With initiatives such as the European Digital Identity Wallet, the exchange of verifiable data via digital credentials using digital wallets is reaching mainstream adoption. While digital wallets gain adoption and the ecosystem grows, the flexibility and interoperability of querying verifiable data remains limited: digital credentials can only be directly queried based on JSON keys, thus hampering support for internationalization and alternative semantics. With this work, we present a practical approach to leverage Semantic Web technologies to combine the expressiveness of RDF with the semantic nature of W3C's recommended Verifiable Credentials and existing wallet protocols like OID4VP. We leverage SPARQL queries to request specific claims within the OID4VP protocol, which are evaluated over the combined RDF representation of the wallet credentials, to return Verifiable Presentations that contain the requested claims using selective disclosure. We applied named graphs with blank node graph names to ensure a uniform and globally unique connection between credentials and their corresponding claims and proof graphs when storing credentials in a wallet's Knowledge Graph. To retrieve which claims need to be selectively disclosed from their original credentials, we applied an initial conversion from RDF triple predicates to JSONPath pointers, thus currently supporting only a subset of SPARQL expressivity. Through the addition of a SPARQL query in the OID4VP authorization flow, we enable semantically enriched query evaluation over the stored credentials, opening the way to semantic alignment of multilingual vocabularies and similar ontologies used in diferent online ecosystems. Future work is needed to improve SPARQL support to enable querying over complex claim requirements, in terms of the query to JSONPath pointers, as well as addressing metadata requirements for the requested claims.
Digital credentials – i.e., tamper-evident digital assertions issued by a trusted authority to represent
claims about a subject – are gaining adoption: in government by the European Parliament [
Selective disclosure for Verifiable Credentials is made available by deriving Verifiable Presentations
(VPs) [
LGOBE
CEUR
ceur-ws.org
As credentials become increasingly integrated in digital data flows, we expect an increasing need to request and share flexible combinations of credentials.
At the heart of this flexibility requirement, the semantics of the exchanged data need to be well
understood. Here, the Verifiable Credential Data Model [
The reliance on JSONPath pointers – which are one-to-one coupled with the Verifiable Credential’s schema – imposes an implicit reliance on the issuer’s chosen context, which is typically influenced by the issuer’s local context such as language and culture. This limits the reusability of the pointer outside the issuer’s local context. Taking the example of a diploma credential: the European Learning Model1 specifies its model using English keys (e.g., accreditation linking to http://data.europa.eu/snb/ model/elm/accreditation); where the Flemish derived application profile 2 specifies the same terms, but using Flemish keys (e.g., Bewijs.accreditatie, also linking to http://data.europa.eu/snb/model/elm/ accreditation). We assume such discrepancies in JSON keys to occur more and more frequently, making interoperability dificult even when the underlying managed data models are correctly reused. Secondly, as JSONPath pointers use tree-based traversal, they do not support graph-based selections over multiple credentials. Even simple cases could require graph-based selections. Taking the example of proving ownership of a car: A person holding the credentials of both a valid license and insurance would require claim retrieval over multiple interlinked credentials, which would benefit from graph-based selection.
With this work, we present a novel method to leverage mature Semantic Web technologies to more
lfexibly but still efectively combine claims represented in Verifiable Credentials, leveraging a SPARQL
subset as a selective disclosure mechanism to automatically combine claims from multiple Verifiable
Credentials into a Verifiable Presentation. We apply our method to the maturing OpenID for Verifiable
Presentations protocol (OID4VP) [
In this section, we show how we can retrieve and combine arbitrary claims from multiple Verifiable
Credentials semantically – i.e., without needing to rely on the specific credential schemas used – by
extending the OID4VP authorization request [
SPARQL query over stored Verifiable Credentials, these credentials are stored in a graph store on the 1Retrieved via https://op.europa.eu/en/web/eu-vocabularies/dataset/-/resource?uri=http://publications.europa.eu/resource/ dataset/snb-model&version=3.2 at 10/07/2025. 2Retrieved via https://data.vlaanderen.be/doc/applicatieprofiel/leerprestatiecredential/ at 04/07/2025. 3Github repository for the POC is located at: https://github.com/KNowledgeOnWebScale/queryable-vcs poc.ipynb's implements following processes
INGEST QUERY COMPOSE
Verifier 1
INGEST 2
QUERY Create Conjunctive Graph
cg
wallet instance. Verifiable Credentials can be interpreted in RDF. However, as indicated by Braun et
al. [
To ensure we keep the link between claims and their originating credential, the ingestion of these
credentials into the graph store requires the contents of their default graph to be embedded in a named
graph [
wallet’s credentials, we envision the reuse of the OID4VP Authorization Request [
