Ecosystem Capabilities

Audience & Purpose


Audience	Enterprise architects, technical leads, procurement teams evaluating the SD-JWT .NET ecosystem
Purpose	Single-page capability assessment for adoption decisions
Scope	All implemented, planned, and proposed features across the ecosystem
Success	Reader can determine whether the ecosystem meets their requirements without reading any other document

Capability	Status	Package	Specification	Details
SD-JWT (Selective Disclosure JWT)	Implemented	`SdJwt.Net`	RFC 9901	Deep Dive
SD-JWT VC (Verifiable Credentials)	Implemented	`SdJwt.Net.Vc`	draft-ietf-oauth-sd-jwt-vc-15	Deep Dive
mdoc / mDL (ISO Mobile Documents)	Implemented	`SdJwt.Net.Mdoc`	ISO 18013-5	Deep Dive
JWS JSON Serialization	Implemented	`SdJwt.Net`	RFC 9901 Section 5	Deep Dive

Capability	Status	Package	Specification	Details
Pre-Authorized Code Flow	Implemented	`SdJwt.Net.Oid4Vci`	OpenID4VCI 1.0	Deep Dive
Authorization Code Flow	Implemented	`SdJwt.Net.Oid4Vci`	OpenID4VCI 1.0	Deep Dive
Batch Credential Issuance	Implemented	`SdJwt.Net.Oid4Vci`	OpenID4VCI 1.0	Deep Dive
Deferred Credential Issuance	Implemented	`SdJwt.Net.Oid4Vci`	OpenID4VCI 1.0	Deep Dive
Credential Offer	Implemented	`SdJwt.Net.Oid4Vci`	OpenID4VCI 1.0	Deep Dive
Notification Endpoint	Implemented	`SdJwt.Net.Oid4Vci`	OpenID4VCI 1.0	Deep Dive
Proof Validation (JWT / CWT)	Implemented	`SdJwt.Net.Oid4Vci`	OpenID4VCI 1.0	Deep Dive
mdoc Credential Issuance (`mso_mdoc`)	Implemented	`SdJwt.Net.Mdoc`	ISO 18013-5 + OpenID4VCI	Deep Dive

Capability	Status	Package	Specification	Details
OpenID4VP Authorization Requests	Implemented	`SdJwt.Net.Oid4Vp`	OpenID4VP 1.0	Deep Dive
JAR (JWT Authorization Requests)	Implemented	`SdJwt.Net.Oid4Vp`	OpenID4VP 1.0	Deep Dive
Transaction Data Binding	Implemented	`SdJwt.Net.Oid4Vp`	OpenID4VP 1.0	Deep Dive
Key Binding JWT (KB-JWT)	Implemented	`SdJwt.Net`	RFC 9901	Deep Dive
Presentation Exchange (DIF PEX)	Implemented	`SdJwt.Net.PresentationExchange`	DIF PEX v2.1.1	Deep Dive
W3C Digital Credentials API	Implemented	`SdJwt.Net.Oid4Vp`	W3C DC API	Deep Dive
Delivery via QR Codes & Deep Links	Proposed	-	OID4VP transport	Proposal
Bundles / Batch (multi-credential sessions)	Proposed	-	OID4VP + PEX	Proposal

Capability	Status	Package	Specification	Details
Token Status List (revocation/suspension)	Implemented	`SdJwt.Net.StatusList`	draft-ietf-oauth-status-list-18	Deep Dive
Multi-bit Status Values (Valid/Revoked/Suspended)	Implemented	`SdJwt.Net.StatusList`	draft-ietf-oauth-status-list-18	Deep Dive
Status List Freshness Validation	Implemented	`SdJwt.Net.StatusList`	draft-ietf-oauth-status-list-18	Deep Dive
Set Revocation & Suspension	Proposed	-	Extends StatusList	Proposal
Set Expiration & Validity Controls	Proposed	-	Data-function driven	Proposal
Expiration & Revocation Checks (Bitstring Status List v1.0)	Proposed	-	Bitstring Status List v1.0	Proposal
Credential Status Validation (wallet-side)	Proposed	-	StatusList + Wallet integration	Proposal
Token Introspection (RFC 7662)	Proposed	-	RFC 7662	Proposal

Capability	Status	Package	Specification	Details
OpenID Federation (Trust Chains)	Implemented	`SdJwt.Net.OidFederation`	OpenID Federation 1.0	Guide
HAIP Level 1 (High)	Implemented	`SdJwt.Net.HAIP`	HAIP 1.0	Deep Dive
HAIP Level 2 (Very High)	Implemented	`SdJwt.Net.HAIP`	HAIP 1.0	Deep Dive
HAIP Level 3 (Sovereign)	Implemented	`SdJwt.Net.HAIP`	HAIP 1.0	Deep Dive
EU Trust Lists (LOTL)	Implemented	`SdJwt.Net.Eudiw`	eIDAS 2.0	Deep Dive
Issuer Trust Validation (DID/PKI/IACA-DSC)	Proposed	-	DID + PKI + IACA	Proposal
Trust Registries (eIDAS2, EBSI, custom)	Proposed	-	eIDAS2 / EBSI	Proposal
QTSPs (Qualified Signature Support)	Proposed	-	eIDAS Regulation	Proposal

