Glossary

Certificate Authority (CA)

An organization responsible for the creation, issuance, revocation, and management of certificates, as defined in Proof's Certificate Policy. The term applies equally to Root CAs, Intermediate CAs, and Issuing CAs. See Proof Certificate Authority.

CRL

Certificate Revocation List. A regularly updated, time-stamped list of revoked certificates created and digitally signed by the issuing CA. Verifiers consult the CRL or OCSP to confirm a certificate is still valid. Proof's CRL is at http://crl.proof.com.

Disclosure

A base64url-encoded JSON array of [salt, claim_name, claim_value] representing a single selectively-disclosable claim of an SD-JWT VC, defined in RFC 9901. The Holder sends only the Disclosures the Verifier asks for. The Verifier confirms each Disclosure hashes to a digest in the credential's _sd array.

Holder

An entity that receives Verifiable Credentials and has control over them to present them to Verifiers as Presentations, as defined in OID4VP. The term covers the user, the wallet software, and the underlying hardware.

Holder Binding

The Holder's ability to prove legitimate possession of a credential, as defined in OID4VP. Three forms exist: cryptographic (private-key proof), claims-based (proving claims like name and date of birth, often by presenting another credential), and biometric (fingerprint or face). Proof uses cryptographic Holder Binding via the Key Binding JWT.

Issuer

An entity that issues Verifiable Credentials, as defined in OID4VCI. In OAuth 2.0 terms, the Issuer acts as a Resource Server and may also act as an Authorization Server. Proof is the Issuer of ProofCredentialV1 and operates a public Certificate Authority that signs every credential it issues.

Issuing CA

A CA certificate issued by a Root or Intermediate CA that issues end-entity certificates to Subscribers, as defined in Proof's Certificate Policy. Proof's Verifiable Credential operations rely on two Issuing CAs valid for 5 years: Proof Organization Authenticity Issuing CA R1 and Proof Individual Authenticity Issuing CA R1. See Proof Certificate Authority.

JWK

JSON Web Key. A JSON object that represents a cryptographic key, defined in RFC 7517. Proof's JWKS at https://api.proof.com/openid-connect/jwks lists the public keys Proof uses to sign Verifiable Credentials.

Key Binding JWT (KB-JWT)

A JWT signed by the Holder's private key during a presentation, defined in RFC 9901. It carries the Verifier's nonce, the aud, an iat, an sd_hash over the SD-JWT, and (optionally) transaction_data. The Verifier validates it with the public key in the credential's cnf.jwk claim.

OCSP

Online Certificate Status Protocol. An online certificate-checking protocol that lets Verifiers ask whether a single certificate is still valid. Proof's OCSP responder is at http://ocsp.proof.com.

OID4VCI

OpenID for Verifiable Credential Issuance. The protocol for issuing Verifiable Credentials directly into a Holder's wallet. See the specification. Proof's implementation is in development; see Issue a Credential.

OID4VP

OpenID for Verifiable Presentations. The protocol for requesting and receiving Verifiable Presentations from a Holder's wallet. See the specification. Proof implements OID4VP; see Verify a Credential.

Relying Party (RP)

A service that requests and verifies Verifiable Credentials. In OID4VP, the Verifier is described as "a specific case of an OAuth 2.0 Client, just like a Relying Party (RP) in OpenID Connect Core."

Root CA

A top-level, self-signed CA certificate that issues other CA certificates, as defined in Proof's Certificate Policy. The corresponding private key is kept offline. Proof Root CA R1 is published at http://cert.proof.com/proof-root-ca-r1.crt.

SD-JWT

Selective Disclosure JWT. A composite structure consisting of an Issuer-signed JWT and zero or more Disclosures, defined in RFC 9901. The mechanism that powers SD-JWT VC.

SD-JWT VC

A Verifiable Credential encoded in the SD-JWT format. Specified in draft-ietf-oauth-sd-jwt-vc-16 on top of RFC 9901. The format Proof uses to issue every Verifiable Credential. See SD-JWT VC Format.

Selective Disclosure

The process by which a Holder discloses to a Verifier a subset of the claims contained in a JWT issued by an Issuer, as defined in RFC 9901. For Proof's credentials, the Holder's wallet picks the requested subset and sends only the matching Disclosures.

transaction_data

A parameter on an OID4VP Authorization Request that binds external context, such as a wire transfer, a payment mandate, or an itemized purchase, into the credential presentation. Defined in the OID4VP specification. Proof publishes a catalog of supported templates; see Transaction Data Templates.

Verifiable Credential (VC)

An Issuer-signed credential whose authenticity can be cryptographically verified, as defined in OID4VP. The format is open: VCs can be encoded as W3C VCs, ISO mdocs, or SD-JWT VCs. The IETF (in SD-JWT VC draft 16) uses the equivalent term Verifiable Digital Credential.

Verifiable Intent

A specification for delegated authority that lets a Holder authorize a third party (such as an AI agent) to act on their behalf with a verifiable scope. See the specification and Delegate Authority.

Verifiable Presentation (VP)

A Presentation with a cryptographic proof of Holder Binding, as defined in OID4VP. For Proof's credentials, this is the Issuer-signed JWT plus the disclosed Disclosures plus a Key Binding JWT, returned to the Verifier in a vp_token.

Verifier

An entity that requests, receives, and validates Presentations, as defined in OID4VP. The Verifier is a specific case of an OAuth 2.0 Client. In most flows the Verifier and the Relying Party are the same actor.

Wallet

An entity used by the Holder to receive, store, present, and manage Verifiable Credentials and key material, as defined in OID4VP. Wallets can be local apps, remote self-hosted services, or third-party services. Proof operates a Cloud Wallet for ProofCredentialV1 Holders.

x5c

A JOSE header carrying the X.509 certificate chain associated with a signing key, defined in RFC 7515. In Proof's credentials, x5c chains from the credential signing key up through Proof Organization Authenticity Issuing CA R1 to Proof Root CA R1. See Proof Certificate Authority.