Credential Query Validation Policy Reference
This reference documents the credential query validation policy for the validator service. The credential query policy validates that presentation submissions satisfy their corresponding credential queries, ensuring that credentials can fulfill the requested data requirements.
Policy Overview
The credential query validation policy ensures that submitted verifiable presentations contain the credentials and data elements required by credential queries. It validates the compatibility between what is requested in a credential query and what is provided in the presentation submission, supporting multiple credential query standards and formats.
Supported Standards
The credential query validation policy supports query validation across multiple credential query standards:
| Standard | Organization | Specification | Query Format | Validation Aspect |
|---|---|---|---|---|
| DIF Presentation Exchange | DIF | Presentation Exchange | JSON | Validates presentations against presentation definitions |
| DCQL | DIF | Decentralized Credential Query Language | DCQL Query Language | Validates credential presentations against DCQL queries |
| ISO 18013-5 Device Request | ISO | ISO 18013-5 | CBOR Device Request | Validates mDL presentations against device request data requirements |
Supported Query Types
The validator supports the following credential query types and their validation mechanisms:
| Query Type | Description | Supported Formats | Primary Use Case |
|---|---|---|---|
| DIF.PresentationExchange | DIF Presentation Exchange standard | W3C VC, JWT VC, SD-JWT VC | General purpose credential presentation requests |
| DCQL | Decentralized Credential Query Language | W3C VC, SD-JWT VC, mDL (mso_mdoc) | Flexible credential data queries with selective disclosure |
| ISO18013-5.DeviceRequest | ISO 18013-5 mobile driving license requests | mDL (mso_mdoc) | Mobile driving license data verification |
Credential Query Validation Process
When validating credential queries, the policy follows these steps:
- Query type detection - Identifies the type of credential query being validated
- Format-specific validation - Applies validation logic specific to the detected query type
- Presentation evaluation - Evaluates whether the presentation satisfies the query requirements
- Result determination - Returns validation results with detailed error information if validation fails
DIF Presentation Exchange Validation
For DIF Presentation Exchange queries, the policy:
- Validates presentation definition - Ensures the presentation definition is well-formed
- Validates presentation submission - Checks the presentation submission structure
- Evaluates presentation - Uses the PEX library to evaluate whether the presentation satisfies the definition
- Handles warnings - Processes evaluation warnings based on configuration
DCQL Validation
For DCQL queries, the policy:
- Parses DCQL query - Validates and parses the DCQL query syntax
- Creates credential presentation - Transforms submitted credentials into DCQL presentation format
- Evaluates query - Determines if the presentation can satisfy the DCQL query requirements
- Supports multiple formats - Handles W3C VC, SD-JWT VC, and mDL credentials
ISO 18013-5 Device Request Validation
For mDL device requests, the policy:
- Decodes device request - Parses the CBOR-encoded device request
- Validates version compatibility - Ensures mDL version matches device request version
- Validates data elements - Checks that all requested data elements are present in the mDL
- Handles multiple documents - Validates against multiple document types if required
Error Handling
The credential query policy returns specific errors for various validation scenarios:
| Error Type | Description | Typical Cause |
|---|---|---|
| Credential Query Format Error | Query format is invalid or malformed | Invalid DIF PE definition, malformed DCQL query |
| Presentation Submission Format Error | Presentation submission structure is invalid | Missing required fields, invalid submission format |
| Presentation Submission Evaluation Error | Presentation cannot satisfy query requirements | Missing credentials, insufficient data elements |
| Unsupported Query Type Error | Query type is not supported | Unknown or unsupported credential query format |
Configuration
The credential query validation policy can be configured through the validator configuration:
- Skip presentation submission policies - Allows bypassing credential query validation entirely
- Presentation evaluation warning handling - Configures how to handle evaluation warnings (valid/warning/error)
For detailed configuration options, parameters, and default values, see the Validator Configuration Reference.
Query Type Support Matrix
| Credential Format | DIF PE | DCQL | ISO18013-5 | Notes |
|---|---|---|---|---|
| W3C VC (JSON-LD) | ✅ | ✅ | ❌ | Full support for W3C credentials |
| JWT VC | ✅ | ✅ | ❌ | JWT-format verifiable credentials |
| SD-JWT VC | ✅ | ✅ | ❌ | Selective disclosure JWT credentials |
| mDL (mso_mdoc) | ✅ | ✅ | ✅ | Mobile driving license format |
| IETF Digital Cred | ✅ | ✅ | ❌ | IETF digital credentials |
Best Practices
When using credential query validation:
- Use appropriate query types - Choose the query type that best fits your use case and credential formats
- Handle warnings appropriately - Configure warning handling based on your security requirements
- Validate query structure - Ensure queries are well-formed before submission
- Consider selective disclosure - Use DCQL for scenarios requiring selective attribute disclosure
- Test with multiple formats - Validate your queries work with all supported credential formats