We assume that the SPARQL query is formed based on the native RDF representation of the credentials over which the query is evaluated (Listing 1). Querying the credential metadata currently means that the requester must be made aware of how the wallet links the claims with the credential metadata (i.e., via the minted credential graphs). Given this was introduced in Step 1 (combining multiple credentials in one Knowledge Graph), this is no longer aligned with the VC standard. Extending the VC standard to support these types of metadata queries is out of the scope of this paper, and we focus on querying the claims themselves. 1 PREFIX ex: <http://example.org/> 2 SELECT * 3 WHERE { 4 ?s ex:degreeTitle ?z ; 5 ex:driversLicense ?x ; 6 ex:jobPosition ?y 7 }
Listing 1: Querying claims from diferent credentials
the credential wallet, an incoming SPARQL query must be converted to take into account the internal RDF representation of the stored credentials. To achieve this, the query statements are embedded in the GRAPH keyword to direct the queried statements to the named graphs storing the credential claims (Listing 2). This aligns the queries with the conversion performed in Step 1. Within the context of this proof of concept, our considered query examples are chosen with simplicity in mind, allowing us to discuss the system as a whole. Hence, future research is needed to support more complex query mapping scenarios (e.g., in the case of VCs that have a more complex structure).
Step 4: Construct the Verifiable Presentation Having found the relevant credentials for the
requested claims, we can rely on mature JSON-LD compaction algorithms [
ing side, the Verifiable Presentation returned from the authorization request can now be validated based on its signature and the identity of its issuer. The original query, as shown in Listing 1, can now be evaluated over the Verifiable Presentation’s native RDF representation to receive the verified results for the query.
With this initial work, we demonstrate a practical solution for the selective disclosure of claims via Verifiable Presentations based on SPARQL queries applied to the OID4VP protocol, by taking into account the underlying RDF semantics of Verifiable Credentials. The result of the query is a presentation of claims from the original credentials, which is then, at the requesting side, re-processed with the same mappings to provide a query response. As such, we ensure that claims are verified correctly.
The addition of a sparql_query as an alternative to the dcql_query parameter is a mild intrusion in the OID4VP authorization request flow. We provide a straightforward adoption path for integrating SPARQL queries without impacting the overall flow or functionality. Our method allows for more flexible querying of claims, but does not influence authorization decisions, as the authorization mechanisms are based on the claims that are being returned, not on the internal query evaluation process. The evaluation of the returned presentations for their metadata and query results occurs outside the existing protocol stack.
Integrating the semantics of credentials into the request flow enables the use of existing Web standards such as OWL for schema alignment, facilitating alignment of credentials over multiple languages and ecosystems. Where initial wallet implementations can rely on ecosystem enforcement of standardized schemas (e.g. ISO standards), further adoption is likely to cause divergence between data models. Standardized mappings can be provided at an ecosystem level, and ad hoc mappings can be passed by a requesting party to allow wider matching of requested claims to stored credentials.
Although the provided implementation validates its feasibility, the avenues for future work are manifold.
A JSONPath-to-SPARQL transformation could be devised to serve as a proxy for existing OID4VP clients (i.e., reinterpreting the dcql_query parameter as a SPARQL query), resulting in a completely OID4VP-compatible solution.
Introducing SPARQL support strains the current Verifiable Credentials Data Model, as the native RDF representation requires additional transformations to allow for unambiguous query evaluation matching claims with the credential they originate from, supporting only a subset of the current RDF and SPARQL capabilities. Further investigation is needed to assess the possibility for the Verifiable Credential model to support native querying over both claims and metadata in its RDF representation.
We currently need to rely on JSON-based Verifiable Credential libraries to create the Verifiable
Presentation (i.e., the reverse transformation into JSONPaths in Step 4). The work of Braun et al. [
In terms of functionality requirements, the proposed approach imposes an overhead on the wallet instance: for managing Verifiable Credentials as a knowledge graph, and for matching a user query over that knowledge graph to individual claim requirements over the stored credentials. Research is needed towards the added benefit of semantic cross-credential querying and ontology alignment outweighs this added cost.
The described research activities were supported by SolidLab Vlaanderen (Flemish Government, EWI and RRF project VV023/10), and Interreg project SecuWeb (0100085).
During the preparation of this work, the author(s) used GPT-4o to: Grammar and spelling check. After using these tool(s)/service(s), the author(s) reviewed and edited the content as needed and take(s) full responsibility for the publication’s content.