Capability	Status	Package	Specification	Details
Issuer Metadata (credential branding)	Proposed	-	OID4VCI display metadata	Proposal
Embedded Display Data (per-instance visuals)	Proposed	-	Credential rendering	Proposal

Capability	Status	Package	Specification	Details
Generic Wallet (plugin architecture)	Implemented	`SdJwt.Net.Wallet`	Project design	Deep Dive
SD-JWT VC Format Plugin	Implemented	`SdJwt.Net.Wallet`	RFC 9901 + SD-JWT VC	Deep Dive
mdoc Format Plugin	Implemented	`SdJwt.Net.Wallet`	ISO 18013-5	Deep Dive
EUDIW (EU Digital Identity Wallet)	Implemented	`SdJwt.Net.Eudiw`	eIDAS 2.0	Deep Dive
ARF Profile Validation	Implemented	`SdJwt.Net.Eudiw`	EU ARF	Deep Dive
PID Credential Handling	Implemented	`SdJwt.Net.Eudiw`	EU ARF	Deep Dive
QEAA Handling	Implemented	`SdJwt.Net.Eudiw`	EU ARF	Deep Dive
RP Registration Validation	Implemented	`SdJwt.Net.Eudiw`	EU ARF	Deep Dive

Capability	Status	Package	Specification	Details
Capability Token Minting (SD-JWT)	Implemented	`SdJwt.Net.AgentTrust.Core`	Project design	Deep Dive
Capability Token Verification	Implemented	`SdJwt.Net.AgentTrust.Core`	Project design	Deep Dive
Policy Engine (rule-based allow/deny)	Implemented	`SdJwt.Net.AgentTrust.Policy`	Project design	Deep Dive
Delegation Chain Enforcement	Implemented	`SdJwt.Net.AgentTrust.Policy`	Project design	Deep Dive
ASP.NET Core Inbound Guard	Implemented	`SdJwt.Net.AgentTrust.AspNetCore`	Project design	Deep Dive
MAF/MCP Outbound Propagation	Implemented	`SdJwt.Net.AgentTrust.Maf`	Project design	Deep Dive
Audit Receipts	Implemented	`SdJwt.Net.AgentTrust.Core`	Project design	Deep Dive
Replay Prevention (Nonce Store)	Implemented	`SdJwt.Net.AgentTrust.Core`	Project design	Deep Dive

Capability	Status	Package	Details
ECDSA P-256/384/521	Implemented	`SdJwt.Net`	All core cryptographic operations
SHA-256/384/512 enforcement	Implemented	`SdJwt.Net`	MD5/SHA-1 blocked at validation layer
Constant-time comparisons	Implemented	`SdJwt.Net`	`CryptographicOperations.FixedTimeEquals`
CSPRNG for all entropy	Implemented	`SdJwt.Net`	`RandomNumberGenerator` throughout
Replay attack prevention	Implemented	`SdJwt.Net`	Nonce + `iat` freshness validation
Algorithm allow-list enforcement	Implemented	`SdJwt.Net.HAIP`	HAIP validator blocks weak algorithms
Wallet Attestation	Implemented	`SdJwt.Net.HAIP`	HAIP Level 2+

Capability	Status	Details
.NET 8.0	Implemented	Full support with modern optimizations
.NET 9.0	Implemented	Latest features and optimal performance
.NET 10.0	Implemented	Full support
.NET Standard 2.1	Implemented	Backward compatibility
Windows / Linux / macOS	Implemented	x64, ARM64, Apple Silicon
Container Ready	Implemented	Docker, Kubernetes
Cloud Native	Implemented	Azure, AWS, GCP

Tag	Meaning
Implemented	Code complete, tested, available in NuGet packages
Planned	Approved for development, design complete
Proposed	Design proposal written, awaiting approval

Package	Purpose	Spec
`SdJwt.Net`	Core SD-JWT (RFC 9901)	Final
`SdJwt.Net.Vc`	SD-JWT VC profile	draft-15
`SdJwt.Net.StatusList`	Token Status List	draft-18
`SdJwt.Net.Oid4Vci`	OpenID4VCI issuance	1.0 Final
`SdJwt.Net.Oid4Vp`	OpenID4VP presentation + DC API	1.0
`SdJwt.Net.PresentationExchange`	DIF PEX credential query	v2.1.1
`SdJwt.Net.OidFederation`	OpenID Federation trust	1.0
`SdJwt.Net.HAIP`	High Assurance Interoperability	1.0
`SdJwt.Net.Mdoc`	ISO 18013-5 mdoc/mDL	2021
`SdJwt.Net.Wallet`	Generic wallet with plugins	-
`SdJwt.Net.Eudiw`	EU Digital Identity Wallet	eIDAS 2.0
`SdJwt.Net.AgentTrust.Core`	Capability token mint/verify	-
`SdJwt.Net.AgentTrust.Policy`	Policy engine + delegation	-
`SdJwt.Net.AgentTrust.AspNetCore`	Inbound verification middleware	-
`SdJwt.Net.AgentTrust.Maf`	MAF/MCP outbound propagation	-