Credential Query Validation Policy Reference
This reference documents the credential query validation policy for the validator service. The credential query policy validates that presentation submissions satisfy their corresponding credential queries, ensuring that credentials can fulfill the requested data requirements.
Policy Overview
The credential query validation policy ensures that submitted verifiable presentations contain the credentials and data elements required by credential queries. It validates the compatibility between what is requested in a credential query and what is provided in the presentation submission, supporting multiple credential query standards and formats.
Supported Standards
The credential query validation policy supports query validation across multiple credential query standards:
Standard | Organization | Specification | Query Format | Validation Aspect |
---|---|---|---|---|
DIF Presentation Exchange | DIF | Presentation Exchange | JSON | Validates presentations against presentation definitions |
DCQL | DIF | Decentralized Credential Query Language | DCQL Query Language | Validates credential presentations against DCQL queries |
ISO 18013-5 Device Request | ISO | ISO 18013-5 | CBOR Device Request | Validates mDL presentations against device request data requirements |
Supported Query Types
The validator supports the following credential query types and their validation mechanisms:
Query Type | Description | Supported Formats | Primary Use Case |
---|---|---|---|
DIF.PresentationExchange | DIF Presentation Exchange standard | W3C VC, JWT VC, SD-JWT VC | General purpose credential presentation requests |
DCQL | Decentralized Credential Query Language | W3C VC, SD-JWT VC, mDL (mso_mdoc) | Flexible credential data queries with selective disclosure |
ISO18013-5.DeviceRequest | ISO 18013-5 mobile driving license requests | mDL (mso_mdoc) | Mobile driving license data verification |
Credential Query Validation Process
```mermaid
flowchart TD
    subgraph "Credential Query Validation"
        Input[Presentation Submission] --> DetectType[Detect Query Type]
        DetectType --> DIF{DIF PE?}
        DetectType --> DCQL{DCQL?}
        DetectType --> MDL{ISO18013-5?}
        DIF -->|Yes| ValidatePD[Validate Presentation Definition]
        ValidatePD --> ValidatePS[Validate Presentation Submission]
        ValidatePS --> EvaluatePresentation[Evaluate Presentation]
        EvaluatePresentation --> DifResult[DIF Result]
        DCQL -->|Yes| ParseDCQL[Parse DCQL Query]
        ParseDCQL --> CreateDCQLPresentation[Create DCQL Presentation]
        CreateDCQLPresentation --> EvaluateDCQL[Evaluate DCQL Query]
        EvaluateDCQL --> DcqlResult[DCQL Result]
        MDL -->|Yes| DecodeDeviceRequest[Decode Device Request]
        DecodeDeviceRequest --> ValidateVersion[Validate mDL Version]
        ValidateVersion --> ValidateDataElements[Validate Data Elements]
        ValidateDataElements --> MdlResult[mDL Result]
        DIF -->|No| Next1[Next Middleware]
        DCQL -->|No| Next2[Next Middleware]
        MDL -->|No| UnsupportedError[Unsupported Query Type]
        Next1 --> Next2
        Next2 --> UnsupportedError
        DifResult --> Decision{Valid?}
        DcqlResult --> Decision
        MdlResult --> Decision
        UnsupportedError --> Decision
        Decision -->|Yes| Valid[Valid Query]
        Decision -->|No| Invalid[Invalid Query]
    end
    style Input fill:#f9f9f9,stroke:#333,stroke-width:1px
    style DetectType fill:#e1f5fe,stroke:#333,stroke-width:1px
    style DIF fill:#e1f5fe,stroke:#333,stroke-width:1px
    style DCQL fill:#e1f5fe,stroke:#333,stroke-width:1px
    style MDL fill:#e1f5fe,stroke:#333,stroke-width:1px
    style ValidatePD fill:#e8f5e8,stroke:#333,stroke-width:1px
    style ValidatePS fill:#e8f5e8,stroke:#333,stroke-width:1px
    style EvaluatePresentation fill:#e8f5e8,stroke:#333,stroke-width:1px
    style ParseDCQL fill:#fff3e0,stroke:#333,stroke-width:1px
    style CreateDCQLPresentation fill:#fff3e0,stroke:#333,stroke-width:1px
    style EvaluateDCQL fill:#fff3e0,stroke:#333,stroke-width:1px
    style DecodeDeviceRequest fill:#f3e5f5,stroke:#333,stroke-width:1px
    style ValidateVersion fill:#f3e5f5,stroke:#333,stroke-width:1px
    style ValidateDataElements fill:#f3e5f5,stroke:#333,stroke-width:1px
    style Valid fill:#dcedc8,stroke:#333,stroke-width:1px
    style Invalid fill:#ffcdd2,stroke:#333,stroke-width:1px
```
When validating credential queries, the policy follows these steps:
- Query type detection - Identifies the type of credential query being validated
- Format-specific validation - Applies validation logic specific to the detected query type
- Presentation evaluation - Evaluates whether the presentation satisfies the query requirements
- Result determination - Returns validation results with detailed error information if validation fails
DIF Presentation Exchange Validation
For DIF Presentation Exchange queries, the policy:
- Validates presentation definition - Ensures the presentation definition is well-formed
- Validates presentation submission - Checks the presentation submission structure
- Evaluates presentation - Uses the PEX library to evaluate whether the presentation satisfies the definition
- Handles warnings - Processes evaluation warnings based on configuration
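The structural part of these steps can be illustrated with a check that a presentation submission's `descriptor_map` covers the definition's input descriptors. This is an added example, not the validator's or the PEX library's code; the function name, the sample definition and the sample submission are assumptions, and the error labels are taken from the Error Handling table on this page.

```javascript
// Added example, not the validator's code. Handles definitions without
// submission_requirements, where every input descriptor is required.
const FORMAT_ERROR = "Presentation Submission Format Error";
const EVALUATION_ERROR = "Presentation Submission Evaluation Error";

function checkSubmission(definition, submission) {
  const errors = [];
  const fail = (type, detail) => errors.push({ type, detail });
  if (!submission || !Array.isArray(submission.descriptor_map)) {
    fail(FORMAT_ERROR, "descriptor_map is missing or not an array");
    return { valid: false, errors };
  }
  if (submission.definition_id !== definition.id) {
    fail(FORMAT_ERROR, `definition_id does not reference ${definition.id}`);
  }
  const wanted = new Set(definition.input_descriptors.map((d) => d.id));
  const covered = new Set();
  for (const entry of submission.descriptor_map) {
    const complete = entry !== null && typeof entry === "object" &&
      ["id", "format", "path"].every((key) => typeof entry[key] === "string");
    if (!complete) {
      fail(FORMAT_ERROR, "descriptor_map entry lacks id, format or path");
    } else if (!wanted.has(entry.id)) {
      fail(FORMAT_ERROR, `entry references unknown input descriptor ${entry.id}`);
    } else {
      covered.add(entry.id);
    }
  }
  // Every input descriptor left without a mapped credential fails evaluation.
  for (const id of wanted) {
    if (!covered.has(id)) fail(EVALUATION_ERROR, `no credential mapped to ${id}`);
  }
  return { valid: errors.length === 0, errors };
}

// Constructed sample: the definition asks for two credentials, the submission maps one.
const DEFINITION = {
  id: "kyc-check",
  input_descriptors: [{ id: "identity" }, { id: "proof_of_address" }],
};
const PARTIAL_SUBMISSION = {
  id: "submission-1",
  definition_id: "kyc-check",
  descriptor_map: [{ id: "identity", format: "jwt_vc", path: "$.verifiableCredential[0]" }],
};
console.log(checkSubmission(DEFINITION, PARTIAL_SUBMISSION));
```

The check covers the mapping only; whether the credential at each `path` meets the descriptor's constraints is the evaluation step the page assigns to the PEX library.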
DCQL Validation
For DCQL queries, the policy:
- Parses DCQL query - Validates and parses the DCQL query syntax
- Creates credential presentation - Transforms submitted credentials into DCQL presentation format
- Evaluates query - Determines if the presentation can satisfy the DCQL query requirements
- Supports multiple formats - Handles W3C VC, SD-JWT VC, and mDL credentials
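The evaluation step can be illustrated with DCQL claims path pointers resolved against the claims a holder disclosed from an SD-JWT VC, showing how a withheld claim makes the query unsatisfied. This is an added example, not the validator's code; the function names and all sample data are assumptions, and path components that do not fit the node type are treated as non-matching.

```javascript
// Added example, not the validator's code; sample data is constructed.
// Path components: string = object key, integer = array index, null = every array element.
function selectByPath(root, path) {
  let selected = [root];
  for (const part of path) {
    const next = [];
    for (const node of selected) {
      if (part === null || Number.isInteger(part)) {
        if (!Array.isArray(node)) continue;
        if (part === null) next.push(...node);
        else if (part >= 0 && part < node.length) next.push(node[part]);
      } else if (typeof part === "string" && node !== null && typeof node === "object" &&
                 !Array.isArray(node) && Object.prototype.hasOwnProperty.call(node, part)) {
        next.push(node[part]);
      }
    }
    selected = next;
  }
  return selected;
}

// Checks one DCQL credential query against the claims a holder actually disclosed.
function evaluateCredentialQuery(query, presented) {
  const missing = [];
  if (presented.format !== query.format) missing.push("format");
  const types = query.meta && query.meta.vct_values;
  if (types && !types.includes(presented.claims.vct)) missing.push("vct");
  for (const claim of query.claims || []) {
    const found = selectByPath(presented.claims, claim.path);
    const ok = claim.values ? found.some((v) => claim.values.includes(v)) : found.length > 0;
    if (!ok) missing.push(JSON.stringify(claim.path));
  }
  return { satisfied: missing.length === 0, missing };
}
const VCT = "https://credentials.example.com/identity_credential";
const CREDENTIAL_QUERY = {
  id: "pid", format: "dc+sd-jwt", meta: { vct_values: [VCT] },
  claims: [
    { path: ["given_name"] },
    { path: ["address", "locality"] },
    { path: ["nationalities", null], values: ["DE"] },
  ],
};
// The holder disclosed given_name and nationalities but withheld the address claims.
const ADDRESS_WITHHELD = {
  format: "dc+sd-jwt",
  claims: { vct: VCT, given_name: "Erika", nationalities: ["FR", "DE"] },
};
console.log(evaluateCredentialQuery(CREDENTIAL_QUERY, ADDRESS_WITHHELD));
```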
ISO 18013-5 Device Request Validation
For mDL device requests, the policy:
- Decodes device request - Parses the CBOR-encoded device request
- Validates version compatibility - Ensures mDL version matches device request version
- Validates data elements - Checks that all requested data elements are present in the mDL
- Handles multiple documents - Validates against multiple document types if required
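The version and data element checks can be illustrated on an already decoded device request and mdoc. This is an added example, not the validator's code; the function name and sample values are assumptions, the inputs are taken to be CBOR-decoded into plain objects using the ISO 18013-5 field names, and comparing the request version with the response's `version` field is one reading of the version check.

```javascript
// Added example, not the validator's code. Inputs are constructed and assumed to be
// CBOR-decoded already, with the tag-24 wrappers around itemsRequest and items removed.
function validateDeviceRequest(deviceRequest, deviceResponse) {
  const errors = [];
  if (deviceRequest.version !== deviceResponse.version) {
    errors.push(`version mismatch: request ${deviceRequest.version}, mdoc ${deviceResponse.version}`);
  }
  for (const { itemsRequest } of deviceRequest.docRequests) {
    const doc = (deviceResponse.documents || []).find((d) => d.docType === itemsRequest.docType);
    if (!doc) {
      errors.push(`no document of type ${itemsRequest.docType}`);
      continue;
    }
    // Only issuer-signed items are counted as present here.
    const signed = (doc.issuerSigned && doc.issuerSigned.nameSpaces) || {};
    for (const [ns, requested] of Object.entries(itemsRequest.nameSpaces)) {
      const present = new Set((signed[ns] || []).map((item) => item.elementIdentifier));
      for (const elementId of Object.keys(requested)) {
        if (!present.has(elementId)) errors.push(`missing ${ns}/${elementId}`);
      }
    }
  }
  return { valid: errors.length === 0, errors };
}

const MDL_NS = "org.iso.18013.5.1";
const DEVICE_REQUEST = {
  version: "1.0",
  docRequests: [{
    itemsRequest: {
      docType: "org.iso.18013.5.1.mDL",
      // Each value is the reader's intentToRetain flag for that element.
      nameSpaces: { [MDL_NS]: { family_name: false, birth_date: false, portrait: false } },
    },
  }],
};
// The mdoc carries two of the three requested elements.
const DEVICE_RESPONSE = {
  version: "1.0",
  documents: [{
    docType: "org.iso.18013.5.1.mDL",
    issuerSigned: { nameSpaces: { [MDL_NS]: [
      { elementIdentifier: "family_name", elementValue: "Mustermann" },
      { elementIdentifier: "birth_date", elementValue: "1990-01-01" },
    ] } },
  }],
};
console.log(validateDeviceRequest(DEVICE_REQUEST, DEVICE_RESPONSE));
```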
Error Handling
The credential query policy returns specific errors for various validation scenarios:
Error Type | Description | Typical Cause |
---|---|---|
Credential Query Format Error | Query format is invalid or malformed | Invalid DIF PE definition, malformed DCQL query |
Presentation Submission Format Error | Presentation submission structure is invalid | Missing required fields, invalid submission format |
Presentation Submission Evaluation Error | Presentation cannot satisfy query requirements | Missing credentials, insufficient data elements |
Unsupported Query Type Error | Query type is not supported | Unknown or unsupported credential query format |
Configuration
The credential query validation policy can be configured through the validator configuration:
- Skip presentation submission policies - Allows bypassing credential query validation entirely, in which case submissions are not checked against the credential query at all
- Presentation evaluation warning handling - Configures how to handle evaluation warnings (valid/warning/error)
For detailed configuration options, parameters, and default values, see the Validator Configuration Reference.
Query Type Support Matrix
Credential Format | DIF PE | DCQL | ISO18013-5 | Notes |
---|---|---|---|---|
W3C VC (JSON-LD) | ✅ | ✅ | ❌ | Full support for W3C credentials |
JWT VC | ✅ | ✅ | ❌ | JWT-format verifiable credentials |
SD-JWT VC | ✅ | ✅ | ❌ | Selective disclosure JWT credentials |
mDL (mso_mdoc) | ✅ | ✅ | ✅ | Mobile driving license format |
IETF Digital Cred | ✅ | ✅ | ❌ | IETF digital credentials |
Best Practices
When using credential query validation:
- Use appropriate query types - Choose the query type that best fits your use case and credential formats
- Handle warnings appropriately - Configure warning handling based on your security requirements
- Validate query structure - Ensure queries are well-formed before submission
- Consider selective disclosure - Use DCQL for scenarios requiring selective attribute disclosure
- Test with multiple formats - Validate your queries work with all supported credential formats