Retrieve a pension credential from Kela (the Finish Social Security Institution)

• Download one of the compliant personal wallets and go to one (or all) of the 4 issuers (see below)

Present the pension credential to HSL (Helsinki Region Transport)

• Go to one (or all) of the 4 relying parties (see below) and scan the QR code

Broader context:

Although the use case describes a simple flow with just one issuer and one verifier, Findynet sees lots of potential for growth in the ecosystem. Firstly, pensioners could use their pension credentials in many other places in addition to proving their eligibility for discount in public transport. For example, museums, swimming halls, gyms, and restaurants could accept the credential. In production use, at least the issuers should be members of verifiable discount eligibility ecosystem. In other ecosystems, it may be important that also verifiers are ecosystem members. Even if they are not members of an ecosystem or there is no authority vouching for verifiers in the OpenID Federation trust framework, they could still issue their own OpenID Federation entity statements that wallets could show to the holders. 3 Secondly, also students, disabled people, veterans, and other groups could get similar credentials from various issuers, and use them to get similar discounts as pensioners.

<Coming soon>

An introductory video with an overview of the Discount Eligibility Sandbox, walking users through the replay scenarios.

Users in the sandbox use personal digital wallets compatible with the interop specifications, allowing them to receive, manage, and share credentials. The following wallet has been tested on corformity:

• Sphereon

More information on the Personal Wallets page.

Each participating organization in this use case has an organizational wallet to hold, issue, and/or verify credentials. The organizational wallets for this use case are hosted by the following wallet providers:

• Lissi

• Paradym

• Sicpa

• WaltID

More information on the Organizational Wallets page.

Wallet implementations must conform to the following specifications:

DIIP v3 Specification

• OpenID for Verifiable Credential Issuance Implementer's Draft 1

• OpenID for Verifiable Presentations - Draft 20

• Self-Issued OpenID Provider (SIOP) v2 - Draft 13

• DIF Presentation Exchange v2.0.0

• Selective Disclosure JWT (SD-JWT) VC Draft 4

• did:web (For resolving the Issuers)

• did:jwk (For human DIDs)

• Signature Algorithm: ES256 (ECDSA using P-256 and SHA-256)

• Credential status: OAuth Status List - Draft 2

Wallet implementations may show how they support OpenID Federation to advice users that the issuer and the verifier are approved participants in the ecosystem (based on the subordinate statements of the Trust Anchor). OpenID Federation 1.0 - draft 39

• OpenID Federation instructions

Additional Requirements

• Resolution of DID Domain Linkage in JSON Web Token (JWT) Proof Format

• Resolution of DIF Linked Verifiable Presentation in JWT Proof Format

For both SIOPv2 and OpenID4VP the following specifics are used within the specs

• Cross-Device Flow

• Using Static Configuration Values

• Using the did & client_id_scheme

• Use the vp_token and id_token Authorization Responses
  
  

The issuer in this use case is the Social Security Institution of Finland (Kela) who issues a credential asserting that the subject is entitled to a pension benefit paid by Kela.

In this sandbox setup the role of Kela is fulfilled by for different (hosted) organizational wallet providers. each of them configured to issue the Kela pension credential:

• Lissi: https://issuer.lissi.pensiondemo.findy.fi/

• Paradym: https://issuer.paradym.pensiondemo.findy.fi/

• SICPA: https://issuer.sicpa.pensiondemo.findy.fi/

• Walt.id: https://issuer.waltid.pensiondemo.findy.fi/

Hover over “Log in” link on the top of the page, select any identity from the select list and you will get a credential offer as a QR code.

The verifier in this use case is the Helsinki Region Transport (HSL). They use the credential to ensure that their customer is eligible for discounted tickets in public transport.

In this sandbox setup the role of HSL is fulfilled by for different (hosted) organizational wallet providers. each of them configured to do the same presentation request:

• Lissi: https://verifier.lissi.pensiondemo.findy.fi/

• Paradym: https://verifier.paradym.pensiondemo.findy.fi/

• SICPA: https://verifier.sicpa.pensiondemo.findy.fi/walt.id: https://verifier.waltid.pensiondemo.findy.fi/

The verifiers show a presentation request as a QR code.

<coming soon>

Links to automated test scripts in FIDES Test Bed.