…/abc:PresentationPolicy/abc:Credential
This optional element specifies a credential that has to be used in the generation of the token. Omitting this element may be useful, for example, when the user can obtain access by merely presenting an existing verifiable pseudonym.
…/abc:PresentationPolicy/abc:Credential/@Alias
This optional attribute creates an alias for this credential so that attributes from this credential can be referred to in attribute predicates. See the …/abc:PresentationPolicy/abc:AttributePredicate element.
…/abc:PresentationPolicy/abc:Credential/@SameKeyBindingAs
If present, this XML attribute contains an alias referring either to a Pseudonym element within this policy, or to another Credential element for a credential with key binding. This indicates that the current credential and the referred pseudonym or credential have to be bound to the same key. Requiring credentials to be bound to the same key makes it harder for users to share credentials.
The pseudonym or credential that is referred to does not have to refer back to this credential. If the referred to pseudonym or credential also has a SameKeyBindingAs attribute that refers to a third pseudonym or credential, then all three pseudonyms/credentials must be bound to the same key. In other words, SameKeyBindingAs induces a transitive relationship.
…/abc:PresentationPolicy/abc:Credential/abc:CredentialSpecAlternatives
This element contains a list of credential specifications. The issued credential used to instantiate this credential in the presentation token must adhere to one of the listed credential specifications.
…/abc:Credential/abc:CredentialSpecAlternatives/abc:CredentialSpecUID
This element contains one credential specification identifier that can be used to instantiate this credential in the presentation token.
…/abc:Credential/abc:IssuerAlternatives
This element contains a list of issuer parameters identifiers. The issued credential used to instantiate this credential in the presentation token must be issued under one of the listed issuer parameters.
…/abc:Credential/abc:IssuerAlternatives/abc:IssuerParametersUID
This element contains one issuer parameters identifier that is accepted for this credential in the presentation token. This specification defines two dedicated values for the issuer parameters:
…/abc:IssuerAlternatives/abc:IssuerParametersUID/@RevocationInformationUID
If the issuer parameters referred to in this element specify an Issuer-driven Revocation Authority, i.e., if the referred abc:IssuerParameters element contains an abc:RevocationParametersUID child element, then this optional XML attribute can indicate for which version of the revocation information the presented token must be valid. By specifying the current revocation information identifier in the presentation policy, the User does not have to get in touch with the Revocation Authority to check whether her non-revocation evidence information is still up to date, thereby avoiding a possible source of linkability.
…/abc:PresentationPolicy/abc:Credential/abc:DisclosedAttribute
This element specifies an attribute of this credential that has to be revealed in the presentation token, either to the verifier itself, or to an external inspector.
Even though there are no syntactical restrictions imposing this, presentation policies SHOULD NOT request to reveal the value of the revocation handle (with attribute type http://abc4trust.eu/wp2/abcschemav1.0/revocationhandle), as doing so enables Verifiers to link presentation tokens generated with the same credential. If necessary, inspection can be used to reveal the value of the revocation handle only under specific circumstances.
…/abc:PresentationPolicy/abc:Credential/abc:DisclosedAttribute/@AttributeType
This attribute specifies the type of the credential attribute of which the value must be revealed in the presentation token. If multiple credential specifications are allowed for this credential (i.e., if multiple abc:CredentialSpecUID elements are listed in the abc:CredentialSpecAlternatives child element of the ancestor abc:Credential element), then the specified attribute type MUST occur in all listed credential specifications.
For each credential and each attribute type, there MUST be at most one abc:DisclosedAttribute element without abc:InspectorAlternatives child element. Likewise, for each credential and each attribute type, there MUST be at most one abc:DisclosedAttribute element with the same abc:InspectionGrounds child element.
…/abc:Credential/abc:DisclosedAttribute/@DataHandlingPolicy
This XML attribute can be used to refer to an external data handling policy describing how the Verifier will treat the revealed attribute value once it is received. The data handling policy may be human-readable and/or machine-readable. The specification of a data handling policy schema is outside of the scope of this document.
…/abc:Credential/abc:DisclosedAttribute/abc:InspectorAlternatives
This optional element lists a number of inspector public key identifiers. When present, this element indicates that the value of this attribute does not have to be revealed to the verifier, but must be encrypted under one of the listed inspector public keys. See Section 2.6 for more details on revealing attributes to an inspector.
…/abc:DisclosedAttribute/abc:InspectorAlternatives/abc:InspectorPublicKeyUID
This element contains one identifier of an inspector public key under which the attribute value can be encrypted.
…/abc:Credential/abc:DisclosedAttribute/abc:InspectionGrounds
This optional element contains a string describing the valid grounds or circumstances under which the inspector can be asked to decrypt the attribute value. This element must be present whenever a sibling abc:InspectorAlternatives element is present. See Section 2.6 for more details on revealing attributes to an inspector.
…/abc:PresentationPolicy/abc:VerifierDrivenRevocation
This optional element specifies all parameters for checking if a (set of) attribute value(s) from the specified credentials was not revoked using verifier-driven revocation.
Verifier-driven revocation can be based on combinations of attributes from a set of different credentials, in which case there will be multiple abc:Attribute elements per abc:VerifierDrivenRevocation element. The User then has to prove that a disjunctive combination of these attribute values was not revoked with respect to the specified abc:RevocationParametersUID.
…/abc:PresentationPolicy/abc:VerifierDrivenRevocation/abc:RevocationParametersUID
This element contains the UID of the revocation authority parameters. The User needs to provide a proof that the following (set of) attribute value(s) was not revoked according to the specified set of parameters.
…/abc:PresentationPolicy/abc:VerifierDrivenRevocation/abc:Attribute
This element specifies a credential attribute that is used for verifier-driven revocation.
…/abc:PresentationPolicy/abc:VerifierDrivenRevocation/abc:Attribute/@CredentialAlias
This attribute specifies the alias of the credential from which the attribute is used. The specified value MUST also occur as an Alias attribute in an abc:Credential element within this abc:PresentationPolicy.
…/abc:PresentationPolicy/abc:VerifierDrivenRevocation/abc:Attribute/@AttributeType
This attribute refers to the attribute within the credential that is to be used for verifier-driven revocation.
…/abc:PresentationPolicy/abc:AttributePredicate
This element specifies a predicate that must hold over the attribute values. To satisfy the policy, the presentation token must for each of the listed predicates either prove (in a data-minimizing way) that the credential attributes satisfy the specified predicate, or must reveal the value of the involved attribute(s) so that the verifier can check whether the predicate is satisfied. The child elements are the ordered list of arguments of the predicate.
…/abc:PresentationPolicy/abc:AttributePredicate/@Function
This attribute specifies the boolean function for this predicate. See Section 4.4.34 for a list of supported functions and their implications on the list of arguments in the child elements. Note that not all predicate functions can be used for all attributes: the allowed predicate functions depend on the data type and on the chosen encoding of the credential attributes. See Section 4.2.1 for a list of which predicates can be used in combination with which data types and encodings.
…/abc:AttributePredicate/abc:Attribute
This element specifies a reference to a credential attribute that is to be used as an argument of the predicate.
…/abc:AttributePredicate/abc:Attribute/@CredentialAlias
This attribute specifies the alias of the credential from which the attribute must be used. The specified alias MUST also occur as an Alias attribute in an abc:Credential element within the ancestor abc:PresentationPolicy element.
…/abc:AttributePredicate/abc:Attribute/@AttributeType
This attribute refers to the attribute within the credential that is to be used as an argument in the predicate.
…/abc:AttributePredicate/abc:Attribute/@DataHandlingPolicy
This XML attribute can be used to refer to an external data handling policy describing how the Verifier will treat the information that the attribute value satisfies the specified predicate. The data handling policy may be human-readable and/or machine-readable. The specification of a data handling policy schema is outside of the scope of this document.
…/abc:AttributePredicate/abc:ConstantValue
This element contains a constant value that is to be used as an argument in the predicate. The data type of the argument depends on the function of the predicate. We refer to Section 4.5.3 for a list of supported functions and the data types of their arguments.
The presentation of one or multiple credentials results in a presentation token that is sent to the verifier. The syntax for the element is:
<abc:PresentationToken Version="1.0">
<abc:PresentationTokenDescription PolicyUID="xs:anyURI"
TokenUID="xs:anyURI"?>
<abc:Message>
<abc:Nonce>…</abc:Nonce>?
<abc:FriendlyPolicyName lang="xs:language">
xs:string
</abc:FriendlyPolicyName>*
<abc:FriendlyPolicyDescription lang="xs:language">
xs:string
</abc:FriendlyPolicyDescription>*
<abc:VerifierIdentity>xs:any</abc:VerifierIdentity>?
<abc:ApplicationData>…</abc:ApplicationData>?
</abc:Message>?
<abc:Pseudonym Scope="xs:string"? Exclusive="xs:boolean"?
Alias="xs:anyURI"? SameKeyBindingAs="xs:anyURI"?>
<abc:PseudonymValue>…</abc:PseudonymValue>
</abc:Pseudonym>*
<abc:Credential Alias="xs:anyURI"? SameKeyBindingAs="xs:anyURI"?>
<abc:CredentialSpecUID>…</abc:CredentialSpecUID>
<abc:IssuerParametersUID>…</abc:IssuerParametersUID>
<abc:RevocationInformationUID>
…
</abc:RevocationInformationUID>?
<abc:DisclosedAttribute AttributeType="xs:anyURI"
DataHandlingPolicy="xs:anyURI"?>
( <abc:InspectorPublicKeyUID>…</abc:InspectorPublicKeyUID>
<abc:InspectionGrounds>…</abc:InspectionGrounds>
)?
<abc:AttributeValue>…</abc:AttributeValue>
</abc:DisclosedAttribute>*
</abc:Credential>*
<abc:VerifierDrivenRevocation>
<abc:RevocationInformationUID>…</abc:RevocationInformationUID>
<abc:Attribute AttributeType="xs:anyURI" CredentialAlias="xs:anyURI"/>+
</abc:VerifierDrivenRevocation>*
<abc:AttributePredicate Function="xs:anyURI">
( <abc:Attribute CredentialAlias="xs:anyURI"
AttributeType="xs:anyURI"
DataHandlingPolicy="xs:anyURI"?/>
|
<abc:ConstantValue>…</abc:ConstantValue>
)+
</abc:AttributePredicate>*
</abc:PresentationTokenDescription>
<abc:CryptoEvidence>…</abc:CryptoEvidence>
</abc:PresentationToken>
The following describes the attributes and elements listed in the schema outlined above:
/abc:PresentationToken
This element contains a presentation token.
/abc:PresentationToken/@Version
This attribute indicates the token version number; it MUST be “1.0”.
/abc:PresentationToken/abc:PresentationTokenDescription
This element contains a technology-agnostic description of the revealed information.
…/abc:PresentationTokenDescription/@PolicyUID
This attribute refers to the UID of the presentation policy that this token satisfies.
…/abc:PresentationTokenDescription/@TokenUID
This optional attribute assigns a unique identifier to this presentation token.
…/abc:PresentationTokenDescription/abc:Message
This optional element specifies a message that is authenticated (signed) by the private key of each credential in the token.
…/abc:PresentationTokenDescription/abc:Message/abc:Nonce
This optional element contains a random nonce that is to be signed by a presentation token satisfying this policy. The nonce is generated by the Issuer and prevents replay attacks.
…/abc:PresentationTokenDescription/abc:Message/abc:FriendlyPolicyName
This optional element provides a friendly textual name for the policy. The content of this element MUST be localized in a specific language.
…/abc:PresentationTokenDescription/abc:Message/abc:FriendlyPolicyName/@lang
A required language identifier, using the language codes specified in RFC 3066, in which the content of abc:FriendlyPolicyName element have been localized.
…/abc:PresentationTokenDescription/abc:Message/abc:VerifierIdentity
This optional element contains the identity of the verifier (e.g., his URL, public key, or SSL certificate hash) for whom this presentation token is intended. The presentation token authenticates the verifier identity, meaning that it cannot be changed after the token was created. This can offer protection against man-in-the-middle attacks if the user’s application software has a way to parse and verify the verifier’s identity.
The format and verification of the verifier identity must be performed by the application logic. The ABCE does not perform any such checks.
…/abc:PresentationTokenDescription/abc:Message/abc:FriendlyPolicyDescription
This optional element provides a friendly textual description for the policy. The content of this element MUST be localized in a specific language.
…/abc:Message/abc:FriendlyPolicyDescription/@lang
A required language identifier, using the language codes specified in RFC 3066, in which the content of the abc:FriendlyPolicyDescription element has been localized.
…/abc:PresentationTokenDescription/abc:Message/abc:ApplicationData
This optional element can contain data of type string.
…/abc:PresentationTokenDescription/abc:Pseudonym
When present, this element indicates that a pseudonym is presented with the presentation token. If this policy does not involve any credentials, then this is a verifiable pseudonym, otherwise it is a certified pseudonym associated to the presented credentials. See Section 2.4 for more information on pseudonyms.
…/abc:PresentationTokenDescription/abc:Pseudonym/@Scope
This optional attribute indicates that the presented pseudonym is for a specific scope (e.g., a resource identifier). See Section 2.4 for more information on the use of pseudonyms. The user agent is assumed to maintain state information to keep track of which pseudonym it previously used for which scope.
…/abc:PresentationTokenDescription/abc:Pseudonym/@Exclusive
When present, this attribute indicates that a scope-exclusive pseudonym is presented with the token. The value of the @Scope attribute determines the scope with respect to which the pseudonym was generated. See Section 2.4 for more information on scope-exclusive pseudonyms.
…/abc:PresentationTokenDescription/abc:Pseudonym/@Alias
This optional attribute defines an alias for this pseudonym so that it can be referred to from other pseudonyms or credentials to enforce same key binding, or, if this presentation token is part of an issuance token, to support carrying over key binding to the newly issued credential. See the /abc:IssuancePolicy/abc:CredentialTemplate/abc:UnknownAttributes/abc:KeyBinding/abc:PseudonymInfo/@Alias attribute.
…/abc:PresentationTokenDescription/abc:Pseudonym/@SameKeyBindingAs
If present, this XML attribute contains an alias referring either to another Pseudonym element within this presentation token, or to a Credential element for a credential with key binding. This indicates that the current pseudonym and the referred pseudonym or credential are bound to the same key.
The pseudonym or credential that is referred to does not have to refer back to this pseudonym. If the referred to pseudonym or credential also has a SameKeyBindingAs attribute that refers to a third pseudonym or credential, then all three pseudonyms/credentials are bound to the same key. In other words, SameKeyBindingAs induces a transitive relationship.
…/abc:PresentationTokenDescription/abc:Pseudonym/abc:PseudonymValue
This element contains the value of the pseudonym encoded as content of type xs:base64Binary.
…/abc:PresentationTokenDescription/abc:Credential
This optional element specifies a credential that is presented in this token. If the token contains no abc:Credential element but does contain an abc:Pseudonym, then this presentation token merely proves knowledge of the user secret underlying the pseudonym.
…/abc:PresentationTokenDescription/abc:Credential/@Alias
This optional attribute defines an alias for this credential so that attributes from this credential can be referred to in attribute predicates. See the …/abc:PresentationTokenDescription/abc:AttributePredicate element.
…/abc:PresentationTokenDescription/abc:Credential/@SameKeyBindingAs
If present, this XML attribute contains an alias referring either to a Pseudonym element within this presentation token, or to another Credential element for a credential with key binding. This indicates that the current credential and the referred pseudonym or credential are bound to the same key.
The pseudonym or credential that is referred to does not have to refer back to this credential. If the referred to pseudonym or credential also has a SameKeyBindingAs attribute that refers to a third pseudonym or credential, then all three pseudonyms/credentials are bound to the same key. In other words, SameKeyBindingAs induces a transitive relationship.
…/abc:Credential/abc:CredentialSpecUID
This element contains the credential specification identifier of the presented credential.
…/abc:PresentationTokenDescription/abc:Credential/abc:IssuerParametersUID
This element contains the issuer public key identifier of the presented credential.
…/abc:PresentationTokenDescription/abc:Credential/abc:RevocationInformationUID
This optional element contains an identifier of the revocation information with respect to which the presented credential is proved to be non-revoked. The revocation information referenced here corresponds to the issuer-driven revocation parameters referenced from the issuer parameters; see the /abc:PresentationToken/abc:PresentationTokenDescription/abc:Credential/abc:VerifierDrivenRevocation element for verifier-driven revocation.
When verifying the token, the verifier has to independently obtain the current revocation information using the mechanism specified by the revocation authority parameters referenced in the IssuerParameters. It is up to the verifier to check that the revocation information UID referenced in this element is indeed the most recent one.
…/abc:PresentationTokenDescription/abc:Credential/abc:Attributes
This element lists the attributes from this credential that are revealed by this presentation token, either in the clear to the verifier itself, or encrypted to an external inspector.
…/abc:PresentationTokenDescription/abc:Credential/abc:DisclosedAttribute
This element specifies one attribute of this credential that is revealed in the presentation token.
…/abc:Credential/abc:DisclosedAttribute/@AttributeType
This attribute specifies the type of the credential attribute of which the value is revealed.
There MUST be at most one abc:DisclosedAttribute element without abc:InspectorPublicKeyUID child element per credential and per attribute type. Also, for abc:DisclosedAttribute elements with an abc:InspectorPublicKeyUID child element, there MUST be at most one abc:DisclosedAttribute element per credential and per attribute type with the same abc:InspectionGrounds child element.
…/abc:Credential/abc:DisclosedAttribute/@DataHandlingPolicy
This optional XML attribute can be used to refer to an external data handling policy that the Verifier has to adhere to concerning the revealed attribute value. The data handling policy may be human-readable and/or machine-readable. The specification of a data handling policy schema is outside of the scope of this document.
…/abc:Credential/abc:DisclosedAttribute/abc:InspectorPublicKeyUID
This optional element contains the identifier of the inspector public key under which the attribute value is encrypted.
…/abc:Credential/abc:DisclosedAttribute/abc:InspectionGrounds
This optional element contains a string describing the valid grounds or circumstances under which the inspector can be asked to decrypt the attribute value. This element must be present whenever a sibling abc:InspectorPublicKeyUID element is present. See Section 2.6 for more details on revealing attributes to an inspector.
…/abc:Credential/abc:DisclosedAttribute/abc:AttributeValue
This element specifies the value of the revealed attribute. When encrypted to an inspector, this element MAY contain data of type xs:base64Binary representing the ciphertext for the encrypted attribute. However, there is no guarantee that this data by itself is decryptable by the inspector. When requesting decryption of an attribute, the complete presentation token must always be sent to the inspector.
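Two of the rules above are purely structural and can be checked before any cryptographic verification: the transitive key binding induced by SameKeyBindingAs on pseudonyms and credentials, and the uniqueness rule for abc:DisclosedAttribute. The following is an added example (not code from the ABC4Trust project) that applies both to a constructed token; the abc namespace URI is assumed, since this page does not state it.

```python
"""Structural checks on an abc:PresentationTokenDescription (added example, not project code)."""
import xml.etree.ElementTree as ET

# Namespace URI assumed for this example; the page itself does not state it.
ABC_NS = "http://abc4trust.eu/wp2/abcschemav1.0"
NS = {"abc": ABC_NS}

# Constructed sample token: a pseudonym and two credentials chained through
# SameKeyBindingAs, one attribute disclosed twice in the clear (a violation)
# and one attribute encrypted to an inspector together with its inspection grounds.
SAMPLE_TOKEN = f"""<abc:PresentationToken xmlns:abc="{ABC_NS}" Version="1.0">
  <abc:PresentationTokenDescription>
    <abc:Pseudonym Alias="#nym">
      <abc:PseudonymValue>AAAA</abc:PseudonymValue>
    </abc:Pseudonym>
    <abc:Credential Alias="#id" SameKeyBindingAs="#nym">
      <abc:CredentialSpecUID>urn:example:spec:id</abc:CredentialSpecUID>
      <abc:IssuerParametersUID>urn:example:issuer:id</abc:IssuerParametersUID>
      <abc:DisclosedAttribute AttributeType="urn:example:attr:name">
        <abc:AttributeValue>Alice</abc:AttributeValue>
      </abc:DisclosedAttribute>
      <abc:DisclosedAttribute AttributeType="urn:example:attr:name">
        <abc:AttributeValue>Alice</abc:AttributeValue>
      </abc:DisclosedAttribute>
    </abc:Credential>
    <abc:Credential Alias="#card" SameKeyBindingAs="#id">
      <abc:CredentialSpecUID>urn:example:spec:card</abc:CredentialSpecUID>
      <abc:IssuerParametersUID>urn:example:issuer:card</abc:IssuerParametersUID>
      <abc:DisclosedAttribute AttributeType="urn:example:attr:dob">
        <abc:InspectorPublicKeyUID>urn:example:inspector</abc:InspectorPublicKeyUID>
        <abc:InspectionGrounds>fraud investigation</abc:InspectionGrounds>
        <abc:AttributeValue>AAAA</abc:AttributeValue>
      </abc:DisclosedAttribute>
    </abc:Credential>
  </abc:PresentationTokenDescription>
  <abc:CryptoEvidence/>
</abc:PresentationToken>"""


def _description(token_xml):
    return ET.fromstring(token_xml).find("abc:PresentationTokenDescription", NS)


def key_binding_classes(token_xml):
    """Return the groups of pseudonym/credential aliases bound to the same key.

    SameKeyBindingAs is followed transitively (union-find), so #card -> #id -> #nym
    yields a single class. A reference to an alias that does not exist is an error.
    """
    desc = _description(token_xml)
    members = {}  # alias (or a synthetic label for unaliased elements) -> element
    for i, el in enumerate(desc):
        tag = el.tag.split("}")[-1]
        if tag in ("Pseudonym", "Credential"):
            key = el.get("Alias") or f"<{tag}[{i}]>"
            if key in members:
                raise ValueError(f"duplicate alias {key}")
            members[key] = el
    parent = {k: k for k in members}

    def find(k):
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    for key, el in members.items():
        target = el.get("SameKeyBindingAs")
        if target is None:
            continue
        if target not in members:
            raise ValueError(f"{key}: SameKeyBindingAs refers to unknown alias {target}")
        parent[find(key)] = find(target)
    classes = {}
    for k in members:
        classes.setdefault(find(k), []).append(k)
    return sorted(sorted(c) for c in classes.values() if len(c) > 1)


def disclosed_attribute_violations(token_xml):
    """Apply the per-credential uniqueness rule for abc:DisclosedAttribute."""
    violations = []
    for i, cred in enumerate(_description(token_xml).findall("abc:Credential", NS)):
        label = cred.get("Alias", f"Credential[{i}]")
        seen = set()
        # iter() finds DisclosedAttribute whether or not it is nested inside abc:Attributes
        for da in cred.iter(f"{{{ABC_NS}}}DisclosedAttribute"):
            atype = da.get("AttributeType")
            inspector = da.findtext("abc:InspectorPublicKeyUID", None, NS)
            grounds = da.findtext("abc:InspectionGrounds", None, NS)
            if inspector is not None and grounds is None:
                violations.append(f"{label}/{atype}: InspectionGrounds missing")
            # in the clear: one per attribute type; to an inspector: one per (type, grounds)
            key = (atype, None) if inspector is None else (atype, grounds)
            if key in seen:
                how = "in the clear" if inspector is None else f"to inspector, grounds {grounds!r}"
                violations.append(f"{label}/{atype}: disclosed twice {how}")
            seen.add(key)
    return violations
```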
…/abc:PresentationTokenDescription/abc:VerifierDrivenRevocation
This optional element specifies all parameters for checking if a (set of) attribute value(s) from the specified credentials was not revoked using verifier-driven revocation, as requested in the presentation policy by the verifier.
…/abc:PresentationTokenDescription/abc:VerifierDrivenRevocation/abc:RevocationInformationUID
This element contains an identifier of revocation information with respect to which the presented (combination of) attribute value(s) is proved to be non-revoked. The revocation information referenced here corresponds to the verifier-driven revocation parameters mentioned in the verifier’s presentation policy; see the /abc:PresentationToken/abc:Credential/abc:RevocationInformationUID element for issuer-driven revocation.
When verifying the token, the verifier has to independently obtain the current revocation information using the mechanism specified by the revocation authority parameters referenced in the presentation policy. It is up to the verifier to check that the revocation information UID referenced in this element is indeed the most recent one.
…/abc:PresentationTokenDescription/abc:VerifierDrivenRevocation/abc:Attribute
This element specifies a credential attribute that is used for verifier-driven revocation. In case of multiple attributes specified, the User proves that a disjunctive combination of the attribute values was non-revoked with respect to abc:RevocationInformationUID.
…/abc:PresentationTokenDescription/abc:VerifierDrivenRevocation/abc:Attribute/@CredentialAlias
This attribute specifies the alias of the credential from which the attribute is used. The specified value MUST also occur as an Alias attribute in an abc:Credential element within this abc:PresentationToken.
…/abc:PresentationTokenDescription/abc:VerifierDrivenRevocation/abc:Attribute/@AttributeType
This attribute refers to the exact attribute within the credential that is used for verifier-driven revocation.
…/abc:PresentationTokenDescription/abc:AttributePredicate
This optional element specifies a predicate that is guaranteed to hold by this token. The child elements are the ordered list of arguments of the predicate.
…/abc:AttributePredicate/@Function
This attribute specifies the boolean function for this predicate. See Section 4.5.3 for a list of supported functions and their implications on the list of arguments in the child elements. Note that not all predicate functions can be used for all attributes: the allowed predicate functions depend on the data type and on the chosen encoding of the credential attributes. See Section 4.2.1 for a list of which predicates can be used in combination with which data types and encodings.
…/abc:AttributePredicate/abc:Attribute
This element specifies a reference to a credential attribute that is used as an argument of the predicate.
…/abc:AttributePredicate/abc:Attribute/@CredentialAlias
This attribute specifies the alias of the credential from which the attribute is used. The specified value MUST also occur as an Alias attribute in an abc:Credential element within this abc:PresentationToken.
…/abc:AttributePredicate/abc:Attribute/@AttributeType
This attribute refers to the exact attribute within the credential that is used as an argument in the predicate.
…/abc:AttributePredicate/abc:Attribute/@DataHandlingPolicy
This optional XML attribute can be used to refer to an external data handling policy that the Verifier has to adhere to with respect to the information that the attribute value satisfies the specified predicate. The data handling policy may be human-readable and/or machine-readable. The specification of a data handling policy schema is outside of the scope of this document.
…/abc:AttributePredicate/abc:ConstantValue
This element contains a constant value that is used as an argument in the predicate. The data type of the argument depends on the function of the predicate. We refer to Section 4.5.3 for a list of supported functions and the data types of their arguments.
/abc:PresentationToken/abc:CryptoEvidence
This element contains the cryptographic evidence for the presentation token.
When evaluating predicates over attributes in presentation policies and presentation tokens, the following list of function URIs from XACML20 for (in)equality testing of different data types MUST be supported. We refer to Appendix A of XACML20 for the semantics of these functions and the data types of their arguments. In order to prove predicates over credential attributes, the involved attributes MUST use the same encoding (see Section 4.2.1).
Moreover, this specification defines the following list of new functions for inequality testing.
For type being one of string, boolean, integer, date, time, dateTime, or anyURI, the semantics of function urn:abc4trust:1.0:function:type-not-equal is defined as follows. The function SHALL take two arguments of data-type http://www.w3.org/2001/XMLSchema#type and SHALL return an http://www.w3.org/2001/XMLSchema#boolean. The function SHALL return true if and only if the application of the corresponding function urn:oasis:names:tc:xacml:1.0:function:type-equal evaluated on the same arguments returns false. Otherwise, it SHALL return false. Finally, this specification defines the following list of functions for testing equality against a list of candidate values.
For type being one of string, boolean, integer, date, time, dateTime, or anyURI, the semantics of function urn:abc4trust:1.0:function:type-equal-oneof is defined as follows. The function SHALL take two or more arguments of data-type http://www.w3.org/2001/XMLSchema#type and SHALL return an http://www.w3.org/2001/XMLSchema#boolean. The function SHALL return true if and only if the application of the corresponding function urn:oasis:names:tc:xacml:1.0:function:type-equal evaluated on the first argument and one of the arguments other than the first returns true. Otherwise, it SHALL return false.
Note that not all predicate functions can be used for all attributes: the allowed predicate functions depend on the data type and on the chosen encoding of the credential attributes. See Section 4.2.1 for a list of which predicates can be used in combination with which data types and encodings.
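The two function families defined above are specified entirely in terms of the XACML type-equal functions, which makes them easy to implement and to check against each other. The following is an added example (not ABC4Trust project code) of a User-side evaluator that resolves an abc:AttributePredicate against locally held attribute values before a token is built, implementing type-equal, type-not-equal and type-equal-oneof for the seven listed types; the XACML inequality list referred to above is not reproduced on this page and is therefore not covered, and the abc namespace URI is assumed.

```python
"""Evaluation of abc:AttributePredicate functions (added example, not project code)."""
import xml.etree.ElementTree as ET
from datetime import date, datetime, time

NS = {"abc": "http://abc4trust.eu/wp2/abcschemav1.0"}  # namespace assumed, not stated on the page
XACML = "urn:oasis:names:tc:xacml:1.0:function:"
ABC = "urn:abc4trust:1.0:function:"
TYPES = ("string", "boolean", "integer", "date", "time", "dateTime", "anyURI")


def _typed(type_name, lexical):
    """Map the lexical form of an argument to a comparable Python value."""
    text = lexical.strip()
    if type_name in ("string", "anyURI"):
        return lexical
    if type_name == "boolean":
        return text in ("true", "1")
    if type_name == "integer":
        return int(text)
    if type_name == "date":
        return date.fromisoformat(text)
    if type_name == "time":
        return time.fromisoformat(text)
    if type_name == "dateTime":
        return datetime.fromisoformat(text.replace("Z", "+00:00"))
    raise ValueError(f"unsupported type {type_name}")


def evaluate(function_uri, args):
    """Evaluate a predicate function over its lexical arguments.

    type-equal is XACML's; type-not-equal and type-equal-oneof are defined by the
    specification in terms of it, and that definition is what is implemented here.
    """
    for t in TYPES:
        if function_uri == f"{XACML}{t}-equal":
            if len(args) != 2:
                raise ValueError(f"{function_uri} takes exactly two arguments")
            return _typed(t, args[0]) == _typed(t, args[1])
        if function_uri == f"{ABC}{t}-not-equal":
            return not evaluate(f"{XACML}{t}-equal", args)
        if function_uri == f"{ABC}{t}-equal-oneof":
            if len(args) < 2:
                raise ValueError(f"{function_uri} takes two or more arguments")
            first, candidates = args[0], args[1:]
            return any(evaluate(f"{XACML}{t}-equal", [first, c]) for c in candidates)
    raise ValueError(f"unsupported function {function_uri}")


def predicate_holds(predicate_xml, attribute_store):
    """Check a predicate on the User side before a token is built.

    attribute_store maps (credential alias, attribute type) to the lexical value held
    locally; abc:Attribute children are resolved through it and abc:ConstantValue
    children are used as-is, all in document order.
    """
    pred = ET.fromstring(predicate_xml)
    args = []
    for child in pred:
        tag = child.tag.split("}")[-1]
        if tag == "Attribute":
            ref = (child.get("CredentialAlias"), child.get("AttributeType"))
            if ref not in attribute_store:
                raise KeyError(f"no local attribute for {ref}")
            args.append(attribute_store[ref])
        elif tag == "ConstantValue":
            args.append(child.text or "")
    return evaluate(pred.get("Function"), args)


# Constructed sample: the verifier accepts a card issued for one of two countries.
SAMPLE_PREDICATE = f"""<abc:AttributePredicate xmlns:abc="{NS['abc']}"
    Function="{ABC}string-equal-oneof">
  <abc:Attribute CredentialAlias="#card" AttributeType="urn:example:attr:country"/>
  <abc:ConstantValue>DE</abc:ConstantValue>
  <abc:ConstantValue>FR</abc:ConstantValue>
</abc:AttributePredicate>"""

SAMPLE_STORE = {("#card", "urn:example:attr:country"): "FR"}  # constructed local values
```

Note that equality is decided on the typed value, so integer-not-equal over "007" and "7" is false even though the lexical forms differ.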
Issuance of Privacy-ABCs is an interactive process between the User and the Issuer, possibly involving multiple exchanges of messages. This document specifies the contents, encoding, and processing of the messages; an application needs to define how to exchange them, e.g., by embedding them in existing messaging protocols. For example, WS-Trust14 specifies an issuance challenge-response pattern that can be used to carry the ABC issuance messages, embedding them in RequestSecurityToken and RequestSecurityTokenResponse messages.
An overview of a typical issuance interaction is given in the following Figure. The User initiates the interaction by sending an issuance request to the Issuer, optionally specifying the requested credential specification UID.
In the simplest case, the credential is issued “from scratch”, i.e., without relation to any existing credentials. Even in this case, the issuance protocol may consist of multiple exchanges of issuance messages.
In a more advanced setting, the new credential that is being issued may carry over attribute values, the user secret or the device secret from credentials that the User already owns, or may require attribute values to be generated jointly at random. We refer to Section 2.7 for more details on the possibilities of advanced issuance protocols.
In the advanced setting, the issuer responds to the initial request with its issuance policy, which specifies which issuance token the user must present in order to obtain the requested token, which features of existing credentials will be carried over to the new credential, and which attributes will be generated jointly at random. The user responds with an issuance token. Then, a number of interaction rounds may take place to perform the cryptographic issuance protocol. At the end of these rounds, the Issuer sends the final message allowing the User to construct the issued credential.
Some notes: The endpoint to contact, and its authentication requirements, are application specific. The issuance protocol SHOULD be done over a secure channel to protect the confidentiality of the attribute values. Since the exchange is multi-legged, the parties must keep the cryptographic state of each issuance instance between the message exchanges.
User authentication is out of scope of this document. Authentication information MAY be provided along the issuance messages.
Optionally, the Issuer may respond to the User’s initial request by sending the issuance policy. In an issuance policy, the Issuer describes which credentials he will issue based on which issuance token presented by the User. The newly issued credential can “carry over” certain features from the existing credentials used in generating the issuance token, without revealing these features to the Issuer. Namely, the newly issued credential can be bound to the same User, to the same device, or to the same revocation handle as one of the existing credentials. Also, attribute values in the new credential can be carried over from attributes in the existing credentials, without the Issuer being able to see these attribute values.
In case of an issuance “from scratch”, i.e., for which the User does not have to prove ownership of existing credentials or established pseudonyms, the issuance policy merely specifies the credential specification and the issuer parameters for the credential to be issued. The issuance policy is then used only locally by the Issuer to trigger the issuance protocol.
<abc:IssuancePolicy Version="1.0">
  <abc:PresentationPolicy … > … </abc:PresentationPolicy>?
  <abc:CredentialTemplate SameKeyBindingAs="xs:anyURI"?>
    <abc:CredentialSpecUID>…</abc:CredentialSpecUID>
    <abc:IssuerParametersUID>…</abc:IssuerParametersUID>
    <abc:UnknownAttributes>
      <abc:CarriedOverAttribute TargetAttributeType="xs:anyURI">
        <abc:SourceCredentialInfo Alias="xs:anyURI" AttributeType="xs:anyURI"/>
      </abc:CarriedOverAttribute>*
      <abc:JointlyRandomAttribute TargetAttributeType="xs:anyURI"/>*
    </abc:UnknownAttributes>?
  </abc:CredentialTemplate>
</abc:IssuancePolicy>
The following describes the attributes and elements listed in the schema outlined above:
/abc:IssuancePolicy
This element describes an issuance policy.
/abc:IssuancePolicy/abc:PresentationPolicy
This optional element specifies which token has to be presented by the user in order to be issued a credential. See the /abc:PresentationPolicyAlternatives/abc:PresentationPolicy element in Section 4 for a description of the schema. The main goal of this policy and the issuance token returned in response of it is to carry over features from the existing credentials used to generate the presentation token into the newly issued credential.
Note that the presentation policy can also request a self-signed or self-stated credential; see the IssuerParametersUID element in the PresentationPolicy for details. Using this feature, the Issuer can have self-signed and self-claimed attributes carried over into the newly issued credential. These attribute values will be visible to the Issuer if the issuance policy explicitly specifies that they must be revealed, and will be invisible to the Issuer otherwise.
/abc:IssuancePolicy/abc:CredentialTemplate
This element provides a template for the to-be-issued credential. In case of issuance from scratch it will only specify the credential specification and the issuer parameters.
/abc:IssuancePolicy/abc:CredentialTemplate/@SameKeyBindingAs
When present, this XML attribute causes the newly issued credential to be bound to the same key as one of the credentials or pseudonyms in the presentation policy. The value of the attribute refers to the Alias attribute of the Pseudonym or Credential from which the key must be carried over.
/abc:IssuancePolicy/abc:CredentialTemplate/abc:CredentialSpecUID
This element contains the unique identifier of the credential specification of the newly issued credential.
/abc:IssuancePolicy/abc:CredentialTemplate/abc:IssuerParametersUID
This element contains the unique identifier of the issuer parameters of the newly issued credential.
/abc:IssuancePolicy/abc:CredentialTemplate/abc:UnknownAttributes
This element specifies the attributes that are unknown to the Issuer and that will either be carried over from another credential or jointly generated at random.
…/abc:CredentialTemplate/abc:UnknownAttributes/abc:CarriedOverAttribute
This element describes how an unknown attribute is established.
…/abc:UnknownAttributes/abc:CarriedOverAttribute/@TargetAttributeType
This attribute indicates to which attribute in the to-be-issued credential this template information applies.
…/abc:UnknownAttributes/abc:CarriedOverAttribute/abc:SourceCredentialInfo
This element contains information about the source credential from which the attribute value is transferred.
…/abc:CarriedOverAttribute/abc:SourceCredentialInfo/@Alias
This attribute indicates the alias of the presented credential from which to carry over the attribute value.
…/abc:CarriedOverAttribute/abc:SourceCredentialInfo/@AttributeType
This attribute indicates the attribute type of the presented credential from which to carry over the attribute value (which could be different from the target attribute type, e.g., from the LastName attribute of the DriverLicense credential to the GivenName attribute of the StudentCard credential).
…/abc:UnknownAttributes/abc:JointlyRandomAttribute
This element indicates that a specific attribute of the newly issued credential must be generated jointly at random, i.e., so that the Issuer does not learn the value of the attribute, but so that the User cannot bias the uniform distribution of the value.
…/abc:UnknownAttributes/abc:JointlyRandomAttribute/@TargetAttributeType
The attribute type of the newly issued credential that must be assigned a jointly generated random value.
In case of advanced issuance, the User responds with an issuance token that contains a presentation token and a credential template satisfying the issuance policy of the Issuer. In order to satisfy the policy, the credential template in the issuance token must be the same as in the received issuance policy. See Section 4 for the schema of the presentation token and Section 4.5.1 for the schema of the credential template.
<abc:IssuanceToken Version="1.0">
  <abc:IssuanceTokenDescription>
    <abc:PresentationTokenDescription>…</abc:PresentationTokenDescription>
    <abc:CredentialTemplate SameKeyBindingAs="xs:anyURI"?>…</abc:CredentialTemplate>
  </abc:IssuanceTokenDescription>
  <abc:CryptoEvidence>…</abc:CryptoEvidence>
</abc:IssuanceToken>
The following describes the attributes and elements listed in the schema outlined above:
/abc:IssuanceToken
This element describes an issuance token.
/abc:IssuanceToken/@Version
This attribute indicates the token version number; it MUST be “1.0”.
/abc:IssuanceToken/abc:IssuanceTokenDescription
This element contains a technology-agnostic description of the revealed information and the new credential.
…/abc:IssuanceTokenDescription/abc:PresentationTokenDescription
This element contains a technology-agnostic description of the revealed information.
…/abc:IssuanceTokenDescription/abc:CredentialTemplate
This element provides a template for the to-be-issued credential.
/abc:IssuanceToken/abc:CryptoEvidence
This element provides the cryptographic evidence for the issuance token.
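Before the Issuer starts the cryptographic rounds it can check, without any mechanism-specific code, that the issuance token answers its own issuance policy: the credential template must be identical to the one it sent, and every alias the template carries key binding or attribute values over from must actually be presented in the token. The following is an added example of that check (not ABC4Trust project code); the abc namespace URI and the sample policy and token are constructed for the example.

```python
"""Issuer-side check of an abc:IssuanceToken against its abc:IssuancePolicy (added example)."""
import xml.etree.ElementTree as ET

ABC_NS = "http://abc4trust.eu/wp2/abcschemav1.0"  # namespace assumed, not stated on the page
NS = {"abc": ABC_NS}

# Constructed template: the new credential is bound to the key behind pseudonym #nym
# and carries over the last name from the presented credential #dl.
TEMPLATE = """<abc:CredentialTemplate SameKeyBindingAs="#nym">
    <abc:CredentialSpecUID>urn:example:spec:studentcard</abc:CredentialSpecUID>
    <abc:IssuerParametersUID>urn:example:issuer:university</abc:IssuerParametersUID>
    <abc:UnknownAttributes>
      <abc:CarriedOverAttribute TargetAttributeType="urn:example:attr:lastname">
        <abc:SourceCredentialInfo Alias="#dl" AttributeType="urn:example:attr:lastname"/>
      </abc:CarriedOverAttribute>
    </abc:UnknownAttributes>
  </abc:CredentialTemplate>"""

SAMPLE_POLICY = f"""<abc:IssuancePolicy xmlns:abc="{ABC_NS}" Version="1.0">
  <abc:PresentationPolicy PolicyUID="urn:example:policy"/>
  {TEMPLATE}
</abc:IssuancePolicy>"""

# Constructed issuance token answering the policy, template copied verbatim.
SAMPLE_TOKEN = f"""<abc:IssuanceToken xmlns:abc="{ABC_NS}" Version="1.0">
  <abc:IssuanceTokenDescription>
    <abc:PresentationTokenDescription>
      <abc:Pseudonym Alias="#nym"><abc:PseudonymValue>AAAA</abc:PseudonymValue></abc:Pseudonym>
      <abc:Credential Alias="#dl" SameKeyBindingAs="#nym">
        <abc:CredentialSpecUID>urn:example:spec:driverlicense</abc:CredentialSpecUID>
        <abc:IssuerParametersUID>urn:example:issuer:dmv</abc:IssuerParametersUID>
      </abc:Credential>
    </abc:PresentationTokenDescription>
    {TEMPLATE}
  </abc:IssuanceTokenDescription>
  <abc:CryptoEvidence/>
</abc:IssuanceToken>"""


def _same_tree(a, b):
    """Canonical equality: tag, attributes, trimmed text and children in order."""
    return (a.tag == b.tag and dict(a.attrib) == dict(b.attrib)
            and (a.text or "").strip() == (b.text or "").strip()
            and len(a) == len(b) and all(_same_tree(x, y) for x, y in zip(a, b)))


def issuance_token_problems(policy_xml, token_xml):
    """Return the reasons an issuance token does not satisfy the policy (empty if it does)."""
    policy = ET.fromstring(policy_xml)
    token = ET.fromstring(token_xml)
    problems = []
    p_tpl = policy.find("abc:CredentialTemplate", NS)
    t_tpl = token.find("abc:IssuanceTokenDescription/abc:CredentialTemplate", NS)
    if t_tpl is None or not _same_tree(p_tpl, t_tpl):
        problems.append("credential template differs from the one in the issuance policy")
    desc = token.find("abc:IssuanceTokenDescription/abc:PresentationTokenDescription", NS)
    presented = set()
    if desc is not None:  # aliases of the pseudonyms and credentials actually presented
        presented = {el.get("Alias") for el in desc if el.get("Alias")}
    key_src = p_tpl.get("SameKeyBindingAs")
    if key_src is not None and key_src not in presented:
        problems.append(f"SameKeyBindingAs refers to {key_src}, which is not presented")
    for src in p_tpl.iterfind(".//abc:SourceCredentialInfo", NS):
        if src.get("Alias") not in presented:
            problems.append(f"carried-over attribute refers to {src.get('Alias')}, which is not presented")
    return problems
```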
Any message that will be exchanged in the course of an issuance protocol is wrapped in an IssuanceMessage. That includes the issuance policy and issuance token (if requested by the issuer), as well as the subsequent interactions between the User and Issuer to execute the cryptographic protocol. The message contents in the remaining flows of the issuance protocol are mechanism-specific and therefore treated as opaque pieces of information that are exchanged between the Issuer and the User.
To allow the linkage of the different legs of a protocol, each message includes a Context attribute, which must have the same value on all legs (including the possible preceding issuance policy/token exchange).
<abc:IssuanceMessage Context="…">
…
</abc:IssuanceMessage>
The following describes the attributes and elements listed in the schema outlined above:
/abc:IssuanceMessage
This element contains either an issuance policy, issuance token or mechanism-specific cryptographic issuance data.
/abc:IssuanceMessage/@Context
The message MUST contain a context attribute and its value MUST match the one from the initial IssuanceMessage (if any).
To keep track of all issued credentials, the issuance log is stored on the issuer side. The issuance log entry contains the verified issuance token (if requested by the issuer), as well as the attribute values specified by the issuer.
<abc:IssuanceLogEntry Version="1.0">
  <abc:IssuanceLogEntryUID>…</abc:IssuanceLogEntryUID>
  <abc:IssuerParametersUID>…</abc:IssuerParametersUID>
  <abc:IssuanceToken> … </abc:IssuanceToken>?
  <abc:IssuerAttributes>
    <abc:Attribute @Type="xs:anyURI">
      <abc:AttributeValue>…</abc:AttributeValue>
    </abc:Attribute>*
  </abc:IssuerAttributes>?
</abc:IssuanceLogEntry>
The following describes the attributes and elements listed in the schema outlined above:
/abc:IssuanceLogEntry
This element contains the verified issuance token (if requested by the issuer), as well as the attribute values specified by the issuer.
/abc:IssuanceLogEntry/abc:IssuanceLogEntryUID
This element contains the identifier of the log entry.
/abc:IssuanceLogEntry/abc:IssuerParametersUID
This element contains the identifier of the Issuer’s parameters of the issued credential.
/abc:IssuanceLogEntry/abc:IssuanceToken
This optional element contains the verified issuance token.
/abc:IssuanceLogEntry/abc:IssuerAttributes
This element contains the description of the attributes (if any) provided by the issuer in an issued credential.
/abc:IssuanceLogEntry/abc:IssuerAttributes/abc:Attribute
This element contains the description of an attribute provided by the issuer in an issued credential.
/abc:IssuanceLogEntry/abc:IssuerAttributes/abc:Attribute/@Type
This attribute contains the unique identifier of the attribute type of this credential attribute. The attribute type is a URI, to which a semantics is associated by the definition of the attribute type. The definition of attribute types is outside the scope of this document; we refer to Section 7.5 in IMI1.0 for examples. The attribute type (e.g., http://example.com/firstname) is not to be confused with the data type (e.g., xs:string) that is specified by the DataType attribute in the CredentialSpecification.
…/abc:IssuerAttributes/abc:Attribute/abc:AttributeValue
This element contains the actual value of the issued credential attribute provided by the issuer.
To keep track of the revocation process on the upper level, the revocation history is stored on the revocation authority side. The revocation history contains information, including cryptographic data, that is used by the revocation authority to support revocation (generating and updating non-revocation evidence, revocation handles and revocation information, and keeping track of revocable credentials).
Credentials that are subject to verifier-driven revocation are also called revocable in this context. Registering a revocable credential means adding it to the list of credentials that can be revoked by the revocation authority. This can also include generating a fresh revocation handle and/or non-revocation evidence and updating the revocation information, if required by the revocation mechanism. In case of verifier-driven revocation, registration is optional.
<abc:RevocationHistory Version="1.0">
  <abc:RevocationHistoryUID>…</abc:RevocationHistoryUID>
  <abc:RevocationAuthorityParametersUID>…</abc:RevocationAuthorityParametersUID>
  <abc:CurrentState>…</abc:CurrentState>?
  <abc:RevocationLogEntry @Revoked="xs:boolean">
    <abc:RevocationLogEntryUID>…</abc:RevocationLogEntryUID>
    <abc:RevocableAttribute @Type="xs:anyURI">
      <abc:AttributeValue>…</abc:AttributeValue>
    </abc:RevocableAttribute>*
    <abc:DateCreated>…</abc:DateCreated>
    <abc:CryptoParameters>…</abc:CryptoParameters>?
  </abc:RevocationLogEntry>?
</abc:RevocationHistory>
The following describes the attributes and elements listed in the schema outlined above:
/abc:RevocationHistory
This element contains the information that is used by the revocation authority to support revocation and keep track of revocable credentials.
/abc:RevocationHistory/abc:RevocationHistoryUID
This element contains the identifier of the revocation history.
/abc:RevocationHistory/abc:RevocationAuthorityParametersUID
This element contains the identifier of the revocation authority parameters.
/abc:RevocationHistory/abc:CurrentState
This optional element contains the information that is used by the revocation authority to register and revoke credentials; it may also contain cryptographic and revocation-mechanism-specific data.
/abc:RevocationHistory/abc:RevocationLogEntry
This element contains information about credentials that were registered and revoked by the revocation authority and the corresponding cryptographic data.
/abc:RevocationHistory/abc:RevocationLogEntry/@Revoked
This attribute indicates whether the revocation authority registered a new revocable credential or revoked an existing one.
/abc:RevocationHistory/abc:RevocationLogEntry/abc:RevocationLogEntryUID
This element contains the identifier of the revocation log entry.
/abc:RevocationHistory/abc:RevocationLogEntry/abc:RevocableAttribute
This element contains the description of an attribute that is used to revoke the credential.
/abc:RevocationHistory/abc:RevocationLogEntry/abc:RevocableAttribute/@Type
This attribute contains the unique identifier of the attribute type of the credential attribute that is used to revoke the credential. The attribute type is a URI, to which a semantics is associated by the definition of the attribute type. The definition of attribute types is outside the scope of this document; we refer to Section 7.5 in IMI1.0 for examples. The attribute type (e.g., http://example.com/firstname) is not to be confused with the data type (e.g., xs:string) that is specified by the DataType attribute in the CredentialSpecification.
…/abc:RevocationLogEntry/abc:RevocableAttribute/abc:AttributeValue
This element contains the actual value of the credential attribute that is used to revoke the credential. In the case of issuer-driven revocation it contains the value of the revocation handle.
/abc:RevocationHistory/abc:RevocationLogEntry/abc:DateCreated
This element contains a timestamp when the credential was registered or revoked by the revocation authority.
/abc:RevocationHistory/abc:RevocationLogEntry/abc:CryptoParameters
This element contains mechanism-specific cryptographic data that is used to register or revoke credentials.
At the end of an issuance protocol, the User obtains a new credential. The contents of the new credential are reported back through a CredentialDescription element that adheres to the following schema:
<abc:CredentialDescription RevokedByIssuer="xs:boolean"?>
  <abc:CredentialUID>…</abc:CredentialUID>
  <abc:FriendlyCredentialName lang="xs:language">xs:string</abc:FriendlyCredentialName>*
  <abc:ImageReference>xs:anyURI</abc:ImageReference>?
  <abc:CredentialSpecificationUID>…</abc:CredentialSpecificationUID>
  <abc:IssuerParametersUID>…</abc:IssuerParametersUID>
  <abc:SecretReference>…</abc:SecretReference>?
  <abc:Attribute>
    <abc:AttributeUID>…</abc:AttributeUID>
    <abc:AttributeDescription @Type="xs:anyURI" @DataType="xs:anyURI" @Encoding="xs:anyURI">
      <abc:FriendlyAttributeName lang="xs:language">xs:string</abc:FriendlyAttributeName>*
      <abc:AttributeValue>…</abc:AttributeValue>
    </abc:AttributeDescription>
  </abc:Attribute>*
</abc:CredentialDescription>
The following describes the attributes and elements listed in the schema outlined above:
/abc:CredentialDescription
This element contains the description of an issued credential in a User’s credential portfolio.
/abc:CredentialDescription/@RevokedByIssuer
This flag indicates whether this credential was revoked by the issuer. This flag should be set to true as soon as the user knows that this credential was revoked. This flag should be set to false (or omitted) for non-revocable credentials. The default value of this flag is false.
The user's credential store may treat revoked credentials differently from non-revoked ones; in particular, it may choose not to store them at all. Revoked credentials will also be skipped by the PolicyCredentialMatcher.
/abc:CredentialDescription/abc:CredentialUID
This element contains a unique local identifier (formatted as a URI) of the issued credential in the User’s credential portfolio. This identifier acts solely as a local reference within the User’s system; it is never included in a presentation token or in other artefacts sent across the network for obvious reasons of linkability.
/abc:CredentialDescription/abc:FriendlyCredentialName
This optional element provides a friendly textual name for the credential. The content of this element MUST be localized in a specific language.
/abc:CredentialDescription/abc:FriendlyCredentialName/@lang
A required language identifier, using the language codes specified in RFC 3066, in which the content of the abc:FriendlyCredentialName element has been localized.
/abc:CredentialDescription/abc:ImageReference
This optional element contains a reference to the endpoint where the image for the credential can be obtained.
When implementing a Privacy-ABC system, downloading images from the identity providers should be handled carefully. The reference to the external image resource must not be used every time the credential is presented. To avoid linkability when using the credential, the corresponding image must be downloaded and stored locally at the User’s side during issuance.
/abc:CredentialDescription/abc:CredentialSpecificationUID
This element contains the identifier of the credential specification (formatted as a URI) to which the issued credential adheres.
/abc:CredentialDescription/abc:IssuerParametersUID
This element contains a reference to the issuer parameters of the Issuer who issued the credential.
/abc:CredentialDescription/abc:SecretReference
This optional element contains a unique local identifier (formatted as a URI) of the secret key to which the credential is bound, in case key binding is enabled for this credential. A User may have multiple secret keys; this reference helps in finding the key to which this credential is bound.
This identifier is just a reference to the secret key, not the secret key itself. It acts solely as a local reference within the User’s system; it is never included in a presentation token or in other artefacts sent across the network for obvious reasons of linkability.
/abc:CredentialDescription/abc:Attribute
This element contains the description of an attribute in an issued credential.
/abc:CredentialDescription/abc:Attribute/abc:AttributeUID
This element contains a unique local identifier (formatted as a URI) of this attribute in this credential in the User’s credential portfolio. This identifier acts solely as a local reference within the User’s system; it is never included in a presentation token or in other artefacts sent across the network for obvious reasons of linkability.
/abc:CredentialDescription/abc:Attribute/abc:AttributeDescription
This element contains the generic description of the attribute, as specified in the /abc:CredentialSpecification/abc:AttributeDescriptions/abc:AttributeDescription element for this attribute in the credential specification.
/abc:CredentialDescription/abc:Attribute/abc:AttributeDescription/@Type
This attribute contains the unique identifier of the attribute type of this credential attribute. The attribute type is a URI whose semantics are given by the definition of the attribute type. The definition of attribute types is outside the scope of this document; we refer to Section 7.5 in IMI1.0 for examples. The attribute type (e.g., http://example.com/firstname) is not to be confused with the data type (e.g., xs:string) that is specified by the DataType attribute.
/abc:CredentialDescription/abc:Attribute/abc:AttributeDescription/@DataType
This attribute contains the data type of the credential attribute. The supported attribute data types are a subset of XML Schema data types. We refer to Section 4.2.1 for an overview of the supported data types.
/abc:CredentialDescription/abc:Attribute/abc:AttributeDescription/@Encoding
To be embedded in a Privacy-ABC, credential attribute values must typically be mapped to fixed-length integers. The Encoding XML attribute specifies how the value of this credential attribute is mapped to such an integer. We refer to Section 4.2.1 for an overview of the supported encoding algorithms.
/abc:CredentialDescription/abc:Attribute/abc:FriendlyAttributeName
This optional element provides a friendly textual name for the attribute in the credential. The content of this element MUST be localized in a specific language.
/abc:CredentialDescription/abc:Attribute/abc:FriendlyAttributeName/@lang
A required language identifier, using the language codes specified in RFC 3066, in which the content of the abc:FriendlyAttributeName element has been localized.
/abc:CredentialDescription/abc:Attribute/abc:AttributeValue
This element contains the actual value of the issued credential attribute.
The IdentitySelection component supports a User in choosing a preferred combination of credentials and/or pseudonyms if there are different possibilities to satisfy a given presentation policy or issuance policy. Also, this component is used to obtain User consent whenever personal data is revealed during presentation or issuance.
In this section, we specify the formats for data that the ABC engine sends to the IdentitySelection component, as well as the data formats that it expects in return.
The formats for data that are sent to the IdentitySelection component comprise a part that is common to both credential presentation and credential issuance. This common format is also suitable for data being sent to a (graphical) credential management component that allows a User to display the content of her credential repository.
<abc:UiPresentationArguments>
  <abc:data>
    <abc:credentialSpecifications>
      <abc:credentialSpecification uri="xs:ID">
        <abc:spec>...</abc:spec>
      </abc:credentialSpecification>*
    </abc:credentialSpecifications>?
    <abc:issuers>
      <abc:issuer uri="xs:ID">
        <abc:revocationAuthorityUri>xs:URI</abc:revocationAuthorityUri>
        <abc:description>
          <abc:description>...</abc:description>*
        </abc:description>?
        <abc:spec ref="xs:IDREF" />
      </abc:issuer>*
    </abc:issuers>?
    <abc:revocationAuthorities>
      <abc:revocationAuthority uri="xs:ID">
        <abc:description>
          <abc:description>...</abc:description>*
        </abc:description>?
      </abc:revocationAuthority>*
    </abc:revocationAuthorities>?
    <abc:credentials>
      <abc:credential uri="xs:ID">
        <abc:desc>...</abc:desc>
        <abc:revocationAuthority ref="xs:IDREF" />
        <abc:spec ref="xs:IDREF" />
        <abc:issuer ref="xs:IDREF" />
      </abc:credential>*
    </abc:credentials>?
    <abc:pseudonyms>
      <abc:pseudonym uri="xs:ID">
        <abc:pseudonym>...</abc:pseudonym>
        <abc:metadata>...</abc:metadata>
      </abc:pseudonym>*
    </abc:pseudonyms>?
    <abc:inspectors>
      <abc:inspector uri="xs:ID">
        <abc:description>
          <abc:description>...</abc:description>*
        </abc:description>?
      </abc:inspector>*
    </abc:inspectors>?
  </abc:data>
  <abc:tokenCandidatesPerPolicy>
    <abc:tokenCandidatePerPolicy policyId="xs:int">
      <abc:policy>...</abc:policy>
      <abc:tokenCandidates>
        <abc:tokenCandidate candidateId="xs:int">
          <abc:tokenDescription>...</abc:tokenDescription>
          <abc:credentials>
            <abc:credential ref="xs:IDREF" />*
          </abc:credentials>?
          <abc:pseudonymCandidates>
            <abc:pseudonymCandidate candidateId="xs:int">
              <abc:pseudonyms>
                <abc:pseudonym ref="xs:IDREF" />*
              </abc:pseudonyms>?
            </abc:pseudonymCandidate>+
          </abc:pseudonymCandidates>
          <abc:revealedFacts>
            <abc:revealedFact>
              <abc:descriptions>
                <abc:description>...</abc:description>*
              </abc:descriptions>?
            </abc:revealedFact>*
          </abc:revealedFacts>?
          <abc:revealedAttributeValues>
            <abc:revealedAttributeValue>
              <abc:descriptions>
                <abc:description>...</abc:description>*
              </abc:descriptions>?
            </abc:revealedAttributeValue>*
          </abc:revealedAttributeValues>?
          <abc:inspectableAttributes>
            <abc:inspectableAttribute>
              <abc:credential ref="xs:IDREF" />*
              <abc:attributeType>xs:string</abc:attributeType>
              <abc:dataHandlingPolicy>xs:string</abc:dataHandlingPolicy>
              <abc:inspectionGrounds>xs:string</abc:inspectionGrounds>
              <abc:inspectorAlternatives>
                <abc:inspectorAlternative ref="xs:IDREF" />*
              </abc:inspectorAlternatives>?
            </abc:inspectableAttribute>*
          </abc:inspectableAttributes>?
        </abc:tokenCandidate>+
      </abc:tokenCandidates>
    </abc:tokenCandidatePerPolicy>+
  </abc:tokenCandidatesPerPolicy>
</abc:UiPresentationArguments>
/abc:UiPresentationArguments
This XML root Element is sent by the ABC Engine to the user interface to perform identity selection for presentation. The user interface must then choose which combination of credentials and/or pseudonyms, all satisfying the policy, should be used to complete the presentation proof.
/abc:UiPresentationArguments/abc:data
This element contains information about all credential specifications, issuers, revocation authorities, credentials, pseudonyms and inspectors that are used in this XML. Data under this element must not appear twice. All data in this element should be referenced at least once in this XML.
/abc:UiPresentationArguments/abc:data/abc:credentialSpecifications
The wrapper for the list of credential specifications.
/abc:UiPresentationArguments/abc:data/abc:credentialSpecifications/abc:credentialSpecification
An entry in the list of credential specifications.
/abc:UiPresentationArguments/abc:data/abc:credentialSpecifications/abc:credentialSpecification/@uri
This element must contain the specificationUid of the credential specification in the spec element. The subsequent XML code must refer to this credential specification by this uri.
/abc:UiPresentationArguments/abc:data/abc:credentialSpecifications/abc:credentialSpecification/abc:spec
This element contains the actual credentialSpecification element, as output by the Key Manager. The contents MUST be of the type /abc:CredentialSpecification.
/abc:UiPresentationArguments/abc:data/abc:issuers
Wrapper for the list of issuers.
/abc:UiPresentationArguments/abc:data/abc:issuers/abc:issuer
An entry in the list of issuers.
/abc:UiPresentationArguments/abc:data/abc:issuers/abc:issuer/@uri
This element must contain the parametersUid of the issuer parameters of this particular issuer. The subsequent XML code must refer to this issuer by this uri.
/abc:UiPresentationArguments/abc:data/abc:issuers/abc:issuer/abc:revocationAuthorityUri
This element must contain a copy of the revocationParametersUID element of the issuer parameters of this particular issuer.
/abc:UiPresentationArguments/abc:data/abc:issuers/abc:issuer/abc:description
Wrapper for the list of friendly issuer descriptions. The contents of this list must be a copy of the list of friendlyIssuerDescriptions in the issuer parameters of this particular issuer.
/abc:UiPresentationArguments/abc:data/abc:issuers/abc:issuer/abc:description/abc:description
An entry in the list of friendly issuer descriptions. It must be a copy of the corresponding entry of friendlyIssuerDescriptions in the issuer parameters of this particular issuer. The contents MUST be of the type /abc:CredentialSpecification/abc:FriendlyCredentialName.
/abc:UiPresentationArguments/abc:data/abc:issuers/abc:issuer/abc:spec
Wrapper for the reference to the credential specification associated with this issuer.
/abc:UiPresentationArguments/abc:data/abc:issuers/abc:issuer/abc:spec/@ref
This is a reference to the credential specification associated with this issuer. It must be equal to the credentialSpecUID element of the issuer parameters of this particular issuer. It refers to /abc:UiPresentationArguments/abc:data/abc:credentialSpecifications/abc:credentialSpecification/@uri.
/abc:UiPresentationArguments/abc:data/abc:revocationAuthorities
Wrapper for the list of revocation authorities.
/abc:UiPresentationArguments/abc:data/abc:revocationAuthorities/abc:revocationAuthority
An entry in the list of revocation authorities.
/abc:UiPresentationArguments/abc:data/abc:revocationAuthorities/abc:revocationAuthority/@uri
This element must contain the parametersUid of the revocation authority parameters of this particular revocation authority. The subsequent XML code must refer to this revocation authority by this uri.
/abc:UiPresentationArguments/abc:data/abc:revocationAuthorities/abc:revocationAuthority/abc:description
Wrapper for the list of friendly revocation authority descriptions. Since revocation authorities do not yet have a friendly description, this element currently only contains dummy text. In the future, the contents of this list should be a copy of the list of friendly descriptions in the revocation authority parameters of this particular revocation authority.
/abc:UiPresentationArguments/abc:data/abc:revocationAuthorities/abc:revocationAuthority/abc:description/abc:description
An entry in the list of friendly revocation authority descriptions. Currently, this element contains only dummy text. In the future, it should be a copy of the corresponding entry of the friendly description in the revocation authority parameters of this particular revocation authority. The contents MUST be of the type /abc:CredentialSpecification/abc:FriendlyCredentialName.
/abc:UiPresentationArguments/abc:data/abc:credentials
Wrapper for the list of credentials.
/abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential
An entry in the list of credentials.
/abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential/@uri
This element must contain the credentialUid of the credential description of this particular credential. The subsequent XML code must refer to this credential by this uri.
/abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential/abc:desc
This element contains the actual credentialDescription element corresponding to this credential, as output by the Credential Manager. The contents MUST be of the type /abc:CredentialDescription.
/abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential/abc:revocationAuthority
Wrapper for the reference to the revocation authority responsible for issuer-driven revocation for this credential.
/abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential/abc:revocationAuthority/@ref
This is a reference to the revocation authority responsible for issuer-driven revocation for this credential. It must be equal to the revocationParametersUID element of the issuer parameters associated with this credential. It refers to /abc:UiPresentationArguments/abc:data/abc:revocationAuthorities/abc:revocationAuthority/@uri.
/abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential/abc:spec
Wrapper for the reference to the credential specification of this credential.
/abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential/abc:spec/@ref
This is a reference to the credential specification associated with this credential. It must be equal to the credentialSpecificationUID element of the credential description of this credential. It refers to /abc:UiPresentationArguments/abc:data/abc:credentialSpecifications/abc:credentialSpecification/@uri.
/abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential/abc:issuer
Wrapper for the reference to the issuer associated with this credential.
/abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential/abc:issuer/@ref
This is a reference to the issuer associated with this credential. It must be equal to the issuerParametersUID element of the credential description of this credential. It refers to /abc:UiPresentationArguments/abc:data/abc:issuers/abc:issuer/@uri.
/abc:UiPresentationArguments/abc:data/abc:pseudonyms
Wrapper for the list of pseudonyms. This list contains:
/abc:UiPresentationArguments/abc:data/abc:pseudonyms/abc:pseudonym
An entry in the list of pseudonyms.
/abc:UiPresentationArguments/abc:data/abc:pseudonyms/abc:pseudonym/@uri
This element must contain the pseudonymUID of this pseudonym. The subsequent XML code must refer to this pseudonym by this uri.
/abc:UiPresentationArguments/abc:data/abc:pseudonyms/abc:pseudonym/abc:pseudonym
This element contains the actual pseudonym(-without-metadata) element corresponding to the PseudonymWithMetadata element of this pseudonym. For existing pseudonyms, this is a copy of the pseudonym element of the pseudonymWithMetadata element output by the Credential Manager.
For newly created pseudonyms, the fields SecretReference, Exclusive, Scope, and PseudonymUID will be set automatically; the PseudonymValue field will be left out.
The contents MUST be of the type /abc:PseudonymWithMetadata/abc:Pseudonym.
/abc:UiPresentationArguments/abc:data/abc:pseudonyms/abc:pseudonym/abc:metadata
This element contains the pseudonymMetadata element corresponding to the PseudonymWithMetadata element of this pseudonym. For existing pseudonyms, this is a copy of the pseudonymMetadata element of the pseudonymWithMetadata element output by the Credential Manager.
For newly created pseudonyms, this field contains dummy values.
The contents MUST be of the type /abc:PseudonymWithMetadata/abc:PseudonymMetadata.
/abc:UiPresentationArguments/abc:data/abc:inspectors
Wrapper for the list of inspectors.
/abc:UiPresentationArguments/abc:data/abc:inspectors/abc:inspector
An entry in the list of inspectors.
/abc:UiPresentationArguments/abc:data/abc:inspectors/abc:inspector/@uri
This element must contain the publicKeyUID of the public key of this inspector. The subsequent XML code must refer to this inspector by this uri.
/abc:UiPresentationArguments/abc:data/abc:inspectors/abc:inspector/abc:description
Wrapper for the list of friendly inspector descriptions. The contents of this list must be a copy of the list of friendlyInspectorDescriptions in the inspector public key of this inspector.
/abc:UiPresentationArguments/abc:data/abc:inspectors/abc:inspector/abc:description/abc:description
An entry in the list of friendly inspector descriptions. It must be a copy of the corresponding entry of friendlyInspectorDescriptions in the inspector public key of this particular inspector. The contents MUST be of the type /abc:CredentialSpecification/abc:FriendlyCredentialName.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy
Wrapper for the list of token candidates per policy.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy
An entry in the list of token candidates per policy. Each entry refers to one of the policy alternatives. Policy alternatives which cannot be satisfied are skipped.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/@policyId
An identifier for this tokenCandidatePerPolicy. It is assigned sequentially, and is needed in the return value.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:policy
A copy of the presentation policy to which this tokenCandidatePerPolicy refers. The contents MUST be of the type /abc:PresentationPolicyAlternatives/abc:PresentationPolicy.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates
Wrapper for the list of token candidates for this policy.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate
An entry in the list of token candidates for this policy. One token candidate is established for each acceptable credential assignment.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/@candidateId
An identifier for this token candidate. It is assigned sequentially, and reset for each policy. It is needed in the return value.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:tokenDescription
A partially filled out presentation token description for this candidate token. The pseudonym choice and the inspector choice are not yet set. The contents MUST be of the type /abc:PresentationToken/abc:PresentationTokenDescription.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:credentials
Wrapper for the list of credentials for this credential assignment of this candidate token. If no credentials need to be shown in this policy, then this list will be empty.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:credentials/abc:credential
An entry in the list of credentials for the credential assignment of this candidate token. The nth item in this list corresponds to the nth credential in the policy. Each entry is a wrapper for a reference to a credential.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:credentials/abc:credential/@ref
A reference to a credential. This refers to /abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential/@uri.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:pseudonymCandidates
A wrapper for a list of alternative pseudonym assignments for this candidate token. This list also includes pseudonym assignments containing newly established pseudonyms.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:pseudonymCandidates/abc:pseudonymCandidate
An entry in the list of alternative pseudonym assignments for this candidate token. The user interface has to choose one alternative among the ones proposed. If no pseudonyms need to be shown in this policy, then the list will contain exactly one pseudonym candidate (consisting of an empty list of pseudonyms).
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:pseudonymCandidates/abc:pseudonymCandidate/@candidateId
An identifier for this pseudonym candidate. It is assigned sequentially, and reset for each token candidate. It is needed in the return value.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:pseudonymCandidates/abc:pseudonymCandidate/abc:pseudonyms
A wrapper for the list of pseudonyms in this pseudonym candidate. If no pseudonyms need to be shown in this policy, then the list will be empty.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:pseudonymCandidates/abc:pseudonymCandidate/abc:pseudonyms/abc:pseudonym
An entry in the list of pseudonyms for this pseudonym candidate. The nth item in this list corresponds to the nth pseudonym in the policy. Each entry is a wrapper for a reference to a pseudonym.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:pseudonymCandidates/abc:pseudonymCandidate/abc:pseudonyms/abc:pseudonym/@ref
A reference to a pseudonym. It refers to /abc:UiPresentationArguments/abc:data/abc:pseudonyms/abc:pseudonym/@uri.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:revealedFacts
A wrapper for the list of revealed facts for this token candidate. One or more revealed facts may be created for each predicate in the presentation token, and describe what is being revealed on the cryptographic layer (which might be more information than can be deduced from the presentation token description alone).
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:revealedFacts/abc:revealedFact
An entry in the list of revealed facts for this token candidate.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:revealedFacts/abc:revealedFact/abc:descriptions
A wrapper for a list of human-readable descriptions of this revealed fact. The entries all contain the same description, with each entry being in a different language.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:revealedFacts/abc:revealedFact/abc:descriptions/abc:description
An entry in the list of human-readable descriptions of this revealed fact. The contents MUST be of the type /abc:CredentialSpecification/abc:FriendlyCredentialName.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:revealedAttributeValues
A wrapper for the list of revealed attribute values for this token candidate. There will be exactly one entry for each attribute whose value is being revealed to the verifier by the crypto engine (which might be more attributes than can be deduced from the presentation token description alone).
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:revealedAttributeValues/abc:revealedAttributeValue
An entry in the list of revealed attribute values for this token candidate.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:revealedAttributeValues/abc:revealedAttributeValue/abc:descriptions
A wrapper for the list of human-readable descriptions of this revealed attribute value. The entries all contain the same description, with each entry being in a different language.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:revealedAttributeValues/abc:revealedAttributeValue/abc:descriptions/abc:description
An entry in the list of human-readable descriptions of this revealed attribute. The contents MUST be of the type /abc:CredentialSpecification/abc:FriendlyCredentialName.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes
A wrapper for the list of inspectable attributes in this token candidate.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute
An entry in the list of inspectable attributes in this token candidate.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute/abc:credential
A wrapper for the reference to the credential which contains this inspectable attribute.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute/abc:credential/@ref
The reference to the credential which contains this inspectable attribute. It refers to /abc:UiPresentationArguments/abc:data/abc:credentials/abc:credential/@uri.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute/abc:attributeType
The attribute type of this inspectable attribute.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute/abc:dataHandlingPolicy
A copy of the data handling policy for this inspectable attribute.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute/abc:inspectionGrounds
A copy of the inspection grounds of this inspectable attribute.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute/abc:inspectorAlternatives
A wrapper for the list of inspector alternatives for this inspectable attribute. For each inspectable attribute, the user interface has to choose one inspector among this list.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute/abc:inspectorAlternatives/abc:inspectorAlternative
An entry in the list of inspector alternatives for this inspectable attribute. This entry is a wrapper to a reference to an inspector.
/abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute/abc:inspectorAlternatives/abc:inspectorAlternative/@ref
Reference to an inspector for this inspectable attribute among the list of possible alternatives. It refers to /abc:UiPresentationArguments/abc:data/abc:inspectors/abc:inspector/@uri.
<abc:UiPresentationReturn>
  <abc:chosenPolicy>xs:int</abc:chosenPolicy>
  <abc:chosenPresentationToken>xs:int</abc:chosenPresentationToken>
  <abc:metadataToChange>
    <abc:entry>
      <abc:key>xs:string</abc:key>
      <abc:value>...</abc:value>
    </abc:entry>*
  </abc:metadataToChange>
  <abc:chosenPseudonymList>xs:int</abc:chosenPseudonymList>?
  <abc:chosenInspectors>xs:string</abc:chosenInspectors>*
</abc:UiPresentationReturn>
/abc:UiPresentationReturn
This XML root Element is sent by the user interface back to the ABC Engine to complete identity selection for presentation. It contains the choice of credentials and pseudonyms that should be used to complete the presentation proof.
/abc:UiPresentationReturn/abc:chosenPolicy
The ID of the policy chosen by the user interface. It refers to /abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/@policyId.
/abc:UiPresentationReturn/abc:chosenPresentationToken
The ID of the presentation token candidate (within the selected policy) chosen by the user interface. It refers to /abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/@candidateId.
/abc:UiPresentationReturn/abc:metadataToChange
This element contains a list of entries (key-value pairs) of PseudonymMetadata that the user interface wishes to change. It should contain an entry for all newly created pseudonyms which were selected.
/abc:UiPresentationReturn/abc:metadataToChange/abc:entry
A key-value pair.
/abc:UiPresentationReturn/abc:metadataToChange/abc:entry/abc:key
The key corresponds to the pseudonymUID of the pseudonym whose metadata the user interface wishes to change. It refers to /abc:UiPresentationArguments/abc:data/abc:pseudonyms/abc:pseudonym/@uri.
/abc:UiPresentationReturn/abc:metadataToChange/abc:entry/abc:value
The value corresponds to the new metadata of the pseudonym. The ABC Engine will instruct the Credential Manager to replace the old metadata of that pseudonym by the given value. The user interface should take the value in /abc:UiPresentationArguments/abc:data/abc:pseudonyms/abc:pseudonym/abc:metadata as a template for creating the new metadata. The contents MUST be of the type /abc:PseudonymWithMetadata/abc:PseudonymMetadata.
/abc:UiPresentationReturn/abc:chosenPseudonymList
The ID of the chosen pseudonym candidate list (for the chosen candidate token). It refers to /abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:pseudonymCandidates/abc:pseudonymCandidate/@candidateId. If the policy does not require showing pseudonyms, then this field may be left out.
/abc:UiPresentationReturn/abc:chosenInspectors
The list of inspectors that the user interface chose. This list should contain one entry per inspectable attribute (for the chosen candidate token). For each inspectable attribute, one inspector should be chosen among the list of alternatives. The list entries must refer to /abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute/abc:inspectorAlternatives/abc:inspectorAlternative/@ref.
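As an added example that is not part of this specification or of the ABC4Trust code, the following Python checker enforces the rules stated above for abc:data (no entry appears twice, every entry is referenced at least once, every ref resolves) and checks that a UiPresentationReturn actually answers a UiPresentationArguments document (chosen policy and candidate ids exist, one inspector per inspectable attribute drawn from its alternatives, a pseudonym choice whenever pseudonyms are shown, metadataToChange keys naming declared pseudonyms). The abc namespace URI and every URI in the sample documents are assumptions.

```python
# Added example, not part of the specification: checks the referential rules this
# section states for UiPresentationArguments and for the UiPresentationReturn that
# answers it. The abc namespace URI and every URI in the sample XML are assumed.
import xml.etree.ElementTree as ET

ABC_NS = "http://abc4trust.eu/wp2/abcschemav1.0"  # assumed; take it from the schema file
NS = {"abc": ABC_NS}

# Constructed sample: one policy alternative with one token candidate that shows one
# credential, one newly created pseudonym and one inspectable attribute (two inspectors).
SAMPLE_ARGS = f"""<abc:UiPresentationArguments xmlns:abc="{ABC_NS}"><abc:data>
 <abc:credentialSpecifications><abc:credentialSpecification uri="urn:spec:idcard"><abc:spec/>
  </abc:credentialSpecification></abc:credentialSpecifications>
 <abc:issuers><abc:issuer uri="urn:issuer:gov"><abc:revocationAuthorityUri>urn:ra:gov</abc:revocationAuthorityUri>
  <abc:spec ref="urn:spec:idcard"/></abc:issuer></abc:issuers>
 <abc:revocationAuthorities><abc:revocationAuthority uri="urn:ra:gov"/></abc:revocationAuthorities>
 <abc:credentials><abc:credential uri="urn:cred:1"><abc:desc/><abc:revocationAuthority ref="urn:ra:gov"/>
  <abc:spec ref="urn:spec:idcard"/><abc:issuer ref="urn:issuer:gov"/></abc:credential></abc:credentials>
 <abc:pseudonyms><abc:pseudonym uri="urn:nym:new1"><abc:pseudonym/><abc:metadata/></abc:pseudonym></abc:pseudonyms>
 <abc:inspectors><abc:inspector uri="urn:insp:a"/><abc:inspector uri="urn:insp:b"/></abc:inspectors>
</abc:data><abc:tokenCandidatesPerPolicy><abc:tokenCandidatePerPolicy policyId="0"><abc:policy/>
 <abc:tokenCandidates><abc:tokenCandidate candidateId="0"><abc:tokenDescription/>
  <abc:credentials><abc:credential ref="urn:cred:1"/></abc:credentials>
  <abc:pseudonymCandidates><abc:pseudonymCandidate candidateId="0">
   <abc:pseudonyms><abc:pseudonym ref="urn:nym:new1"/></abc:pseudonyms></abc:pseudonymCandidate>
  </abc:pseudonymCandidates>
  <abc:inspectableAttributes><abc:inspectableAttribute><abc:credential ref="urn:cred:1"/>
   <abc:attributeType>http://example.com/firstname</abc:attributeType>
   <abc:inspectorAlternatives><abc:inspectorAlternative ref="urn:insp:a"/>
    <abc:inspectorAlternative ref="urn:insp:b"/></abc:inspectorAlternatives>
  </abc:inspectableAttribute></abc:inspectableAttributes>
 </abc:tokenCandidate></abc:tokenCandidates></abc:tokenCandidatePerPolicy>
</abc:tokenCandidatesPerPolicy></abc:UiPresentationArguments>"""

# Constructed answer from the user interface after identity selection.
SAMPLE_RETURN = f"""<abc:UiPresentationReturn xmlns:abc="{ABC_NS}">
 <abc:chosenPolicy>0</abc:chosenPolicy><abc:chosenPresentationToken>0</abc:chosenPresentationToken>
 <abc:metadataToChange><abc:entry><abc:key>urn:nym:new1</abc:key><abc:value/></abc:entry></abc:metadataToChange>
 <abc:chosenPseudonymList>0</abc:chosenPseudonymList><abc:chosenInspectors>urn:insp:b</abc:chosenInspectors>
</abc:UiPresentationReturn>"""


def check_arguments(xml_text):
    """Violations of the abc:data rules (no duplicate entry, every entry referenced at
    least once, every ref resolvable). An empty list means the document is consistent."""
    root, problems = ET.fromstring(xml_text), []
    declared = {}  # an element under abc:data carrying uri="..." declares an entry
    for el in root.find("abc:data", NS).iter():
        uri = el.get("uri")
        if uri is not None:
            if uri in declared:
                problems.append(f"data entry {uri} appears twice")
            declared[uri] = el
    referenced = {el.get("ref") for el in root.iter() if el.get("ref") is not None}
    problems += [f"dangling reference {r}" for r in sorted(referenced - set(declared))]
    problems += [f"unreferenced data entry {u}" for u in declared if u not in referenced]
    return problems


def check_return(args_xml, ret_xml):
    """Ways in which a UiPresentationReturn fails to answer the given arguments."""
    args, ret, problems = ET.fromstring(args_xml), ET.fromstring(ret_xml), []
    pid = ret.findtext("abc:chosenPolicy", namespaces=NS)
    pol = next((p for p in args.findall("abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy", NS)
                if p.get("policyId") == pid), None)
    if pol is None:
        return [f"chosenPolicy {pid} does not exist"]
    cid = ret.findtext("abc:chosenPresentationToken", namespaces=NS)
    cand = next((c for c in pol.findall("abc:tokenCandidates/abc:tokenCandidate", NS)
                 if c.get("candidateId") == cid), None)
    if cand is None:
        return [f"chosenPresentationToken {cid} does not exist in policy {pid}"]
    # pseudonym choice may only be omitted when no pseudonym is shown (one empty candidate)
    nym_cands = cand.findall("abc:pseudonymCandidates/abc:pseudonymCandidate", NS)
    nym_choice = ret.findtext("abc:chosenPseudonymList", namespaces=NS)
    if nym_choice is None:
        if any(nc.find("abc:pseudonyms/abc:pseudonym", NS) is not None for nc in nym_cands):
            problems.append("chosenPseudonymList missing although pseudonyms must be shown")
    elif nym_choice not in {nc.get("candidateId") for nc in nym_cands}:
        problems.append(f"chosenPseudonymList {nym_choice} does not exist")
    # exactly one inspector per inspectable attribute, taken from that attribute's alternatives
    attrs = cand.findall("abc:inspectableAttributes/abc:inspectableAttribute", NS)
    chosen = [e.text for e in ret.findall("abc:chosenInspectors", NS)]
    if len(chosen) != len(attrs):
        problems.append(f"{len(chosen)} inspectors chosen for {len(attrs)} inspectable attributes")
    for attr, insp in zip(attrs, chosen):
        alts = {a.get("ref") for a in attr.findall("abc:inspectorAlternatives/abc:inspectorAlternative", NS)}
        if insp not in alts:
            problems.append(f"inspector {insp} is not among the alternatives {sorted(alts)}")
    # metadataToChange keys must name pseudonyms declared in abc:data
    nyms = {p.get("uri") for p in args.findall("abc:data/abc:pseudonyms/abc:pseudonym", NS)}
    for entry in ret.findall("abc:metadataToChange/abc:entry", NS):
        key = entry.findtext("abc:key", namespaces=NS)
        if key not in nyms:
            problems.append(f"metadataToChange key {key} is not a pseudonym in abc:data")
    return problems
```

Running both checks before handing a return value to the ABC Engine catches the mismatches the specification leaves to the implementer: a stale reference into abc:data, a missing pseudonym choice, or an inspector that was not offered for that attribute.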
<abc:UiIssuanceArguments>
  <abc:data>...</abc:data>
  <abc:tokenCandidates>...</abc:tokenCandidates>
  <abc:policy>...</abc:policy>
</abc:UiIssuanceArguments>
/abc:UiIssuanceArguments
This XML root Element is sent by the ABC Engine to the user interface to perform identity selection for issuance. The user interface must then choose which combination of credentials and/or pseudonyms, all satisfying the policy, should be used to complete the issuance proof.
/abc:UiIssuanceArguments/abc:data
See /abc:UiPresentationArguments/abc:data.
/abc:UiIssuanceArguments/abc:tokenCandidates
The semantics of this element are analogous to /abc:UiPresentationArguments/abc:tokenCandidatesPerPolicy/abc:tokenCandidatePerPolicy/abc:tokenCandidates, except that they refer to the unique issuance policy instead of one alternative of the presentation policies. References therein point to /abc:UiIssuanceArguments/abc:data and not to /abc:UiPresentationArguments/abc:data.
/abc:UiIssuanceArguments/abc:policy
This element contains a copy of the issuance policy. The contents MUST be of the type /abc:IssuancePolicy.
<abc:UiIssuanceReturn>
  <abc:chosenIssuanceToken>xs:int</abc:chosenIssuanceToken>
  <abc:metadataToChange>
    <abc:entry>
      <abc:key>xs:string</abc:key>
      <abc:value>...</abc:value>
    </abc:entry>*
  </abc:metadataToChange>
  <abc:chosenPseudonymList>xs:int</abc:chosenPseudonymList>?
  <abc:chosenInspectors>xs:string</abc:chosenInspectors>*
</abc:UiIssuanceReturn>
/abc:UiIssuanceReturn
This XML root Element is sent by the user interface back to the ABC Engine to complete identity selection for issuance. It contains the choice of credentials and pseudonyms that should be used to complete the issuance proof.
/abc:UiIssuanceReturn/abc:chosenIssuanceToken
The ID of the issuance token candidate chosen by the user interface. It refers to /abc:UiIssuanceArguments/abc:tokenCandidates/abc:tokenCandidate/@candidateId.
/abc:UiIssuanceReturn/abc:metadataToChange
See /abc:UiPresentationReturn/abc:metadataToChange.
/abc:UiIssuanceReturn/abc:metadataToChange/abc:entry
See /abc:UiPresentationReturn/abc:metadataToChange/abc:entry.
/abc:UiIssuanceReturn/abc:metadataToChange/abc:entry/abc:key
The key corresponds to the pseudonymUID of the pseudonym whose metadata the user interface wishes to change. It refers to /abc:UiIssuanceArguments/abc:data/abc:pseudonyms/abc:pseudonym/@uri.
/abc:UiIssuanceReturn/abc:metadataToChange/abc:entry/abc:value
The value corresponds to the new metadata of the pseudonym. The ABC Engine will instruct the Credential Manager to replace the old metadata of that pseudonym by the given value. The user interface should take the value in /abc:UiIssuanceArguments/abc:data/abc:pseudonyms/abc:pseudonym/abc:metadata as a template for creating the new metadata. The contents MUST be of the type /abc:PseudonymWithMetadata/abc:PseudonymMetadata.
/abc:UiIssuanceReturn/abc:chosenPseudonymList
The ID of the chosen pseudonym candidate list (for the chosen candidate token). It refers to /abc:UiIssuanceArguments/abc:tokenCandidates/abc:tokenCandidate/abc:pseudonymCandidates/abc:pseudonymCandidate/@candidateId. If no pseudonym needs to be shown for this policy, this field may be left out.
/abc:UiIssuanceReturn/abc:chosenInspectors
The list of inspectors that the user interface chose. This list should contain one entry per inspectable attribute (for the chosen candidate token). For each inspectable attribute, one inspector should be chosen among the list of alternatives. The list entries must refer to /abc:UiIssuanceArguments/abc:tokenCandidates/abc:tokenCandidate/abc:inspectableAttributes/abc:inspectableAttribute/abc:inspectorAlternatives/abc:inspectorAlternative/@ref.
<xs:complexType name="attributeInfoCollection">
<xs:sequence>
<xs:element ref="ns1:name"/>
<xs:element ref="ns1:attributes"/>
</xs:sequence>
</xs:complexType>
A collection of attribute information.
name
Name of the collection.
attributes
The attributes of the collection.
<xs:complexType name="attributeInformation">
<xs:sequence>
<xs:element ref="ns1:name"/>
<xs:element ref="ns1:mapping"/>
<xs:element ref="ns1:encoding"/>
<xs:element ref="ns1:friendly-descriptions"/>
</xs:sequence>
</xs:complexType>
name
Name of the attribute.
mapping
Mapping of the attribute (specifies to which p2abc type this attribute will be mapped).
encoding
Encoding of the attribute (specifies which p2abc encoding will be used to encode the attribute's value).
friendly-descriptions
List of friendly descriptions.
<xs:complexType name="languageValuePair">
<xs:sequence>
<xs:element ref="ns1:language"/>
<xs:element ref="ns1:value"/>
</xs:sequence>
</xs:complexType>
Essentially a key-value pair, with the language as the key and the localized text as the value.
Contains the information required for authentication. Abstract type.
<xs:complexType name="authenticationInformation" abstract="true">
<xs:sequence/>
</xs:complexType>
A request for authentication.
<xs:complexType name="authenticationRequest">
<xs:sequence>
<xs:element ref="ns1:auth-info-simple"/>
</xs:sequence>
</xs:complexType>
auth-info-simple
Simple authentication information.
<xs:complexType name="authInfoSimple">
<xs:complexContent>
<xs:extension base="authenticationInformation">
<xs:sequence>
<xs:element ref="ns1:username"/>
<xs:element ref="ns1:password"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
username
Username (plaintext).
password
Password (plaintext). Both values are carried unencoded inside the request artifact, so the artifact must only be sent over an authenticated, encrypted channel, and services should not write it to logs.
A collection of credentials.
<xs:complexType name="credentialCollection">
<xs:sequence>
<xs:element ref="ns1:credentials"/>
</xs:sequence>
</xs:complexType>
Request to issue a credential.
<xs:complexType name="issuanceRequest">
<xs:sequence>
<xs:element ref="ns1:auth-request"/>
<xs:element ref="ns1:credential-specification-uid"/>
</xs:sequence>
</xs:complexType>
auth-request
Authentication request (Issuance requires authentication).
credential-specification-uid
UID of the credential specification used to issue the credential.
Collection of PresentationPolicyAlternatives.
<xs:complexType name="presentationPolicyAlternativesCollection">
<xs:sequence>
<xs:element ref="ns1:presentation-policy-alternatives-list"/>
<xs:element ref="ns1:uris" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ns1:redirect-uris" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
presentation-policy-alternatives-list
List of PresentationPolicyAlternatives.
uris
List of resource URIs.
redirect-uris
List of redirect URIS.
Note: The three lists are parallel, so their order must match. That is, the first element in redirect-uris is the redirect URI, and the first element in uris is the resource URI, for the first element in presentation-policy-alternatives-list.
<xs:complexType name="queryRuleCollection">
<xs:sequence>
<xs:element ref="ns1:query-rules"/>
<xs:element ref="ns1:uris" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
Collection of QueryRules.
query-rules
List of QueryRules.
uris
List of CredentialSpecification URIs.
Note: The two lists are parallel, so their order must match: the first element in uris is the CredentialSpecification URI for the first QueryRule in query-rules.
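Both presentationPolicyAlternativesCollection and queryRuleCollection express their associations purely by position, so a list that is one element short does not fail: it silently shifts every later policy onto the wrong resource and redirect URI, or the wrong query onto a credential specification. The parser below, an added example that is not code from the specification or from p2abcengine, turns both collections into explicit mappings and refuses a document whose lists disagree in length. Element names are taken from the complexTypes above; the ns1 namespace URI, the inner structure of each presentation-policy-alternatives entry and of query-rules, and every URI in the constructed sample documents are assumptions.

```python
"""Resolve the parallel lists of the two collection artifacts into explicit
mappings. Added example; not code from the specification or from p2abcengine."""
import xml.etree.ElementTree as ET

NS1 = "urn:example:ns1"   # placeholder for the ns1 namespace URI (assumption)


def local(tag: str) -> str:
    """Local name of a possibly namespace-qualified ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def children(el, name: str) -> list:
    return [c for c in el if local(c.tag) == name]


def texts(el, name: str) -> list:
    return [(c.text or "").strip() for c in children(el, name)]


def _require_parallel(expected: int, what: str, optional: bool, **lists) -> None:
    """Refuse to zip lists of different length; an empty optional list is allowed."""
    for name, lst in lists.items():
        if (lst or not optional) and len(lst) != expected:
            raise ValueError(f"{what}: {name} has {len(lst)} entries, expected {expected}")


def policy_table(xml_text: str) -> list:
    """[(policy_uid, resource_uri, redirect_uri), ...] in list order."""
    root = ET.fromstring(xml_text)
    lst = children(root, "presentation-policy-alternatives-list")
    entries = list(lst[0]) if lst else []
    uris, redirects = texts(root, "uris"), texts(root, "redirect-uris")
    _require_parallel(len(entries), "presentation-policy-alternatives-collection",
                      True, uris=uris, redirect_uris=redirects)
    uids = []
    for entry in entries:   # assumed: each entry wraps PresentationPolicy elements
        pols = children(entry, "PresentationPolicy")
        uids.append(pols[0].get("PolicyUID") if pols else None)
    n = len(uids)
    return list(zip(uids, uris or [None] * n, redirects or [None] * n))


def query_rules(xml_text: str) -> dict:
    """{credential_specification_uri: query_string}."""
    root = ET.fromstring(xml_text)
    qr = children(root, "query-rules")
    rules = children(qr[0], "query-rule") if qr else []
    strings = [next(iter(texts(r, "query-string")), "") for r in rules]
    uris = texts(root, "uris")
    _require_parallel(len(rules), "query-rule-collection", False, uris=uris)
    return dict(zip(uris, strings))


# Constructed sample: two policies, each with its resource and redirect URI.
POLICIES_XML = f"""<presentation-policy-alternatives-collection xmlns="{NS1}">
  <presentation-policy-alternatives-list>
    <presentation-policy-alternatives><PresentationPolicy PolicyUID="urn:policy:over18"/></presentation-policy-alternatives>
    <presentation-policy-alternatives><PresentationPolicy PolicyUID="urn:policy:staff"/></presentation-policy-alternatives>
  </presentation-policy-alternatives-list>
  <uris>https://shop.example/adult</uris>
  <uris>https://shop.example/backoffice</uris>
  <redirect-uris>https://shop.example/adult/welcome</redirect-uris>
  <redirect-uris>https://shop.example/backoffice/home</redirect-uris>
</presentation-policy-alternatives-collection>"""

# The same document with the first redirect dropped: a naive zip would send
# the staff policy's users to the adult welcome page; the parser refuses it.
SHIFTED_XML = POLICIES_XML.replace(
    "  <redirect-uris>https://shop.example/adult/welcome</redirect-uris>\n", "")

# Constructed sample: one query rule per credential specification.
RULES_XML = f"""<query-rule-collection xmlns="{NS1}">
  <query-rules>
    <query-rule><query-string>SELECT birthdate, email FROM users WHERE uid = ?</query-string></query-rule>
    <query-rule><query-string>ou=staff</query-string></query-rule>
  </query-rules>
  <uris>urn:credspec:idcard</uris>
  <uris>urn:credspec:staffcard</uris>
</query-rule-collection>"""


if __name__ == "__main__":
    for row in policy_table(POLICIES_XML):
        print(row)
    print(query_rules(RULES_XML))
    try:
        policy_table(SHIFTED_XML)
    except ValueError as e:
        print("rejected:", e)
```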
<xs:complexType name="queryRule">
<xs:sequence>
<xs:element ref="ns1:query-string"/>
</xs:sequence>
</xs:complexType>
Contains the query string that the Attribute*Providers use to retrieve the attribute values. How the string is interpreted is provider dependent.
query-string
Query string.
<xs:complexType name="settings">
<xs:sequence>
<xs:element ref="ns1:credential-specification-list"/>
<xs:element ref="ns1:issuer-parameters-list"/>
<xs:element name="system-parameters" type="ns1:SystemParameters" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
Settings used to configure the other services consistently with the issuance service.
credential-specification-list
List of all credential specifications.
issuer-parameters-list
List of all issuer parameters.
system-parameters
The system parameters.
Given below are the schemas as XSD to which all artifacts exchanged by services and p2abcengine conform.
<xs:import schemaLocation="schema2.xsd"/>
<xs:element name="ABCEBoolean" type="tns:ABCEBoolean"/>
<xs:element name="ApplicationData" type="tns:ApplicationData"/>
<xs:element name="Attribute" type="tns:Attribute"/>
<xs:element name="AttributeDescription" type="tns:AttributeDescription"/>
<xs:element name="AttributeDescriptions" type="tns:AttributeDescriptions"/>
<xs:element name="AttributeInLogEntry" type="tns:AttributeInLogEntry"/>
<xs:element name="AttributeInToken" type="tns:AttributeInToken"/>
<xs:element name="AttributeList" type="tns:AttributeList"/>
<xs:element name="AttributePredicate" type="tns:AttributePredicate"/>
<xs:element name="BigIntegerParameter" type="tns:BigIntegerParameter"/>
<xs:element name="CandidateIssuanceToken" type="tns:CandidateIssuanceToken"/>
<xs:element name="CandidateIssuanceTokenList" type="tns:CandidateIssuanceTokenList"/>
<xs:element name="CandidatePresentationToken" type="tns:CandidatePresentationToken"/>
<xs:element name="CandidatePresentationTokenList" type="tns:CandidatePresentationTokenList"/>
<xs:element name="CarriedOverAttribute" type="tns:CarriedOverAttribute"/>
<xs:element name="CommittedAttribute" type="tns:CommittedAttribute"/>
<xs:element name="CommittedKey" type="tns:CommittedKey"/>
<xs:element name="Credential" type="tns:Credential"/>
<xs:element name="CredentialDescription" type="tns:CredentialDescription"/>
<xs:element name="CredentialDescriptions" type="tns:CredentialDescriptions"/>
<xs:element name="CredentialDescriptionsEntry" type="tns:CredentialDescriptionsEntry"/>
<xs:element name="CredentialInToken" type="tns:CredentialInToken"/>
<xs:element name="CredentialInTokenWithCommitments" type="tns:CredentialInTokenWithCommitments"/>
<xs:element name="CredentialSpecification" type="tns:CredentialSpecification"/>
<xs:element name="CredentialSpecificationAndSystemParameters" type="tns:CredentialSpecificationAndSystemParameters"/>
<xs:element name="CredentialTemplate" type="tns:CredentialTemplate"/>
<xs:element name="CredentialUidList" type="tns:CredentialUidList"/>
<xs:element name="CryptoParams" type="tns:CryptoParams"/>
<xs:element name="Error" type="tns:Error"/>
<xs:element name="FriendlyDescription" type="tns:FriendlyDescription"/>
<xs:element name="InspectorChoiceList" type="tns:InspectorChoiceList"/>
<xs:element name="InspectorDescription" type="tns:InspectorDescription"/>
<xs:element name="InspectorDescriptions" type="tns:InspectorDescriptions"/>
<xs:element name="InspectorDescriptionsEntry" type="tns:InspectorDescriptionsEntry"/>
<xs:element name="InspectorPublicKey" type="tns:InspectorPublicKey"/>
<xs:element name="InspectorSecretKey" type="tns:SecretKey"/>
<xs:element name="IntegerParameter" type="tns:IntegerParameter"/>
<xs:element name="IssuanceLogEntry" type="tns:IssuanceLogEntry"/>
<xs:element name="IssuanceMessage" type="tns:IssuanceMessage"/>
<xs:element name="IssuanceMessageAndBoolean" type="tns:IssuanceMessageAndBoolean"/>
<xs:element name="IssuancePolicy" type="tns:IssuancePolicy"/>
<xs:element name="IssuancePolicyAndAttributes" type="tns:IssuancePolicyAndAttributes"/>
<xs:element name="IssuanceProtocolMetadata" type="tns:IssuanceProtocolMetadata"/>
<xs:element name="IssuanceToken" type="tns:IssuanceToken"/>
<xs:element name="IssuerParameters" type="tns:IssuerParameters"/>
<xs:element name="IssuerParametersInput" type="tns:IssuerParametersInput"/>
<xs:element name="IssuerPublicKeyTemplate" type="tns:IssuerPublicKeyTemplate"/>
<xs:element name="IssuerSecretKey" type="tns:SecretKey"/>
<xs:element name="JointlyRandomAttribute" type="tns:JointlyRandomAttribute"/>
<xs:element name="KeyBindingInfo" type="tns:KeyBindingInfo"/>
<xs:element name="KeyPair" type="tns:KeyPair"/>
<xs:element name="Message" type="tns:Message"/>
<xs:element name="Metadata" type="tns:Metadata"/>
<xs:element name="NonRevocationEvidence" type="tns:NonRevocationEvidence"/>
<xs:element name="NonRevocationEvidenceUpdate" type="tns:NonRevocationEvidenceUpdate"/>
<xs:element name="Parameter" type="tns:Parameter"/>
<xs:element name="PolicyDescription" type="tns:PolicyDescription"/>
<xs:element name="PolicyDescriptions" type="tns:PolicyDescriptions"/>
<xs:element name="PolicyDescriptionsEntry" type="tns:PolicyDescriptionsEntry"/>
<xs:element name="PresentationPolicy" type="tns:PresentationPolicy"/>
<xs:element name="PresentationPolicyAlternatives" type="tns:PresentationPolicyAlternatives"/>
<xs:element name="PresentationPolicyAlternativesAndPresentationToken" type="tns:PresentationPolicyAlternativesAndPresentationToken"/>
<xs:element name="PresentationToken" type="tns:PresentationToken"/>
<xs:element name="PresentationTokenDescription" type="tns:PresentationTokenDescription"/>
<xs:element name="PresentationTokenDescriptionWithCommitments" type="tns:PresentationTokenDescriptionWithCommitments"/>
<xs:element name="PresentationTokenWithCommitments" type="tns:PresentationTokenWithCommitments"/>
<xs:element name="PrivateKey" type="tns:PrivateKey"/>
<xs:element name="Pseudonym" type="tns:Pseudonym"/>
<xs:element name="PseudonymChoiceList" type="tns:PseudonymChoiceList"/>
<xs:element name="PseudonymDescription" type="tns:PseudonymDescription"/>
<xs:element name="PseudonymDescriptionValue" type="tns:PseudonymDescriptionValue"/>
<xs:element name="PseudonymDescriptions" type="tns:PseudonymDescriptions"/>
<xs:element name="PseudonymDescriptionsEntry" type="tns:PseudonymDescriptionsEntry"/>
<xs:element name="PseudonymInPolicy" type="tns:PseudonymInPolicy"/>
<xs:element name="PseudonymInToken" type="tns:PseudonymInToken"/>
<xs:element name="PseudonymMetadata" type="tns:PseudonymMetadata"/>
<xs:element name="PseudonymValue" type="xs:base64Binary"/>
<xs:element name="PseudonymWithMetadata" type="tns:PseudonymWithMetadata"/>
<xs:element name="PublicKey" type="tns:PublicKey"/>
<xs:element name="RevocationAuthorityParameters" type="tns:RevocationAuthorityParameters"/>
<xs:element name="RevocationAuthoritySecretKey" type="tns:SecretKey"/>
<xs:element name="RevocationHistory" type="tns:RevocationHistory"/>
<xs:element name="RevocationInformation" type="tns:RevocationInformation"/>
<xs:element name="RevocationMessage" type="tns:RevocationMessage"/>
<xs:element name="RevocationReferences" type="tns:RevocationReferences"/>
<xs:element name="ScopeExclusivePseudonym" type="tns:ScopeExclusivePseudonym"/>
<xs:element name="Secret" type="tns:Secret"/>
<xs:element name="SecretDescription" type="tns:SecretDescription"/>
<xs:element name="SelectIssuanceTokenDescription" type="tns:SelectIssuanceTokenDescription"/>
<xs:element name="SelectPresentationTokenDescription" type="tns:SelectPresentationTokenDescription"/>
<xs:element name="Signature" type="tns:Signature"/>
<xs:element name="SignatureToken" type="tns:SignatureToken"/>
<xs:element name="SmartcardPinRequests" type="tns:SmartcardPinRequests"/>
<xs:element name="SmartcardSystemParameters" type="tns:SmartcardSystemParameters"/>
<xs:element name="StandardPseudonym" type="tns:StandardPseudonym"/>
<xs:element name="StringParameter" type="tns:StringParameter"/>
<xs:element name="SystemParameters" type="tns:SystemParameters"/>
<xs:element name="SystemParametersTemplate" type="tns:SystemParametersTemplate"/>
<xs:element name="TestApplicationData" type="tns:TestApplicationData"/>
<xs:element name="TestCryptoParams" type="tns:TestCryptoParams"/>
<xs:element name="TestIssuanceMessage" type="tns:TestIssuanceMessage"/>
<xs:element name="TestReference" type="tns:TestReference"/>
<xs:element name="TestSystemParameters" type="tns:TestSystemParameters"/>
<xs:element name="Token" type="tns:Token"/>
<xs:element name="URISet" type="tns:URISet"/>
<xs:element name="UnknownAttributes" type="tns:UnknownAttributes"/>
<xs:element name="UriParameter" type="tns:UriParameter"/>
<xs:element name="VerificationCall" type="tns:VerificationCall"/>
<xs:element name="VerifierIdentity" type="tns:VerifierIdentity"/>
<xs:element name="VerifierParameters" type="tns:VerifierParameters"/>
<xs:element name="VerifierParametersTemplate" type="tns:VerifierParametersTemplate"/>
<xs:element name="ZkProof" type="tns:ZkProof"/>
<xs:element name="attribute" type="attributeInformation"/>
<xs:element name="attribute-info-collection" type="attributeInfoCollection"/>
<xs:element name="auth-info" type="authenticationInformation"/>
<xs:element name="auth-info-simple" type="authInfoSimple"/>
<xs:element name="auth-request" type="authenticationRequest"/>
<xs:element name="credential" type="tns:Credential"/>
<xs:element name="credential-collection" type="credentialCollection"/>
<xs:element name="credential-specification" type="tns:CredentialSpecification"/>
<xs:element name="credential-specification-uid" type="xs:string"/>
<xs:element name="encoding" type="xs:string"/>
<xs:element name="friendly-description" type="languageValuePair"/>
<xs:element name="issuance-request" type="issuanceRequest"/>
<xs:element name="issuer-parameters" type="tns:IssuerParameters"/>
<xs:element name="langValuePair" type="languageValuePair"/>
<xs:element name="language" type="xs:string"/>
<xs:element name="mapping" type="xs:string"/>
<xs:element name="name" type="xs:string"/>
<xs:element name="password" type="xs:string"/>
<xs:element name="presentation-policy-alternatives" type="tns:PresentationPolicyAlternatives"/>
<xs:element name="presentation-policy-alternatives-collection" type="presentationPolicyAlternativesCollection"/>
<xs:element name="query-rule" type="queryRule"/>
<xs:element name="query-rule-collection" type="queryRuleCollection"/>
<xs:element name="query-string" type="xs:string"/>
<xs:element name="redirect-uris" type="xs:string"/>
<xs:element name="settings" type="settings"/>
<xs:element name="uris" type="xs:string"/>
<xs:element name="username" type="xs:string"/>
<xs:element name="value" type="xs:string"/>
<xs:complexType name="ABCEBoolean">
<xs:sequence/>
<xs:attribute name="value" type="xs:boolean"/>
</xs:complexType>
<xs:complexType name="adapter1">
<xs:complexContent>
<xs:extension base="xmlAdapter">
<xs:sequence/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="adapter2">
<xs:complexContent>
<xs:extension base="xmlAdapter">
<xs:sequence/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="adapter3">
<xs:complexContent>
<xs:extension base="xmlAdapter">
<xs:sequence/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="adapter4">
<xs:complexContent>
<xs:extension base="xmlAdapter">
<xs:sequence/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="ApplicationData" mixed="true">
<xs:sequence>
<xs:any processContents="lax" namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="AttributeInPolicy">
<xs:sequence>
<xs:element name="InspectorAlternatives" minOccurs="0">
<xs:complexType>
<xs:sequence>
<xs:element name="InspectorPublicKeyUID" type="xs:anyURI" form="unqualified" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="InspectionGrounds" type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="AttributeType" type="xs:anyURI" use="required"/>
<xs:attribute name="DataHandlingPolicy" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="CredentialInPolicy">
<xs:sequence>
<xs:element name="CredentialSpecAlternatives">
<xs:complexType>
<xs:sequence>
<xs:element name="CredentialSpecUID" type="xs:anyURI" form="unqualified" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="IssuerAlternatives">
<xs:complexType>
<xs:sequence>
<xs:element name="IssuerParametersUID" form="unqualified" maxOccurs="unbounded">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="RevocationInformationUID" type="xs:anyURI"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DisclosedAttribute" type="tns:AttributeInPolicy" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Alias" type="xs:anyURI"/>
<xs:attribute name="SameKeyBindingAs" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="AttributePredicate">
<xs:sequence>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="Attribute">
<xs:complexType>
<xs:sequence/>
<xs:attribute name="CredentialAlias" type="xs:anyURI" use="required"/>
<xs:attribute name="AttributeType" type="xs:anyURI" use="required"/>
<xs:attribute name="DataHandlingPolicy" type="xs:anyURI"/>
</xs:complexType>
</xs:element>
<xs:element name="ConstantValue" type="xs:anyType"/>
</xs:choice>
</xs:sequence>
<xs:attribute name="Function" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="SecretDescription">
<xs:sequence>
<xs:element name="SecretUID" type="xs:anyURI"/>
<xs:element name="FriendlySecretDescription" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="Metadata" type="tns:Metadata" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="DeviceBoundSecret" type="xs:boolean"/>
</xs:complexType>
<xs:complexType name="FriendlyDescription">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="lang" type="xs:language" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="Metadata">
<xs:sequence>
<xs:any processContents="lax" namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="IssuancePolicyAndAttributes">
<xs:sequence>
<xs:element name="IssuancePolicy" type="tns:IssuancePolicy"/>
<xs:element name="Attribute" type="tns:Attribute" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="IssuancePolicy">
<xs:sequence>
<xs:element name="PresentationPolicy" type="tns:PresentationPolicy"/>
<xs:element name="CredentialTemplate" type="tns:CredentialTemplate"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="PresentationPolicy">
<xs:sequence>
<xs:element name="Message" type="tns:Message" minOccurs="0"/>
<xs:element name="Pseudonym" type="tns:PseudonymInPolicy" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="Credential" type="tns:CredentialInPolicy" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AttributePredicate" type="tns:AttributePredicate" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="VerifierDrivenRevocation" type="tns:VerifierDrivenRevocationInPolicy" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="PolicyUID" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="Message">
<xs:sequence>
<xs:element name="Nonce" type="xs:base64Binary" minOccurs="0"/>
<xs:element name="FriendlyPolicyName" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="FriendlyPolicyDescription" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="VerifierIdentity" type="tns:VerifierIdentity" minOccurs="0"/>
<xs:element name="ApplicationData" type="tns:ApplicationData" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="VerifierIdentity" mixed="true">
<xs:sequence>
<xs:any processContents="lax" namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PseudonymInPolicy">
<xs:sequence>
<xs:element name="PseudonymValue" type="xs:base64Binary" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="Exclusive" type="xs:boolean"/>
<xs:attribute name="Scope" type="xs:string" use="required"/>
<xs:attribute name="Alias" type="xs:anyURI"/>
<xs:attribute name="SameKeyBindingAs" type="xs:anyURI"/>
<xs:attribute name="Established" type="xs:boolean"/>
</xs:complexType>
<xs:complexType name="VerifierDrivenRevocationInPolicy">
<xs:sequence>
<xs:element name="RevocationParametersUID" type="xs:anyURI"/>
<xs:element name="Attribute" type="tns:AttributeInRevocation" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="AttributeInRevocation">
<xs:sequence/>
<xs:attribute name="AttributeType" type="xs:anyURI" use="required"/>
<xs:attribute name="CredentialAlias" type="xs:anyURI" use="required"/>
</xs:complexType>
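The XSD above types Alias, CredentialAlias and SameKeyBindingAs as xs:anyURI but cannot express that they must point at a Pseudonym or Credential declared in the same PresentationPolicy, nor that a Credential must not be key-bound to itself. A policy that passes schema validation can therefore still be unusable or, worse, weaker than intended. The checker below is an added example, not code from the specification or from p2abcengine, and performs those cross-reference checks on a constructed policy; the last two rules (a Message/Nonce is present, every inspectable DisclosedAttribute states InspectionGrounds) are lint rules chosen for this example, since the schema makes both elements optional. The namespace URI bound to tns and every identifier in the sample policy are assumptions.

```python
"""Cross-reference and lint checks on a PresentationPolicy that the XSD alone
cannot express. Added example; not code from the specification or from p2abcengine."""
import xml.etree.ElementTree as ET

TNS = "http://abc4trust.eu/wp2/abcschemav1.0"   # assumed URI for the tns prefix


def local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def kids(el, name: str) -> list:
    return [c for c in el if local(c.tag) == name]


def descendants(el, name: str) -> list:
    return [c for c in el.iter() if local(c.tag) == name]


def lint_policy(xml_text: str) -> list:
    """Return [(level, message)] with level 'error' (reject) or 'warn' (review)."""
    pol = ET.fromstring(xml_text)
    out = []
    nym_aliases = [p.get("Alias") for p in kids(pol, "Pseudonym") if p.get("Alias")]
    cred_aliases = [c.get("Alias") for c in kids(pol, "Credential") if c.get("Alias")]
    declared = nym_aliases + cred_aliases
    for alias in set(declared):
        if declared.count(alias) > 1:
            out.append(("error", f"alias {alias} declared more than once"))

    # Predicates and verifier-driven revocation may only name declared credentials.
    for where in ("AttributePredicate", "VerifierDrivenRevocation"):
        for holder in kids(pol, where):
            for attr in kids(holder, "Attribute"):
                ref = attr.get("CredentialAlias")
                if ref not in cred_aliases:
                    out.append(("error", f"{where} refers to undeclared credential alias {ref}"))

    # SameKeyBindingAs must name a different, declared pseudonym or credential alias.
    for el in kids(pol, "Pseudonym") + kids(pol, "Credential"):
        skb = el.get("SameKeyBindingAs")
        if skb is not None and (skb not in declared or skb == el.get("Alias")):
            out.append(("error", f"SameKeyBindingAs={skb} on {local(el.tag)} "
                                 "does not name another declared alias"))

    # Lint: without a verifier nonce the resulting token is not bound to this session.
    msg = kids(pol, "Message")
    if not msg or not kids(msg[0], "Nonce"):
        out.append(("warn", "no Message/Nonce: presentation token could be replayed"))

    # Lint: an attribute the verifier may have inspected should state why.
    for da in descendants(pol, "DisclosedAttribute"):
        if kids(da, "InspectorAlternatives") and not kids(da, "InspectionGrounds"):
            out.append(("warn", f"inspectable attribute {da.get('AttributeType')} "
                                "has no InspectionGrounds"))
    return out


# Constructed sample policy: prove age from an ID card, bound to a scope-exclusive
# pseudonym, with the e-mail attribute disclosed under inspection.
GOOD_POLICY = f"""<PresentationPolicy xmlns="{TNS}" PolicyUID="urn:policy:over18">
  <Message><Nonce>c2Vzc2lvbi1ub25jZQ==</Nonce></Message>
  <Pseudonym Scope="https://shop.example" Exclusive="true" Alias="#nym"/>
  <Credential Alias="#idcard" SameKeyBindingAs="#nym">
    <CredentialSpecAlternatives><CredentialSpecUID>urn:credspec:idcard</CredentialSpecUID></CredentialSpecAlternatives>
    <IssuerAlternatives><IssuerParametersUID>urn:issuer:gov</IssuerParametersUID></IssuerAlternatives>
    <DisclosedAttribute AttributeType="urn:attr:email">
      <InspectorAlternatives><InspectorPublicKeyUID>urn:inspector:ombudsman</InspectorPublicKeyUID></InspectorAlternatives>
      <InspectionGrounds>fraud investigation after a chargeback</InspectionGrounds>
    </DisclosedAttribute>
  </Credential>
  <AttributePredicate Function="urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal">
    <Attribute CredentialAlias="#idcard" AttributeType="urn:attr:birthdate"/>
    <ConstantValue>2007-01-01</ConstantValue>
  </AttributePredicate>
</PresentationPolicy>"""

# Same policy with four defects: predicate on an undeclared alias, credential
# key-bound to itself, no nonce, and an inspectable attribute without grounds.
BAD_POLICY = (GOOD_POLICY
              .replace('CredentialAlias="#idcard"', 'CredentialAlias="#passport"')
              .replace('SameKeyBindingAs="#nym"', 'SameKeyBindingAs="#idcard"')
              .replace("<Message><Nonce>c2Vzc2lvbi1ub25jZQ==</Nonce></Message>", "<Message/>")
              .replace("<InspectionGrounds>fraud investigation after a chargeback</InspectionGrounds>", ""))


if __name__ == "__main__":
    print(lint_policy(GOOD_POLICY))   # []
    for level, message in lint_policy(BAD_POLICY):
        print(level, message)
```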
<xs:complexType name="CredentialTemplate">
<xs:sequence>
<xs:element name="CredentialSpecUID" type="xs:anyURI"/>
<xs:element name="IssuerParametersUID" type="xs:anyURI"/>
<xs:element name="UnknownAttributes" type="tns:UnknownAttributes" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="SameKeyBindingAs" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="UnknownAttributes">
<xs:sequence>
<xs:element name="CarriedOverAttribute" type="tns:CarriedOverAttribute" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="JointlyRandomAttribute" type="tns:JointlyRandomAttribute" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CarriedOverAttribute">
<xs:sequence>
<xs:element name="SourceCredentialInfo" type="tns:AttSourceCredentialInfo"/>
</xs:sequence>
<xs:attribute name="TargetAttributeType" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="AttSourceCredentialInfo">
<xs:sequence/>
<xs:attribute name="Alias" type="xs:anyURI" use="required"/>
<xs:attribute name="AttributeType" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="JointlyRandomAttribute">
<xs:sequence/>
<xs:attribute name="TargetAttributeType" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="Attribute">
<xs:sequence>
<xs:element name="AttributeUID" type="xs:anyURI"/>
<xs:element name="AttributeDescription" type="tns:AttributeDescription"/>
<xs:element name="AttributeValue" type="xs:anyType"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="AttributeDescription">
<xs:sequence>
<xs:element name="FriendlyAttributeName" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AllowedValue" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Type" type="xs:anyURI" use="required"/>
<xs:attribute name="DataType" type="xs:string" use="required"/>
<xs:attribute name="Encoding" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="SelectPresentationTokenDescription">
<xs:sequence>
<xs:element name="PolicyDescriptions" type="tns:PolicyDescriptions"/>
<xs:element name="CredentialDescriptions" type="tns:CredentialDescriptions"/>
<xs:element name="PseudonymDescriptions" type="tns:PseudonymDescriptions"/>
<xs:element name="InspectorDescriptions" type="tns:InspectorDescriptions"/>
<xs:element name="CandidatePresentationTokenList" type="tns:CandidatePresentationTokenList"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PolicyDescriptions">
<xs:sequence>
<xs:element name="entry" type="tns:PolicyDescriptionsEntry" nillable="true" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PolicyDescriptionsEntry">
<xs:sequence>
<xs:element name="key" type="xs:anySimpleType"/>
<xs:element name="value" type="tns:PolicyDescription"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PolicyDescription">
<xs:sequence>
<xs:element name="PolicyUID" type="xs:anyURI"/>
<xs:element name="Message" type="tns:Message"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CredentialDescriptions">
<xs:sequence>
<xs:element name="entry" type="tns:CredentialDescriptionsEntry" nillable="true" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CredentialDescriptionsEntry">
<xs:sequence>
<xs:element name="key" type="xs:anySimpleType"/>
<xs:element name="value" type="tns:CredentialDescription"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CredentialDescription">
<xs:sequence>
<xs:element name="CredentialUID" type="xs:anyURI"/>
<xs:element name="FriendlyCredentialName" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="ImageReference" type="xs:anyURI" minOccurs="0"/>
<xs:element name="CredentialSpecificationUID" type="xs:anyURI"/>
<xs:element name="IssuerParametersUID" type="xs:anyURI"/>
<xs:element name="SecretReference" type="xs:anyURI" minOccurs="0"/>
<xs:element name="Attribute" type="tns:Attribute" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="RevokedByIssuer" type="xs:boolean"/>
</xs:complexType>
<xs:complexType name="PseudonymDescriptions">
<xs:sequence>
<xs:element name="entry" type="tns:PseudonymDescriptionsEntry" nillable="true" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PseudonymDescriptionsEntry">
<xs:sequence>
<xs:element name="key" type="xs:anySimpleType"/>
<xs:element name="value" type="tns:PseudonymDescriptionValue"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PseudonymDescriptionValue">
<xs:sequence>
<xs:element name="PseudonymDescription" type="tns:PseudonymDescription"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PseudonymDescription">
<xs:sequence>
<xs:element name="PseudonymMetadata" type="tns:PseudonymMetadata"/>
</xs:sequence>
<xs:attribute name="Exclusive" type="xs:boolean"/>
<xs:attribute name="Scope" type="xs:string" use="required"/>
<xs:attribute name="PseudonymUID" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="PseudonymMetadata">
<xs:sequence>
<xs:element name="HumanReadableData" type="xs:string"/>
<xs:element name="FriendlyPseudonymDescription" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="Metadata" type="tns:Metadata"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="InspectorDescriptions">
<xs:sequence>
<xs:element name="entry" type="tns:InspectorDescriptionsEntry" nillable="true" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="InspectorDescriptionsEntry">
<xs:sequence>
<xs:element name="key" type="xs:anySimpleType"/>
<xs:element name="value" type="tns:InspectorDescription"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="InspectorDescription">
<xs:sequence>
<xs:element name="InspectorUID" type="xs:anyURI"/>
<xs:element name="FriendlyInspectorDescription" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CandidatePresentationTokenList">
<xs:sequence>
<xs:element name="CandidatePresentationToken" type="tns:CandidatePresentationToken" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CandidatePresentationToken">
<xs:sequence>
<xs:element name="Token" type="tns:Token"/>
<xs:element name="FriendlyTokenDescription" type="tns:FriendlyDescription" maxOccurs="unbounded"/>
<xs:element name="CredentialUidList" type="tns:CredentialUidList"/>
<xs:element name="PseudonymChoiceList" type="tns:PseudonymChoiceList"/>
<xs:element name="InspectorChoiceList" type="tns:InspectorChoiceList"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="Token">
<xs:sequence/>
<xs:attribute name="PolicyUID" type="xs:anyURI" use="required"/>
<xs:attribute name="TokenUID" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="CredentialUidList">
<xs:sequence>
<xs:element name="CredentialUid" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PseudonymChoiceList">
<xs:sequence>
<xs:element name="URISet" type="tns:URISet" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="URISet">
<xs:sequence>
<xs:element name="URI" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="InspectorChoiceList">
<xs:sequence>
<xs:element name="URISet" type="tns:URISet" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PresentationTokenDescriptionWithCommitments">
<xs:sequence>
<xs:element name="Message" type="tns:Message" minOccurs="0"/>
<xs:element name="Pseudonym" type="tns:PseudonymInToken" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="Credential" type="tns:CredentialInTokenWithCommitments" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AttributePredicate" type="tns:AttributePredicate" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="VerifierDrivenRevocation" type="tns:VerifierDrivenRevocationInToken" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="CryptoEvidence" type="tns:CryptoParams"/>
</xs:sequence>
<xs:attribute name="PolicyUID" type="xs:anyURI" use="required"/>
<xs:attribute name="TokenUID" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="PseudonymInToken">
<xs:sequence>
<xs:element name="PseudonymValue" type="xs:base64Binary" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="Exclusive" type="xs:boolean"/>
<xs:attribute name="Scope" type="xs:string" use="required"/>
<xs:attribute name="Alias" type="xs:anyURI"/>
<xs:attribute name="SameKeyBindingAs" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="CredentialInTokenWithCommitments">
<xs:sequence>
<xs:element name="CredentialSpecUID" type="xs:anyURI"/>
<xs:element name="IssuerParametersUID" type="xs:anyURI"/>
<xs:element name="RevocationInformationUID" type="xs:anyURI" minOccurs="0"/>
<xs:element name="DisclosedAttribute" type="tns:AttributeInToken" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="CommittedKey" type="tns:CommittedKey" minOccurs="0"/>
<xs:element name="CommittedAttribute" type="tns:CommittedAttribute" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Alias" type="xs:anyURI"/>
<xs:attribute name="SameKeyBindingAs" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="AttributeInToken">
<xs:sequence>
<xs:element name="InspectorPublicKeyUID" type="xs:anyURI" minOccurs="0"/>
<xs:element name="InspectionGrounds" type="xs:string" minOccurs="0"/>
<xs:element name="AttributeValue" type="xs:anySimpleType" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="AttributeType" type="xs:anyURI" use="required"/>
<xs:attribute name="DataHandlingPolicy" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="CommittedKey">
<xs:sequence>
<xs:element name="Commitment" type="tns:CryptoParams" minOccurs="0"/>
<xs:element name="CommittedValue" type="tns:CryptoParams" minOccurs="0"/>
<xs:element name="OpeningInformation" type="tns:CryptoParams" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CryptoParams">
<xs:sequence>
<xs:any processContents="lax" namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CommittedAttribute">
<xs:sequence>
<xs:element name="Commitment" type="tns:CryptoParams" minOccurs="0"/>
<xs:element name="CommittedValue" type="tns:CryptoParams" minOccurs="0"/>
<xs:element name="OpeningInformation" type="tns:CryptoParams" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="AttributeType" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="VerifierDrivenRevocationInToken">
<xs:sequence>
<xs:element name="RevocationInformationUID" type="xs:anyURI"/>
<xs:element name="Attribute" type="tns:AttributeInRevocation" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PrivateKey">
<xs:sequence>
<xs:element name="Parameter" type="tns:Parameter" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="PublicKeyId" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="Parameter">
<xs:sequence>
<xs:element name="FriendlyDescription" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Name" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="IntegerParameter">
<xs:complexContent>
<xs:extension base="tns:Parameter">
<xs:sequence>
<xs:element name="Value" type="xs:int"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="UriParameter">
<xs:complexContent>
<xs:extension base="tns:Parameter">
<xs:sequence>
<xs:element name="Value" type="xs:anyURI"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="BigIntegerParameter">
<xs:complexContent>
<xs:extension base="tns:Parameter">
<xs:sequence>
<xs:element name="Value" type="xs:integer"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="StringParameter">
<xs:complexContent>
<xs:extension base="tns:Parameter">
<xs:sequence>
<xs:element name="Value" type="xs:string"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="AttributeList">
<xs:sequence>
<xs:element name="Attributes" type="tns:Attribute" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="AttributeDescriptions">
<xs:sequence>
<xs:element name="AttributeDescription" type="tns:AttributeDescription" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="MaxLength" type="xs:unsignedInt" use="required"/>
</xs:complexType>
<xs:complexType name="RevocationHistory">
<xs:sequence>
<xs:element name="RevocationHistoryUID" type="xs:anyURI"/>
<xs:element name="RevocationAuthorityParametersUID" type="xs:anyURI"/>
<xs:element name="CurrentState" type="tns:CryptoParams" minOccurs="0"/>
<xs:element name="RevocationLogEntry" type="tns:RevocationLogEntry" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="RevocationLogEntry">
<xs:sequence>
<xs:element name="RevocationLogEntryUID" type="xs:anyURI"/>
<xs:element name="RevocableAttribute" type="tns:AttributeInLogEntry" maxOccurs="unbounded"/>
<xs:element name="DateCreated" type="xs:dateTime"/>
<xs:element name="CryptoParameters" type="tns:CryptoParams" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="Revoked" type="xs:boolean" use="required"/>
</xs:complexType>
<xs:complexType name="AttributeInLogEntry">
<xs:sequence>
<xs:element name="AttributeValue" type="xs:anyType"/>
</xs:sequence>
<xs:attribute name="AttributeType" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="KeyBindingInfo">
<xs:sequence>
<xs:any processContents="lax" namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="SystemParametersTemplate">
<xs:sequence>
<xs:element name="Parameter" type="tns:Parameter" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
<xs:attribute name="SystemParametersId" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="IssuerParametersInput">
<xs:sequence>
<xs:element name="ParametersUID" type="xs:anyURI"/>
<xs:element name="FriendlyIssuerDescription" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AlgorithmID" type="xs:string"/>
<xs:element name="CredentialSpecUID" type="xs:anyURI"/>
<xs:element name="HashAlgorithm" type="xs:string"/>
<xs:element name="RevocationParametersUID" type="xs:anyURI" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="TestApplicationData">
<xs:sequence>
<xs:element name="Data" type="xs:anySimpleType" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="NonRevocationEvidence">
<xs:sequence>
<xs:element name="NonRevocationEvidenceUID" type="xs:anyURI"/>
<xs:element name="RevocationAuthorityParametersUID" type="xs:anyURI"/>
<xs:element name="CredentialUID" type="xs:anyURI"/>
<xs:element name="Created" type="xs:dateTime" minOccurs="0"/>
<xs:element name="Expires" type="xs:dateTime" minOccurs="0"/>
<xs:element name="Epoch" type="xs:int" minOccurs="0"/>
<xs:element name="Attribute" type="tns:Attribute" maxOccurs="unbounded"/>
<xs:element name="CryptoParams" type="tns:CryptoParams" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="KeyPair">
<xs:sequence>
<xs:element name="PrivateKey" type="tns:PrivateKey"/>
<xs:element name="PublicKey" type="tns:PublicKey"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PublicKey">
<xs:sequence>
<xs:element name="Parameter" type="tns:Parameter" maxOccurs="unbounded"/>
<xs:element name="FriendlyDescription" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
<xs:attribute name="Technology" type="xs:anyURI" use="required"/>
<xs:attribute name="SystemParametersId" type="xs:string" use="required"/>
<xs:attribute name="PublicKeyId" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="PresentationPolicyAlternativesAndPresentationToken">
<xs:sequence>
<xs:element name="PresentationPolicyAlternatives" type="tns:PresentationPolicyAlternatives"/>
<xs:element name="PresentationToken" type="tns:PresentationToken"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PresentationPolicyAlternatives">
<xs:sequence>
<xs:element name="PresentationPolicy" type="tns:PresentationPolicy" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="PresentationToken">
<xs:sequence>
<xs:element name="PresentationTokenDescription" type="tns:PresentationTokenDescription"/>
<xs:element name="CryptoEvidence" type="tns:CryptoParams"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="PresentationTokenDescription">
<xs:sequence>
<xs:element name="Message" type="tns:Message" minOccurs="0"/>
<xs:element name="Pseudonym" type="tns:PseudonymInToken" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="Credential" type="tns:CredentialInToken" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AttributePredicate" type="tns:AttributePredicate" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="VerifierDrivenRevocation" type="tns:VerifierDrivenRevocationInToken" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="PolicyUID" type="xs:anyURI" use="required"/>
<xs:attribute name="TokenUID" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="CredentialInToken">
<xs:sequence>
<xs:element name="CredentialSpecUID" type="xs:anyURI"/>
<xs:element name="IssuerParametersUID" type="xs:anyURI"/>
<xs:element name="RevocationInformationUID" type="xs:anyURI" minOccurs="0"/>
<xs:element name="DisclosedAttribute" type="tns:AttributeInToken" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Alias" type="xs:anyURI"/>
<xs:attribute name="SameKeyBindingAs" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="TestCryptoParams">
<xs:sequence>
<xs:element name="Data" type="xs:anySimpleType" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="VerificationCall">
<xs:sequence>
<xs:element name="PresentationPolicyAlternatives" type="tns:PresentationPolicyAlternatives"/>
<xs:element name="PresentationToken" type="tns:PresentationToken"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="NonRevocationEvidenceUpdate">
<xs:sequence>
<xs:element name="NonRevocationEvidenceUpdateUID" type="xs:anyURI"/>
<xs:element name="NonRevocationEvidenceUID" type="xs:anyURI"/>
<xs:element name="RevocationAuthorityParametersUID" type="xs:anyURI"/>
<xs:element name="Created" type="xs:dateTime" minOccurs="0"/>
<xs:element name="Expires" type="xs:dateTime" minOccurs="0"/>
<xs:element name="CryptoParams" type="tns:CryptoParams" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="IssuanceProtocolMetadata">
<xs:sequence/>
<xs:attribute name="Counter" type="xs:integer" use="required"/>
</xs:complexType>
<xs:complexType name="SystemParameters">
<xs:sequence>
<xs:any processContents="lax" namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
<xs:attribute name="SystemParametersURI" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="SecretKey">
<xs:sequence>
<xs:element name="secretKeyUID" type="xs:anyURI"/>
<xs:element name="CryptoParams" type="tns:CryptoParams" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="IssuanceLogEntry">
<xs:sequence>
<xs:element name="IssuanceLogEntryUID" type="xs:anyURI"/>
<xs:element name="IssuerParametersUID" type="xs:anyURI"/>
<xs:element name="IssuanceToken" type="tns:IssuanceToken" minOccurs="0"/>
<xs:element name="IssuerAttributes" type="tns:AttributeInLogEntry" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="IssuanceToken">
<xs:sequence>
<xs:element name="IssuanceTokenDescription" type="tns:IssuanceTokenDescription"/>
<xs:element name="CryptoEvidence" type="tns:CryptoParams"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="IssuanceTokenDescription">
<xs:sequence>
<xs:element name="PresentationTokenDescription" type="tns:PresentationTokenDescription"/>
<xs:element name="CredentialTemplate" type="tns:CredentialTemplate"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="TestSystemParameters">
<xs:sequence>
<xs:element name="Data" type="xs:anySimpleType" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="RevocationAuthorityParameters">
<xs:sequence>
<xs:element name="ParametersUID" type="xs:anyURI"/>
<xs:element name="RevocationMechanism" type="xs:anyURI"/>
<xs:element name="RevocationInfoReference" type="tns:Reference" minOccurs="0"/>
<xs:element name="NonRevocationEvidenceReference" type="tns:Reference" minOccurs="0"/>
<xs:element name="NonRevocationEvidenceUpdateReference" type="tns:Reference" minOccurs="0"/>
<xs:element name="CryptoParams" type="tns:CryptoParams" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="Reference">
<xs:sequence>
<xs:element name="References" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="ReferenceType" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="InspectorPublicKey">
<xs:sequence>
<xs:element name="PublicKeyUID" type="xs:anyURI"/>
<xs:element name="AlgorithmID" type="xs:string"/>
<xs:element name="FriendlyInspectorDescription" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="CryptoParams" type="tns:CryptoParams"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="ZkProof">
<xs:sequence>
<xs:element name="Module" type="tns:ModuleInZkProof" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AttributeValue" type="tns:ValueInZkProof" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="Challenge" type="xs:integer" minOccurs="0"/>
<xs:element name="SValue" type="tns:ValueInZkProof" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ModuleInZkProof">
<xs:sequence>
<xs:element name="HashContribution" type="xs:base64Binary" minOccurs="0"/>
<xs:element name="DValue" type="tns:ValueWithHashInZkProof" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="RevealedAttribute" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="NValue" type="tns:ValueInZkProof" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="TValue" type="tns:ValueInZkProof" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="SValue" type="tns:ValueInZkProof" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Name" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="ValueWithHashInZkProof">
<xs:simpleContent>
<xs:extension base="xs:base64Binary">
<xs:attribute name="Name" type="xs:string" use="required"/>
<xs:attribute name="Type" type="xs:string" use="required"/>
<xs:attribute name="HashContribution" type="xs:base64Binary"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="ValueInZkProof">
<xs:simpleContent>
<xs:extension base="xs:base64Binary">
<xs:attribute name="Name" type="xs:string" use="required"/>
<xs:attribute name="Type" type="xs:string" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="CredentialSpecificationAndSystemParameters">
<xs:sequence>
<xs:element name="CredentialSpecification" type="tns:CredentialSpecification"/>
<xs:element name="SystemParameters" type="tns:SystemParameters"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CredentialSpecification">
<xs:sequence>
<xs:element name="SpecificationUID" type="xs:anyURI"/>
<xs:element name="FriendlyCredentialName" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefaultImageReference" type="xs:anyURI" minOccurs="0"/>
<xs:element name="AttributeDescriptions" type="tns:AttributeDescriptions"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
<xs:attribute name="KeyBinding" type="xs:boolean" use="required"/>
<xs:attribute name="Revocable" type="xs:boolean" use="required"/>
</xs:complexType>
<xs:complexType name="VerifierParametersTemplate">
<xs:sequence>
<xs:element name="Parameter" type="tns:Parameter" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
<xs:attribute name="SystemParametersId" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="Credential">
<xs:sequence>
<xs:element name="CredentialDescription" type="tns:CredentialDescription"/>
<xs:element name="NonRevocationEvidenceUID" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="CryptoParams" type="tns:CryptoParams"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="SelectIssuanceTokenDescription">
<xs:sequence>
<xs:element name="PolicyDescriptions" type="tns:PolicyDescriptions"/>
<xs:element name="CredentialDescriptions" type="tns:CredentialDescriptions"/>
<xs:element name="PseudonymDescriptions" type="tns:PseudonymDescriptions"/>
<xs:element name="InspectorDescriptions" type="tns:InspectorDescriptions"/>
<xs:element name="CandidateIssuanceTokenList" type="tns:CandidateIssuanceTokenList"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CandidateIssuanceTokenList">
<xs:sequence>
<xs:element name="CandidateIssuanceToken" type="tns:CandidateIssuanceToken" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CandidateIssuanceToken">
<xs:sequence>
<xs:element name="Token" type="tns:Token"/>
<xs:element name="FriendlyTokenDescription" type="tns:FriendlyDescription" maxOccurs="unbounded"/>
<xs:element name="CredentialUidList" type="tns:CredentialUidList"/>
<xs:element name="PseudonymChoiceList" type="tns:PseudonymChoiceList"/>
<xs:element name="InspectorChoiceList" type="tns:InspectorChoiceList"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="IssuerParameters">
<xs:sequence>
<xs:element name="ParametersUID" type="xs:anyURI"/>
<xs:element name="FriendlyIssuerDescription" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AlgorithmID" type="xs:string"/>
<xs:element name="SystemParameters" type="tns:SystemParameters"/>
<xs:element name="SystemParametersURI" type="xs:anyURI" minOccurs="0"/>
<xs:element name="CredentialSpecUID" type="xs:anyURI"/>
<xs:element name="HashAlgorithm" type="xs:string"/>
<xs:element name="CryptoParams" type="tns:CryptoParams"/>
<xs:element name="KeyBindingInfo" type="tns:KeyBindingInfo" minOccurs="0"/>
<xs:element name="RevocationParametersUID" type="xs:anyURI" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="IssuanceMessageAndBoolean">
<xs:sequence>
<xs:element name="IssuanceMessage" type="tns:IssuanceMessage"/>
<xs:element name="LastMessage" type="xs:boolean"/>
<xs:element name="IssuanceLogEntryURI" type="xs:anyURI"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="IssuanceMessage">
<xs:sequence>
<xs:any processContents="lax" namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Context" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="RevocationInformation">
<xs:sequence>
<xs:element name="InformationUID" type="xs:anyURI"/>
<xs:element name="RevocationAuthorityParameters" type="xs:anyURI"/>
<xs:element name="Created" type="xs:dateTime" minOccurs="0"/>
<xs:element name="Expires" type="xs:dateTime" minOccurs="0"/>
<xs:element name="CryptoParams" type="tns:CryptoParams" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="StandardPseudonym">
<xs:sequence>
<xs:element name="deviceUid" type="xs:anyURI"/>
<xs:element name="openingInformation" type="xs:integer"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="RevocationReferences">
<xs:sequence>
<xs:element name="RevocationInfoReference" type="tns:Reference" minOccurs="0"/>
<xs:element name="NonRevocationEvidenceReference" type="tns:Reference" minOccurs="0"/>
<xs:element name="NonRevocationEvidenceUpdateReference" type="tns:Reference" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="SmartcardPinRequests">
<xs:sequence>
<xs:element name="SmartcardPinRequest" type="tns:SmartcardPinRequest" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="SmartcardPinRequest">
<xs:sequence/>
</xs:complexType>
<xs:complexType name="SignatureToken">
<xs:sequence>
<xs:element name="Parameter" type="tns:Parameter" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ScopeExclusivePseudonym">
<xs:sequence>
<xs:element name="deviceUid" type="xs:anyURI"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="VerifierParameters">
<xs:sequence>
<xs:element name="Parameter" type="tns:Parameter" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
<xs:attribute name="SystemParametersId" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="Secret">
<xs:sequence>
<xs:element name="SecretDescription" type="tns:SecretDescription"/>
<xs:element name="SystemParameters" type="tns:SmartcardSystemParameters" minOccurs="0"/>
<xs:element name="SecretKey" type="xs:integer" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="SmartcardSystemParameters">
<xs:sequence>
<xs:element name="primeModulus" type="xs:integer"/>
<xs:element name="generator" type="xs:integer"/>
<xs:element name="subgroupOrder" type="xs:integer"/>
<xs:element name="zkChallengeSizeBytes" type="xs:int"/>
<xs:element name="zkStatisticalHidingSizeBytes" type="xs:int"/>
<xs:element name="deviceSecretSizeBytes" type="xs:int"/>
<xs:element name="signatureNonceLengthBytes" type="xs:int"/>
<xs:element name="zkNonceSizeBytes" type="xs:int"/>
<xs:element name="zkNonceOpeningSizeBytes" type="xs:int"/>
<xs:any processContents="lax" namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PseudonymWithMetadata">
<xs:sequence>
<xs:element name="Pseudonym" type="tns:Pseudonym"/>
<xs:element name="PseudonymMetadata" type="tns:PseudonymMetadata" minOccurs="0"/>
<xs:element name="CryptoParams" type="tns:CryptoParams" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="Pseudonym">
<xs:sequence>
<xs:element name="PseudonymValue" type="xs:base64Binary" minOccurs="0"/>
<xs:element name="SecretReference" type="xs:anyURI"/>
</xs:sequence>
<xs:attribute name="Exclusive" type="xs:boolean"/>
<xs:attribute name="Scope" type="xs:string" use="required"/>
<xs:attribute name="PseudonymUID" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="IssuerPublicKeyTemplate">
<xs:sequence>
<xs:element name="Parameter" type="tns:Parameter" maxOccurs="unbounded"/>
<xs:element name="FriendlyDescription" type="tns:FriendlyDescription" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
<xs:attribute name="Technology" type="xs:anyURI" use="required"/>
<xs:attribute name="SystemParametersId" type="xs:string" use="required"/>
<xs:attribute name="PublicKeyPrefix" type="xs:anyURI" use="required"/>
</xs:complexType>
<xs:complexType name="TestReference">
<xs:sequence>
<xs:element name="Data" type="xs:anySimpleType" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="TestIssuanceMessage">
<xs:sequence>
<xs:element name="Data" type="xs:anySimpleType" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="RevocationMessage">
<xs:sequence>
<xs:element name="RevocationAuthorityParametersUID" type="xs:anyURI"/>
<xs:element name="CryptoParams" type="tns:CryptoParams" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="Context" type="xs:anyURI"/>
</xs:complexType>
<xs:complexType name="Error">
<xs:sequence>
<xs:element name="ErrorUID" type="xs:anyURI"/>
<xs:element name="ErrorParams" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PresentationTokenWithCommitments">
<xs:sequence>
<xs:element name="PresentationTokenDescriptionWithCommitments" type="tns:PresentationTokenDescriptionWithCommitments"/>
<xs:element name="CryptoEvidence" type="tns:CryptoParams"/>
</xs:sequence>
<xs:attribute name="Version" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="Signature">
<xs:sequence>
<xs:element name="canReuseToken" type="xs:boolean"/>
<xs:element name="SignatureToken" type="tns:SignatureToken" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
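As an added example (not part of the specification or of any ABC4Trust implementation), a structural check of a PresentationToken against the content models of the complexTypes above: xs:sequence order, minOccurs/maxOccurs and required attributes, with CryptoParams left opaque exactly as the schema's xs:any leaves it. The target namespace is assumed and both sample tokens are constructed.

```python
# Content models transcribed from the complexType definitions above; a verifier
# can run this before handing the opaque CryptoEvidence to the crypto layer.
import xml.etree.ElementTree as ET

NS = "http://abc4trust.eu/wp2/abcschemav1.0"  # assumed target namespace
UNBOUNDED = None

# type name -> (ordered children [(element, type, minOccurs, maxOccurs)],
#               attributes [(name, required)]); None marks an opaque xs:any type.
TYPES = {
    "PresentationToken": (
        [("PresentationTokenDescription", "PresentationTokenDescription", 1, 1),
         ("CryptoEvidence", "CryptoParams", 1, 1)],
        [("Version", True)]),
    "PresentationTokenDescription": (
        [("Message", "Message", 0, 1),
         ("Pseudonym", "PseudonymInToken", 0, UNBOUNDED),
         ("Credential", "CredentialInToken", 0, UNBOUNDED),
         ("AttributePredicate", "AttributePredicate", 0, UNBOUNDED),
         ("VerifierDrivenRevocation", "VerifierDrivenRevocationInToken", 0, UNBOUNDED)],
        [("PolicyUID", True), ("TokenUID", False)]),
    "CredentialInToken": (
        [("CredentialSpecUID", "anyURI", 1, 1),
         ("IssuerParametersUID", "anyURI", 1, 1),
         ("RevocationInformationUID", "anyURI", 0, 1),
         ("DisclosedAttribute", "AttributeInToken", 0, UNBOUNDED)],
        [("Alias", False), ("SameKeyBindingAs", False)]),
    "AttributeInToken": (
        [("InspectorPublicKeyUID", "anyURI", 0, 1),
         ("InspectionGrounds", "string", 0, 1),
         ("AttributeValue", "anySimpleType", 0, 1)],
        [("AttributeType", True), ("DataHandlingPolicy", False)]),
    "CryptoParams": None,
}


def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def check(elem, type_name, path, errors):
    """Append one message per violation found in elem (of type type_name) to errors."""
    model = TYPES.get(type_name)
    if model is None:  # simple type, opaque xs:any, or a type not transcribed here
        return errors
    children_model, attrs_model = model
    for name, required in attrs_model:
        if required and name not in elem.attrib:
            errors.append(f"{path}: missing required attribute {name}")
    children = list(elem)
    idx = 0
    for name, child_type, lo, hi in children_model:  # xs:sequence: declared order
        count = 0
        while idx < len(children) and local(children[idx].tag) == name:
            check(children[idx], child_type, f"{path}/{name}[{count}]", errors)
            count += 1
            idx += 1
        if count < lo:
            errors.append(f"{path}: expected at least {lo} {name}, got {count}")
        if hi is not None and count > hi:
            errors.append(f"{path}: expected at most {hi} {name}, got {count}")
    if idx < len(children):
        errors.append(f"{path}: unexpected or out-of-order element {local(children[idx].tag)}")
    return errors


def validate_presentation_token(xml_text):
    """Return the list of structural violations ([] means the token conforms)."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "PresentationToken":
        return [f"root element is {local(root.tag)}, not PresentationToken"]
    return check(root, "PresentationToken", "PresentationToken", [])


# Constructed sample tokens (not taken from any real deployment).
GOOD_TOKEN = f"""<PresentationToken xmlns="{NS}" Version="1.0">
  <PresentationTokenDescription PolicyUID="urn:example:policy:1">
    <Credential Alias="urn:example:cred:1">
      <CredentialSpecUID>urn:example:credspec:idcard</CredentialSpecUID>
      <IssuerParametersUID>urn:example:issuer:params</IssuerParametersUID>
      <DisclosedAttribute AttributeType="urn:example:attr:birthyear">
        <AttributeValue>1990</AttributeValue>
      </DisclosedAttribute>
    </Credential>
  </PresentationTokenDescription>
  <CryptoEvidence><o:proof xmlns:o="urn:example:opaque">base64data</o:proof></CryptoEvidence>
</PresentationToken>"""

# Missing Version and PolicyUID, Credential children swapped, no CryptoEvidence.
BAD_TOKEN = f"""<PresentationToken xmlns="{NS}">
  <PresentationTokenDescription>
    <Credential>
      <IssuerParametersUID>urn:example:issuer:params</IssuerParametersUID>
      <CredentialSpecUID>urn:example:credspec:idcard</CredentialSpecUID>
    </Credential>
  </PresentationTokenDescription>
</PresentationToken>"""
```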
This method reloads the configuration of the webservice(s) and will completely wipe all storage of the webservice(s). Use with extreme caution!
This method is available when the service is running.
This method can be used to test authentication by sending an authentication request.
Returns the settings of this issuance service. The settings include the issuer parameters, the credential specifications and the system parameters. This method is usually called by a user service or a verification service to download the settings.
This method is called by a user to initiate an issuance protocol. The user must provide an issuance request containing his authentication information and the UID of the corresponding credential specification. The issuer will then try to authenticate the user against an authentication source (e.g. LDAP), fetch the attributes required by the credential specification from an attribute source (e.g. LDAP), and initiate the round-based issuance protocol.
If authentication of the user fails, this method returns the status code FORBIDDEN. If the issuer is missing the credential specification, the issuance policy or the query rule, this method returns the status code NOT_FOUND.
This method searches for an issuance policy and a query rule using the UID of the credential specification as the key. If no issuance policy is found, a default issuance policy is used that asks the user to reveal nothing in particular.
This method performs one step in an interactive issuance protocol. On input an incoming issuance message m received from the User, it returns the outgoing issuance message that is to be sent back to the User, a boolean indicating whether this is the last message in the protocol, and the UID of the stored issuance log entry that contains an issuance token together with the attribute values provided by the issuer to keep track of the issued credentials. The Context attribute of the outgoing message has the same value as that of the incoming message, allowing the Issuer to link the different messages of this issuance protocol.
Deletes a credential specification that was stored under the UID provided as part of the path.
Deletes an attribute from a credential specification.
Deletes a friendly description from an attribute of a credential specification.
Adds a friendly description to an attribute of a credential specification.
Stores a credential specification at this service. The UID given as part of the path must match the UID of the passed credential specification.
Retrieves a credential specification.
Generates issuer parameters for a specified credential specification. The generated issuer parameters are automatically stored at this issuance service.
Deletes issuer parameters.
Stores a query rule and associates it with the specified credential specification. The query rule is stored at the issuance service under the given credential specification UID, which the issuance service uses to look up the corresponding query rule.
Deletes a query rule.
Retrieves a previously stored query rule.
Lists all query rules stored at this issuance service.
Stores an issuance policy and associates it with a credential specification.
Retrieves an issuance policy that was previously stored.
This method can be used to obtain information about attributes from the attribute source (e.g. LDAP, JDBC or another source). It returns an AttributeInfoCollection that can be passed to generateCredentialSpecification(AttributeInfoCollection).
Generates a credential specification based on the supplied AttributeInfoCollection.
This method generates a fresh set of system parameters for the given security level, expressed as the bit length of a symmetric key with comparable security, and cryptographic mechanism. Issuers can generate their own system parameters, but can also reuse system parameters generated by a different entity. More typically, a central party (e.g., a standardization body) will generate and publish system parameters for a number of different key lengths that will be used by many Issuers. Security levels 80 and 128 MUST be supported; other values MAY also be supported.
Currently, the supported mechanism URI is urn:abc4trust:1.0:algorithm:idemix for Identity Mixer.
This method will overwrite any existing system parameters.
This method generates a fresh issuance key and the corresponding Issuer parameters. The issuance key is stored in the Issuer's key store; the Issuer parameters are returned as output of the method. The inputs to this method specify the credential specification credspec of the credentials that will be issued with these parameters, the system parameters syspars, the unique identifier uid of the generated parameters, the hash algorithm identifier hash, and, optionally, the parameters identifier of any Issuer-driven Revocation Authority.
Currently, the only supported hash algorithm is SHA-256 with identifier urn:abc4trust:1.0:hashalgorithm:sha-256.
This method reloads the configuration of the webservice(s) and will completely wipe all storage of the webservice(s). Use with extreme caution!
This method, on input a presentation policy, decides whether the credentials in the User’s credential store could be used to produce a valid presentation token satisfying the policy. If so, this method returns true; otherwise, it returns false.
This method, on input a PresentationPolicyAlternatives, returns an argument to be passed to the UI for choosing how to satisfy the policy, or returns an error if the policy cannot be satisfied (i.e. if the canBeSatisfied method would have returned false). To build this argument, the method investigates whether the User has the necessary credentials and/or established pseudonyms to create one or more presentation tokens that satisfy the policy (e.g., by satisfying different alternatives in the policy, or by using different sets of credentials to satisfy one alternative).
The return value of this method should be passed to the User Interface (or to some other component that is capable of rendering a UiPresentationReturn object from a UiPresentationArguments object). The return value of the UI must then be passed to the method createPresentationToken(UiPresentationReturn) for creating a presentation token.
Performs the next step to complete creation of presentation tokens. This method should be called when the user interface is done with its selection.
Downloads and loads settings from an issuer or any other settings provider. This method causes the user service to make a GET request to the specified URL and download its contents, which must be valid Settings. DO NOT use this method with untrusted URLs, or with issuers (or any other settings providers) that use DIFFERENT system parameters, as this method will overwrite the existing system parameters. See also getSettings().
Returns the settings of the service as obtained from an issuance service. The settings include the issuer parameters, the credential specifications and the system parameters. This method may thus be used to retrieve all credential specifications stored at the user service together with their corresponding issuer parameters. The return type of this method is Settings. The user service is capable of downloading settings from an issuer (or from anything else that provides settings). To download settings use /loadSetting?url=... (loadSettings(String)).
Returns all obtained credentials as a CredentialCollection.
Retrieve a credential.
This method performs one step in an interactive issuance protocol. On input an incoming issuance message im obtained from the Issuer, it either returns the outgoing issuance message that is to be sent back to the Issuer, an object that must be sent to the User Interface (UI) to allow the user to decide how to satisfy a policy (or to confirm the only choice), or, at successful completion of the protocol, a description of the newly issued credential. In the first case, the Context attribute of the outgoing message has the same value as that of the incoming message, allowing the Issuer to link the different messages of this issuance protocol.
If this is the first time this method is called for a given context, the method expects the issuance message to contain an issuance policy, and returns an object that is to be sent to the UI (allowing the user to choose his preferred way of generating the presentation token, or to confirm the only possible choice).
This method throws an exception if the policy cannot be satisfied with the user's current credentials.
If this method returns an IssuanceMessage, that message should be forwarded to the Issuer. If this method returns a CredentialDescription, then the issuance protocol was successful. If this method returns a UiIssuanceArguments, that object must be forwarded to the UI (or to some other component that is capable of rendering a UiIssuanceReturn object from a UiIssuanceArguments object); the method issuanceProtocolStep(UiIssuanceReturn) should then be invoked with the object returned by the UI.
This method performs the next step in the issuance protocol after the UI is done with its selection.
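The round-based exchange described for the Issuer's and the User's issuanceProtocolStep methods, as an added example that is not part of the specification or of any ABC4Trust implementation: each IssuanceMessage carries the Context attribute, the Issuer wraps its replies in IssuanceMessageAndBoolean (IssuanceMessage, LastMessage, IssuanceLogEntryURI), and both sides refuse messages that belong to another Context or arrive out of sequence. The target namespace is assumed, the mechanism-specific content (a Round element with a Counter) is a constructed stand-in, and the UI round trip is left out.

```python
import uuid
import xml.etree.ElementTree as ET

NS = "http://abc4trust.eu/wp2/abcschemav1.0"   # assumed target namespace
OPQ = "urn:example:opaque"                      # constructed "##other" namespace for xs:any
ns = {"abc": NS, "opq": OPQ}


def issuance_message(context, counter, payload):
    """IssuanceMessage: Context attribute plus content from a foreign namespace (xs:any)."""
    msg = ET.Element(f"{{{NS}}}IssuanceMessage", {"Context": context})
    ET.SubElement(msg, f"{{{OPQ}}}Round", {"Counter": str(counter)}).text = payload
    return msg


def issuance_message_and_boolean(msg, last, log_uri):
    """The Issuer's return value: message, LastMessage flag and issuance log entry UID."""
    wrapper = ET.Element(f"{{{NS}}}IssuanceMessageAndBoolean")
    wrapper.append(msg)
    ET.SubElement(wrapper, f"{{{NS}}}LastMessage").text = "true" if last else "false"
    ET.SubElement(wrapper, f"{{{NS}}}IssuanceLogEntryURI").text = log_uri
    return wrapper


def extract_issuance_message(wrapper):
    """IssuanceMessageAndBoolean -> IssuanceMessage (the extraction helper described above)."""
    return wrapper.find("abc:IssuanceMessage", ns)


def counter_of(msg):
    return int(msg.find("opq:Round", ns).get("Counter"))


class Issuer:
    ROUNDS = 2  # constructed: Issuer replies before LastMessage is set

    def __init__(self):
        self.sessions = {}  # Context -> counter of the last message this Issuer sent

    def init_issuance_protocol(self):
        ctx = "urn:example:context:" + uuid.uuid4().hex  # constructed Context value
        self.sessions[ctx] = 0
        return issuance_message(ctx, 0, "issuance-policy")

    def issuance_protocol_step(self, incoming):
        ctx = incoming.get("Context")
        if ctx not in self.sessions:
            raise ValueError("unknown or already finished Context")
        counter = counter_of(incoming)
        if counter != self.sessions[ctx] + 1:  # replayed or reordered message
            raise ValueError(f"out-of-sequence message: Counter {counter}")
        self.sessions[ctx] = counter + 1
        last = self.sessions[ctx] >= 2 * self.ROUNDS
        if last:
            del self.sessions[ctx]  # protocol done; this Context cannot be continued
        reply = issuance_message(ctx, counter + 1, "credential" if last else "issuer-round")
        return issuance_message_and_boolean(reply, last, f"{ctx}:log")


class User:
    def __init__(self):
        self.context = None

    def issuance_protocol_step(self, incoming):
        ctx = incoming.get("Context")
        if self.context is None:
            self.context = ctx
        elif ctx != self.context:
            raise ValueError("Issuer message belongs to a different Context")
        if incoming.find("opq:Round", ns).text == "credential":
            return ET.Element(f"{{{NS}}}CredentialDescription")  # protocol finished
        return issuance_message(ctx, counter_of(incoming) + 1, "user-round")


def run_issuance(issuer, user, max_rounds=10):
    """Drive the exchange; returns (CredentialDescription element, IssuanceLogEntryURI)."""
    to_user = issuer.init_issuance_protocol()
    ctx = to_user.get("Context")
    for _ in range(max_rounds):
        to_issuer = user.issuance_protocol_step(to_user)
        wrapper = issuer.issuance_protocol_step(to_issuer)
        msg = extract_issuance_message(wrapper)
        if msg.get("Context") != ctx:
            raise ValueError("Issuer reply does not echo the Context")
        if wrapper.findtext("abc:LastMessage", namespaces=ns) == "true":
            result = user.issuance_protocol_step(msg)
            return result, wrapper.findtext("abc:IssuanceLogEntryURI", namespaces=ns)
        to_user = msg
    raise RuntimeError("issuance protocol did not terminate")


def is_rejected(issuer, msg):
    """True if the Issuer refuses msg (e.g. a replay of an earlier User message)."""
    try:
        issuer.issuance_protocol_step(msg)
    except ValueError:
        return True
    return False
```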
This method deletes the credential with the given identifier from the credential store. If deletion is not possible (e.g. because the referenced credential does not exist), the method returns false; otherwise it returns true.
Stores a credential specification under the given UID.
Retrieve a credential specification stored at this service.
Deletes a credential specification.
Store (and overwrite existing) system parameters at the service. This method returns true if the system parameters were successfully stored.
Store (and overwrite existing) issuer parameters at the service (using the given identifier). This method returns true if the issuer parameters were successfully stored.
Deletes issuer parameters.
This method extracts the IssuanceMessage from an IssuanceMessageAndBoolean and returns the IssuanceMessage.
This method reloads the configuration of the webservice(s) and will completely wipe all storage of the webservice(s). Use with extreme caution!
This method verifies a given presentation token against a given PresentationPolicyAlternatives. This method will return a PresentationTokenDescription.
This method adds a credential specification alternative to a presentation policy inside PresentationPolicyAlternatives.
Deletes a credential specification alternative from a presentation policy inside a PresentationPolicyAlternatives.
Adds an issuer alternative to a presentation policy inside a PresentationPolicyAlternatives.
Deletes an issuer alternative from a presentation policy inside a PresentationPolicyAlternatives.
Adds a presentation policy alternative to a PresentationPolicyAlternatives.
Deletes a presentation policy alternative from a PresentationPolicyAlternatives.
Creates a resource under the URI given as part of the path. This will create an empty PresentationPolicyAlternatives stored under the resource URI as the key.
Adds an alias to a presentation policy in a PresentationPolicyAlternatives.
Deletes an alias from a presentation policy inside a PresentationPolicyAlternatives.
Deletes a predicate from a PresentationPolicyAlternatives.
Adds a predicate to a presentation policy in a PresentationPolicyAlternatives. The predicate p is a function (e.g. integer-less) with two arguments: an attribute at as lvalue and a constant value (e.g. 123) as rvalue. As of now, this method does not allow comparing attributes with other attributes.
Stores system parameters at this service.
Deletes issuer parameters.
Stores issuer parameters at this service. The UID given as part of the path must match the UID of the passed issuer parameters.
Given a presentation policy template, creates a presentation policy (while also embedding nonce bytes).
Stores a credential specification at this service. The UID given as part of the path must match the UID of the passed credential specification.
Retrieve a credential specification stored at this service.
Deletes a credential specification.
Deletes a resource. This means it deletes the associated redirect URI and PresentationPolicyAlternatives.
Stores PresentationPolicyAlternatives using the resource URI given as part of the path as the key (i.e. associates the PresentationPolicyAlternatives with the resource URI).
Retrieves PresentationPolicyAlternatives.
Lists all presentation policies stored at this service.
Stores a redirect URI (URL) and associates it with a resource.
Retrieves a redirect URI.
First step for a user to request a resource. This method will look up the corresponding presentation policy alternatives and return them, so that the user can create presentation tokens for them.
The second step for a user to request access to a resource. This method will verify the presentation token for the user and, if successful, return the redirect URI and an access token.
Verifies that an access token is valid, i.e. that a user successfully verified his credentials at this service for a resource. This method will return the name/URI of the resource the user requested. Once verified, the access token is deleted.
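The three verifier methods just described form one flow: look up the policy alternatives for a resource, verify the presentation token and hand out a redirect URI plus an access token, then consume that access token exactly once. The class below is an added example, not code from the ABC4Trust/FIWARE project: presentation-token verification is injected as `verify_token` because the real check is done by the ABCE verification engine, and the in-memory stores, the token format, the injectable clock and the expiry are assumptions (the text only says the token is deleted once verified; a lifetime is added here as the check a deployer would want).

```python
# Added example (not ABC4Trust/FIWARE project code): verifier-side resource
# flow modelled on requestResource, requestAccess and verifyAccessToken.
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class VerifierResourceService:
    def __init__(
        self,
        verify_token: Callable[[str, str], bool],   # (policy alternatives, presentation token) -> ok?
        clock: Callable[[], float] = time.time,
        ttl_seconds: float = 300.0,                 # assumed token lifetime
    ) -> None:
        self._verify_token = verify_token
        self._clock = clock
        self._ttl = ttl_seconds
        self._policies: Dict[str, str] = {}     # resource URI -> PresentationPolicyAlternatives
        self._redirects: Dict[str, str] = {}    # resource URI -> redirect URI
        self._access_tokens: Dict[str, Tuple[str, float]] = {}  # token -> (resource, expiry)

    def create_resource(self, resource: str, policy: str, redirect_uri: str) -> None:
        """Register a resource with its policy alternatives and redirect URI."""
        self._policies[resource] = policy
        self._redirects[resource] = redirect_uri

    def request_resource(self, resource: str) -> Optional[str]:
        """Step 1: hand the user the policy alternatives to build a token for."""
        return self._policies.get(resource)

    def request_access(self, resource: str, presentation_token: str) -> Optional[Tuple[str, str]]:
        """Step 2: verify the token; on success return (redirect URI, access token)."""
        policy = self._policies.get(resource)
        if policy is None or not self._verify_token(policy, presentation_token):
            return None                          # FORBIDDEN (Access to resource denied)
        token = secrets.token_urlsafe(32)        # unguessable: 256 bits from the OS CSPRNG
        self._access_tokens[token] = (resource, self._clock() + self._ttl)
        return self._redirects[resource], token

    def verify_access_token(self, token: str) -> Optional[str]:
        """Return the resource the token grants, consuming it: valid once, before expiry."""
        entry = self._access_tokens.pop(token, None)   # removed whether valid or expired
        if entry is None:
            return None                          # Token not valid.
        resource, expiry = entry
        if self._clock() > expiry:
            return None
        return resource


def demo() -> Tuple[Optional[Tuple[str, str]], Optional[str], Optional[str]]:
    """Constructed walk-through with a fake clock and a stub token check."""
    now = [1000.0]
    svc = VerifierResourceService(
        verify_token=lambda policy, tok: tok == "valid-token",   # stub, not real ABCE verification
        clock=lambda: now[0],
        ttl_seconds=60.0,
    )
    svc.create_resource("urn:example:resource", "<PPA/>", "https://app.example/welcome")
    denied = svc.request_access("urn:example:resource", "forged-token")      # None
    _redirect, access = svc.request_access("urn:example:resource", "valid-token")
    first = svc.verify_access_token(access)     # "urn:example:resource"
    second = svc.verify_access_token(access)    # None: the token was deleted on first use
    return denied, first, second
```

The single-use property comes from `dict.pop` in `verify_access_token`: the token is removed before its validity is even examined, so a replayed or expired token can never be accepted later. Tokens are generated with `secrets`, never derived from the resource name or the presentation token.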
Download and load settings from an issuer or any settings provider. This method will cause the user service to make a GET request to the specified url and download the contents, which must be valid Settings. DO NOT use this method with untrusted URLs or with issuers (or any other settings providers) that use DIFFERENT system parameters, as this method will overwrite the existing system parameters (see getSettings()).
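The warning above names two risks of the loadSettings step: the service fetches whatever URL it is given, and a provider with different system parameters silently replaces the ones already in use. The guarded loader below is an added example, not code from the ABC4Trust/FIWARE project: Settings are modelled as a mapping with the keys systemParameters, issuerParameters and credentialSpecifications (the real service exchanges an XML Settings artifact), and `fetch`, the host allowlist, `SettingsStore` and the constructed providers are assumptions.

```python
# Added example (not ABC4Trust/FIWARE project code): loadSettings with an
# allowlist on the provider URL and a refusal to overwrite differing system
# parameters. Settings shape, fetch callable and store are assumptions.
from typing import Any, Callable, Dict, Iterable, Optional
from urllib.parse import urlsplit

Settings = Dict[str, Any]


class SettingsStore:
    """In-memory stand-in for what the user service persists."""

    def __init__(self) -> None:
        self.system_parameters: Optional[str] = None
        self.issuer_parameters: Dict[str, str] = {}
        self.credential_specifications: Dict[str, str] = {}


def load_settings_guarded(
    store: SettingsStore,
    url: str,
    fetch: Callable[[str], Settings],
    allowed_hosts: Iterable[str],
) -> Dict[str, int]:
    """Fetch Settings from url and merge them into store, with two guards.

    1. Only HTTPS URLs whose host is on the allowlist are fetched, so the
       service cannot be pointed at an arbitrary settings provider.
    2. System parameters already present are never replaced by different
       ones; a mismatch means a wrong (or hostile) provider, so the call fails
       and the store is left untouched.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in set(allowed_hosts):
        raise PermissionError("settings provider not allowed: %s" % url)
    settings = fetch(url)
    system_parameters = settings.get("systemParameters")
    if not isinstance(system_parameters, str) or not system_parameters:
        raise ValueError("Settings without system parameters")
    if store.system_parameters is not None and store.system_parameters != system_parameters:
        raise ValueError("provider uses different system parameters; refusing to overwrite")
    store.system_parameters = system_parameters
    store.issuer_parameters.update(settings.get("issuerParameters", {}))
    store.credential_specifications.update(settings.get("credentialSpecifications", {}))
    return {"issuers": len(store.issuer_parameters), "specs": len(store.credential_specifications)}


# Constructed settings providers keyed by URL; fake_fetch stands in for the GET.
PROVIDERS: Dict[str, Settings] = {
    "https://issuer.example/settings": {
        "systemParameters": "SP-v1",
        "issuerParameters": {"urn:example:issuer:1": "IP-1"},
        "credentialSpecifications": {"urn:example:spec:id-card": "CS-id-card"},
    },
    "https://other.example/settings": {
        "systemParameters": "SP-v2",                 # different parameters: must be refused
        "issuerParameters": {"urn:example:issuer:2": "IP-2"},
        "credentialSpecifications": {},
    },
}
ALLOWED_HOSTS = ("issuer.example", "other.example")


def fake_fetch(url: str) -> Settings:
    return PROVIDERS[url]
```

The order of the checks matters: the allowlist is evaluated before any request is made, and the system-parameter comparison happens before anything is written, so a rejected load leaves the store exactly as it was.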
Request and response stubs (each distinct stub listed once):
Content-Type: text/plain
Content-Type: application/xml; Body: AuthenticationRequest
Content-Type: application/xml; Body: Settings
Content-Type: application/xml; Body: IssuanceRequest
Content-Type: application/xml; Body: IssuanceMessageAndBoolean
Content-Type: application/xml; Body: IssuanceMessage
Content-Type: text/x-www-form-urlencoded; Body: ?i=22
Content-Type: text/x-www-form-urlencoded; Body: ?i=22&language=en
Content-Type: text/x-www-form-urlencoded; Body: ?i=22&description=Attribute&language=en&value=Friendly%20Description
Content-Type: application/xml; Body: CredentialSpecification
Content-Type: application/xml; Body: QueryRule
Content-Type: application/xml; Body: QueryRuleCollection
Content-Type: application/xml; Body: IssuancePolicy
Content-Type: application/xml; Body: AttributeInfoCollection
Content-Type: application/xml; Body: IssuerParametersInput
Content-Type: application/xml; Body: IssuerParameters
Content-Type: application/xml; Body: PresentationPolicyAlternatives
Content-Type: application/xml; Body: ABCEBoolean
Content-Type: application/xml; Body: UiPresentationArguments
Content-Type: application/xml; Body: UiPresentationReturn
Content-Type: application/xml; Body: PresentationToken
Content-Type: application/xml; Body: CredentialCollection
Content-Type: application/xml; Body: Credential
Content-Type: text/plain (message: The credential could not be found.)
Content-Type: application/xml; Body: IssuanceReturn
Content-Type: application/xml; Body: UiIssuanceReturn
Content-Type: text/plain (message: The credentialSpecificationUid does not match the actual UID or is invalid.)
Content-Type: text/plain (message: The credential specification could not be found.)
Content-Type: application/xml; Body: SystemParameters
Content-Type: application/xml; Body: PresentationPolicyAlternativesAndPresentationToken
Content-Type: application/xml; Body: PresentationTokenDescription
Content-Type: text/plain (message: Either the alias, the resource or the presentation policy could not be found.)
Content-Type: text/plain (message: Either the resource, the attribute, the alias or the presentation policy could not be found.)
Content-Type: text/plain (message: The issuerParametersUid does not match the actual issuer parameters' UID.)
Content-Type: text/plain (message: UID given on the path does not match the actual UID.)
Content-Type: text/plain (message: PresentationPolicyAlternatives could not be found.)
Content-Type: application/xml; Body: PresentationPolicyAlternativesCollection
Content-Type: application/xml; Body: String
Content-Type: text/plain (message: FORBIDDEN (Access to resource denied))
Content-Type: text/plain (message: Token not valid.)