Credential Query Validation Policy Reference

This reference documents the credential query validation policy for the validator service. The credential query policy validates that presentation submissions satisfy their corresponding credential queries, ensuring that credentials can fulfill the requested data requirements.

Policy Overview

The credential query validation policy ensures that submitted verifiable presentations contain the credentials and data elements required by credential queries. It validates the compatibility between what is requested in a credential query and what is provided in the presentation submission, supporting multiple credential query standards and formats.

Supported Standards

The credential query validation policy supports query validation across multiple credential query standards:

Standard	Organization	Specification	Query Format	Validation Aspect
DIF Presentation Exchange	DIF	Presentation Exchange	JSON	Validates presentations against presentation definitions
DCQL	DIF	Decentralized Credential Query Language	DCQL Query Language	Validates credential presentations against DCQL queries
ISO 18013-5 Device Request	ISO	ISO 18013-5	CBOR Device Request	Validates mDL presentations against device request data requirements

Supported Query Types

The validator supports the following credential query types and their validation mechanisms:

Query Type	Description	Supported Formats	Primary Use Case
DIF.PresentationExchange	DIF Presentation Exchange standard	W3C VC, JWT VC, SD-JWT VC	General purpose credential presentation requests
DCQL	Decentralized Credential Query Language	W3C VC, SD-JWT VC, mDL (mso_mdoc)	Flexible credential data queries with selective disclosure
ISO18013-5.DeviceRequest	ISO 18013-5 mobile driving license requests	mDL (mso_mdoc)	Mobile driving license data verification

Credential Query Validation Process

flowchart TD
    subgraph "Credential Query Validation"
        Input[Presentation Submission] --> DetectType[Detect Query Type]
        DetectType --> DIF{DIF PE?}
        DetectType --> DCQL{DCQL?}
        DetectType --> MDL{ISO18013-5?}

        DIF -->|Yes| ValidatePD[Validate Presentation Definition]
        ValidatePD --> ValidatePS[Validate Presentation Submission]
        ValidatePS --> EvaluatePresentation[Evaluate Presentation]
        EvaluatePresentation --> DifResult[DIF Result]

        DCQL -->|Yes| ParseDCQL[Parse DCQL Query]
        ParseDCQL --> CreateDCQLPresentation[Create DCQL Presentation]
        CreateDCQLPresentation --> EvaluateDCQL[Evaluate DCQL Query]
        EvaluateDCQL --> DcqlResult[DCQL Result]

        MDL -->|Yes| DecodeDeviceRequest[Decode Device Request]
        DecodeDeviceRequest --> ValidateVersion[Validate mDL Version]
        ValidateVersion --> ValidateDataElements[Validate Data Elements]
        ValidateDataElements --> MdlResult[mDL Result]

        DIF -->|No| Next1[Next Middleware]
        DCQL -->|No| Next2[Next Middleware]
        MDL -->|No| UnsupportedError[Unsupported Query Type]

        Next1 --> Next2
        Next2 --> UnsupportedError

        DifResult --> Decision{Valid?}
        DcqlResult --> Decision
        MdlResult --> Decision
        UnsupportedError --> Decision

        Decision -->|Yes| Valid[Valid Query]
        Decision -->|No| Invalid[Invalid Query]
    end

    style Input fill:#f9f9f9,stroke:#333,stroke-width:1px
    style DetectType fill:#e1f5fe,stroke:#333,stroke-width:1px
    style DIF fill:#e1f5fe,stroke:#333,stroke-width:1px
    style DCQL fill:#e1f5fe,stroke:#333,stroke-width:1px
    style MDL fill:#e1f5fe,stroke:#333,stroke-width:1px
    style ValidatePD fill:#e8f5e8,stroke:#333,stroke-width:1px
    style ValidatePS fill:#e8f5e8,stroke:#333,stroke-width:1px
    style EvaluatePresentation fill:#e8f5e8,stroke:#333,stroke-width:1px
    style ParseDCQL fill:#fff3e0,stroke:#333,stroke-width:1px
    style CreateDCQLPresentation fill:#fff3e0,stroke:#333,stroke-width:1px
    style EvaluateDCQL fill:#fff3e0,stroke:#333,stroke-width:1px
    style DecodeDeviceRequest fill:#f3e5f5,stroke:#333,stroke-width:1px
    style ValidateVersion fill:#f3e5f5,stroke:#333,stroke-width:1px
    style ValidateDataElements fill:#f3e5f5,stroke:#333,stroke-width:1px
    style Valid fill:#dcedc8,stroke:#333,stroke-width:1px
    style Invalid fill:#ffcdd2,stroke:#333,stroke-width:1px

When validating credential queries, the policy follows these steps:

Query type detection - Identifies the type of credential query being validated
Format-specific validation - Applies validation logic specific to the detected query type
Presentation evaluation - Evaluates whether the presentation satisfies the query requirements
Result determination - Returns validation results with detailed error information if validation fails

DIF Presentation Exchange Validation

For DIF Presentation Exchange queries, the policy:

Validates presentation definition - Ensures the presentation definition is well-formed
Validates presentation submission - Checks the presentation submission structure
Evaluates presentation - Uses the PEX library to evaluate whether the presentation satisfies the definition
Handles warnings - Processes evaluation warnings based on configuration

DCQL Validation

For DCQL queries, the policy:

Parses DCQL query - Validates and parses the DCQL query syntax
Creates credential presentation - Transforms submitted credentials into DCQL presentation format
Evaluates query - Determines if the presentation can satisfy the DCQL query requirements
Supports multiple formats - Handles W3C VC, SD-JWT VC, and mDL credentials

ISO 18013-5 Device Request Validation

For mDL device requests, the policy:

Decodes device request - Parses the CBOR-encoded device request
Validates version compatibility - Ensures mDL version matches device request version
Validates data elements - Checks that all requested data elements are present in the mDL
Handles multiple documents - Validates against multiple document types if required

Error Handling

The credential query policy returns specific errors for various validation scenarios:

Error Type	Description	Typical Cause
Credential Query Format Error	Query format is invalid or malformed	Invalid DIF PE definition, malformed DCQL query
Presentation Submission Format Error	Presentation submission structure is invalid	Missing required fields, invalid submission format
Presentation Submission Evaluation Error	Presentation cannot satisfy query requirements	Missing credentials, insufficient data elements
Unsupported Query Type Error	Query type is not supported	Unknown or unsupported credential query format

Configuration

The credential query validation policy can be configured through the validator configuration:

Skip presentation submission policies - Allows bypassing credential query validation entirely
Presentation evaluation warning handling - Configures how to handle evaluation warnings (valid/warning/error)

For detailed configuration options, parameters, and default values, see the Validator Configuration Reference.

Query Type Support Matrix

Credential Format	DIF PE	DCQL	ISO18013-5	Notes
W3C VC (JSON-LD)	✅	✅	❌	Full support for W3C credentials
JWT VC	✅	✅	❌	JWT-format verifiable credentials
SD-JWT VC	✅	✅	❌	Selective disclosure JWT credentials
mDL (mso_mdoc)	✅	✅	✅	Mobile driving license format
IETF Digital Cred	✅	✅	❌	IETF digital credentials

Best Practices

When using credential query validation:

Use appropriate query types - Choose the query type that best fits your use case and credential formats
Handle warnings appropriately - Configure warning handling based on your security requirements
Validate query structure - Ensure queries are well-formed before submission
Consider selective disclosure - Use DCQL for scenarios requiring selective attribute disclosure
Test with multiple formats - Validate your queries work with all supported credential formats