Clarification needed: Does DCQL claims matching apply to non-SD payload claims or only to selective disclosures?
Summary
The spec does not explicitly state whether the claims array in a DCQL Credential Query applies only to selectively disclosable claims or to all claims in a credential (including non-SD JWT payload claims). While this can be inferred from several passages, an explicit normative statement would remove ambiguity for implementers.
Background
For SD-JWT VC credentials, there are two categories of claims:
- Non-SD payload claims — always present in the signed JWT (e.g. iss, vct, cnf). The Wallet has no ability to withhold these.
- Selective disclosures (SDs) — claims the Wallet can choose to reveal or withhold per-presentation.
The question is: when a Verifier specifies a claims array in the DCQL query, does the Wallet evaluate those paths against SDs only, or against both SDs and non-SD payload claims?
Evidence that claims applies to SDs only
Several passages suggest claims is scoped to selective disclosures:
Section 6.4 opening paragraph:
"For formats supporting selective disclosure, these rules support selecting a minimal dataset... Wallets MUST NOT send selectively disclosable claims that have not been selected according to the rules below."
The MUST NOT prohibition is explicitly scoped to selectively disclosable claims only.
Section 6.4 (same paragraph):
"A single Presentation of a Credential MAY contain more than the claims selected in the particular DCQL Credential Query if [...] the additional claims are not selectively disclosable."
This explicitly acknowledges that non-SD claims can appear in the presentation beyond what claims specifies.
Section 6.4.1, claims absent rule:
"If claims is absent, the Verifier is requesting no claims that are selectively disclosable; the Wallet MUST return only the claims that are mandatory to present (e.g., SD-JWT and Key Binding JWT for a Credential of format IETF SD-JWT VC)."
The definition of "no claims requested" is framed entirely as "no selectively disclosable claims" — and non-SD mandatory claims still come through regardless.
Section 15.4 (Selective Disclosure, Privacy Considerations):
"The DCQL helps facilitate selective disclosure by allowing the Verifier to specify the claims it is interested in, allowing the Wallet to disclose only the claims that are relevant to the Verifier's request."
The ambiguity
Despite the above, Section 6.4.1 also states:
"When a Claims Query contains a restriction on the values of a claim, the Wallet SHOULD NOT return the claim if its value does not match [...] the claim should be treated the same as if it did not exist in the Credential."
For a non-SD payload claim, the Wallet cannot suppress the claim from the response — it is baked into the signed JWT. So "treat as if it did not exist" can only mean disqualifying the entire credential from selection, not suppressing the claim from disclosure. This inconsistency further highlights the need for clarification.
Proposed clarification
We suggest adding an explicit normative statement to Section 6.4 or Section 6.4.1 along the lines of:
"The claims array governs which selectively disclosable claims the Wallet includes in the Presentation. Claims that are not selectively disclosable (e.g., non-SD JWT payload claims) are always included in the Presentation regardless of whether they appear in the claims array. When a values constraint is specified for a non-SD payload claim and the value does not match, the Wallet MUST treat the credential as not satisfying the query."
Impact
Without this clarification, Wallet implementations may diverge on:
- Whether to evaluate claims paths against the full decoded credential or SDs only during credential selection.
- How to handle values mismatches on non-SD payload claims — credential disqualification vs. claim suppression.
References
- Section 6.3 Claims Query
- Section 6.4 Selecting Claims and Credentials
- Section 6.4.1 Selecting Claims
- Section 15.4 Selective Disclosure
- Appendix B.3 IETF SD-JWT VC
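
The two divergence points listed under Impact, as an added example that is not part of the original issue or of the specification text. The names `select`, `presented`, `CREDENTIAL`, `QUERY_OK` and `QUERY_BAD` are hypothetical, the credential is constructed sample data, and the sketch assumes single-element paths, no claim_sets, and that every listed claim is required.

```python
# Constructed sample: a decoded SD-JWT VC reduced to top-level claims.
CREDENTIAL = {
    # Non-SD payload claims: part of the signed JWT, cannot be withheld.
    "fixed": {"iss": "https://issuer.example", "vct": "https://credentials.example/pid"},
    # Selectively disclosable claims: one disclosure each.
    "sd": {"given_name": "Erika", "address_country": "DE"},
}
QUERY_OK = [{"path": ["vct"], "values": ["https://credentials.example/pid"]},
            {"path": ["given_name"]}]
QUERY_BAD = [{"path": ["vct"], "values": ["https://credentials.example/other"]},
             {"path": ["given_name"]}]

def select(cred, claims, scope="all", fixed_mismatch="disqualify"):
    """Return the SD claim names to disclose, or None if the credential
    does not satisfy the query.

    scope: "all" resolves paths against non-SD and SD claims;
           "sd_only" resolves them against disclosures only.
    fixed_mismatch: "disqualify" rejects the credential when a non-SD claim
           fails its values constraint (the wording proposed in the issue);
           "suppress" merely leaves the claim out of the selection, although
           the signed payload still carries it.
    """
    disclose = []
    for q in claims:
        name = q["path"][0]              # assumption: single-element paths
        allowed = q.get("values")
        if scope == "all" and name in cred["fixed"]:
            mismatch = allowed is not None and cred["fixed"][name] not in allowed
            if mismatch and fixed_mismatch == "disqualify":
                return None
            continue                     # non-SD claim: nothing to select
        if name not in cred["sd"]:
            return None                  # assumption: every listed claim is required
        if allowed is not None and cred["sd"][name] not in allowed:
            return None                  # SD claim treated as if it did not exist
        disclose.append(name)
    return disclose

def presented(cred, disclose):
    """Claims the Verifier actually receives: all non-SD claims plus chosen SDs."""
    return {**cred["fixed"], **{k: cred["sd"][k] for k in disclose}}
```

With `QUERY_OK`, the "sd_only" reading rejects a credential that the "all" reading accepts; with `QUERY_BAD`, the "suppress" reading presents a credential whose `vct` the Verifier's values constraint excluded.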