Install and run the Open Policy Agent (OPA) on your local machine
Download the Open Policy Agent as described here.
Set the permissions of the downloaded file to allow execution:
Move the downloaded executable to a location in your system's PATH to make it accessible from any directory. A common location for custom binaries on macOS is ~/.local/bin. You can move it there with the following command:
Test the setup by running a simple expression with OPA:
If everything is working correctly, you should see output like this:
Creating a dynamic policy
Verifying a verifiable credential using a dynamic policy
Credential validation powered by the Open Policy Agent
The Open Policy Agent (https://www.openpolicyagent.org) is an open source, general-purpose policy engine that unifies policy enforcement. OPA provides a high-level declarative language called Rego that lets you specify policy as code in order to offload policy decision-making from your business logic.
The SSI Kit integrates with OPA, which allows flexible validation of W3C Verifiable Credentials by executing Rego policies.
The following graphic illustrates the technical architecture of how a custom application can verify credentials using the Open Policy Agent.
In order to verify W3C Verifiable Credentials and Presentations, the SSI Kit offers the Auditor API. This API serves as the integration point for a Verifier application, but can also be used for testing via the built-in CLI tool. Either way, a Verifiable Credential (VC) is forwarded to the SSI Kit in order to have it verified.
The SSI Kit loads a Rego policy from a file system, a database or a trusted registry, which is most likely implemented using Distributed Ledger Technology.
Next, the SSI Kit generates the verification request, which is processed by the OPA engine. This request consists of the policy, the input data to be verified and the action. The input data is just the relevant data points of the credential, typically the nested JSON object "credentialSubject" or part of it. The "action" is the request that should be granted by the policy.
The Open Policy Agent processes the verification request and returns the result to the SSI Kit. The SSI Kit evaluates the result and composes an aggregated credential validation response for the calling party (aggregated because other validation checks are also performed).
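The flow above can be reproduced against a local `opa` binary. The following is an added example, not SSI Kit code and not its request format: the package name `example.vc`, the action `enroll`, the input layout and the sample credential are all constructed for illustration. It assumes an OPA version that accepts `import rego.v1`.

```python
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed Rego policy; package and rule names are hypothetical.
POLICY = """\
package example.vc
import rego.v1
default allow := false
allow if {
    input.action == "enroll"
    input.credentialSubject.degree.type == "BachelorDegree"
}
"""

# Constructed credential; only credentialSubject is handed to the policy.
SAMPLE_VC = {
    "issuer": "did:example:issuer",
    "credentialSubject": {
        "id": "did:example:holder",
        "degree": {"type": "BachelorDegree", "name": "Bachelor of Science"},
    },
}

def build_request(vc, action, policy=POLICY):
    """Compose policy, input data and action (this layout is an assumption)."""
    data = {"action": action, "credentialSubject": vc["credentialSubject"]}
    return {"policy": policy, "input": data}

def decide(opa_json):
    """Fail closed: only a single result whose value is literally true grants."""
    results = opa_json.get("result", [])
    return len(results) == 1 and results[0]["expressions"][0]["value"] is True

def evaluate(request, query="data.example.vc.allow"):
    """Evaluate with `opa eval`; returns None if opa is not on PATH."""
    if shutil.which("opa") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        policy = Path(tmp, "policy.rego")
        policy.write_text(request["policy"])
        out = subprocess.run(
            ["opa", "eval", "--format", "json", "--data", str(policy),
             "--stdin-input", query],
            input=json.dumps(request["input"]),
            capture_output=True, text=True, check=True)
    return decide(json.loads(out.stdout))
```

Calling `evaluate(build_request(SAMPLE_VC, "enroll"))` grants the action, while any other action falls through to the `default allow := false` rule. An undefined or malformed OPA result is treated as a denial by `decide`.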
Setup - Install the OPA execution engine on your machine
Dynamic Verification Policies - Create and use dynamic verification policies with your VCs
Demo - Understand how to use Rego with walt.id tools through a video tutorial.