sorotokin approved these changes (Mar 25, 2026)
The Multipaz `.mpzpass` file format provides a standardized, lightweight mechanism for the exchange of low-assurance verifiable credentials. In scenarios where strict cryptographic device-binding introduces unnecessary friction — such as when a user expects their digital assets to seamlessly synchronize across their entire ecosystem of devices — this format offers a pragmatic, portable solution. It is engineered specifically for use cases where the risk of credential sharing is negligible, such as event and movie ticketing, transit passes, or generic membership cards.

This format explicitly trades anti-cloning guarantees for portability. Because the credential data and any associated keys are stored in a highly portable container, the credential can be trivially copied.

For high-value credentials where cloning or replay attacks are active threat vectors (e.g., mobile driving licenses or financial instruments), this file format is inherently unsuitable. In those high-assurance scenarios, issuers must leverage a robust provisioning protocol like [OpenID4VCI](https://github.com/openid/OpenID4VCI) to ensure secure delivery and hardware-backed device-binding at the time of issuance.

This PR has three main components:

- Definition of the format with example files, in the `mpzpass` directory
- Support routines and import/export in the core Multipaz library
- Support in TestApp for generating and importing `.mpzpass` files

Additionally, extend `SimplePresentmentSource` to support more than one domain for a given credential type. This is needed because if using this to import a credential with a software-backed key and the app already has a domain each for with and without user authentication (and the domain is picked according to a setting of whether user authentication should be used), the software-backed credential (which never has any user authentication) needs to be consulted in both cases.

This PR also fixes problems with the compose TestApp on iOS and it also makes `Credential.replacementForDeleted()` internal, which it should have been from the start.

Test: Unit test and manually tested on both Android and iOS.

Signed-off-by: David Zeuthen <zeuthen@google.com>