EAA Conformance: ETSI TS 119 472-1 (v1.2.1) clause 5.2.1.2
EAA-5.2.1.2-03: SD-JWT VC EAA must include vct#integrity
- shall
- Ordinary EAA
- QEAA
- PuB-EAA
- SD-JWT VC
- Issuer
- Verifier
Spec text
A SD-JWT VC EAA shall incorporate the claim vct#integrity as specified in IETF SD-JWT VC, clause 6.
ETSI TS 119 472-1 (v1.2.1), clause 5.2.1.2, page 28.
In plain English
Alongside vct, an SD-JWT VC EAA must include vct#integrity, an integrity hash over the Type Metadata document the vct resolves to. The claim binds the EAA to a specific, frozen view of its type.
Why it matters
Without vct#integrity, an attacker who controls the metadata host (or DNS, or a proxy) can swap in a hostile schema that subtly changes the meaning of attribute names or removes constraints the issuer relied on. The integrity hash converts a live URL into a content-addressed reference.
Common mistakes
- Omitting vct#integrity while still serving Type Metadata that may change.
- Hashing a freshly-rendered metadata document each time rather than the canonical bytes.
- Updating Type Metadata without coordinating a rotation of vct#integrity values.
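The check a verifier performs, and the "freshly-rendered" mistake from the list above, as an added example (not code from ETSI, the IETF draft or this site). It assumes the W3C Subresource Integrity string format (`sha256-<base64>`) that IETF SD-JWT VC uses for `#integrity` claims; the URL, metadata bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SRI_ALGS = ("sha256", "sha384", "sha512")  # weakest to strongest


def sri_digest(raw: bytes, alg: str = "sha256") -> str:
    """Issuer side: integrity string over the exact bytes that will be served."""
    if alg not in SRI_ALGS:
        raise ValueError(f"unsupported algorithm: {alg}")
    digest = hashlib.new(alg, raw).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def check_vct_integrity(claims: dict, fetched: bytes) -> bool:
    """Verifier side: True only if the fetched bytes match vct#integrity."""
    value = claims.get("vct#integrity")
    if not isinstance(value, str):
        return False  # claim absent: the EAA does not meet EAA-5.2.1.2-03
    parsed = []
    for token in value.split():  # SRI allows several space-separated hashes
        alg, _, b64 = token.partition("-")
        if alg in SRI_ALGS and b64:
            parsed.append((SRI_ALGS.index(alg), alg, b64.split("?", 1)[0]))
    if not parsed:
        return False
    strongest = max(rank for rank, _, _ in parsed)  # no downgrade to a weaker hash
    return any(
        hmac.compare_digest(sri_digest(fetched, alg).partition("-")[2].encode(), b64.encode())
        for rank, alg, b64 in parsed
        if rank == strongest
    )


# Constructed sample: bytes published at a hypothetical vct URL.
PUBLISHED = b'{"vct":"https://issuer.example/types/diploma","name":"Diploma"}\n'
# The same JSON rendered again with other whitespace and key order: different bytes.
RERENDERED = json.dumps(json.loads(PUBLISHED), indent=2, sort_keys=True).encode()
# Constructed fragment of an SD-JWT VC payload.
CLAIMS = {"vct": "https://issuer.example/types/diploma",
          "vct#integrity": sri_digest(PUBLISHED)}

if __name__ == "__main__":
    print(CLAIMS["vct#integrity"])
    print("published bytes :", check_vct_integrity(CLAIMS, PUBLISHED))
    print("re-rendered     :", check_vct_integrity(CLAIMS, RERENDERED))
```

The re-rendered document carries the same JSON values but fails the check, which is why the issuer must hash and serve one stored byte sequence rather than serialising the metadata on each request.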
Conformance check
Auto-tested.