A few issues have been fixed that were preventing users from creating and revoking API Keys.

Encryption keys in OpenID4VP authorization requests client_metadata.jwks.keys array now contain the alg parameter (ECDH-ES) when encryption is enabled on a request. This helps wallet implementations find the correct key for encryption.

An issue has been resolved where mediator events were not correctly delivered from the mediator instance to the Paradym webhook sender, which resulted in mediated didcomm messages not correctly being delivered.

To better integrate with external certificate authorities Paradym now supports defining the required capabilities when creating a certificate signing request. The certificate signing request will be adjusted based on capabilities, and validated against the requested capabilities when the certificate is imported.

Currently one a single signMdl capability is supported, which can only be used for issuerSignCredential certificates and is enabled by default for this certificate type.

The signMdl capability enables signing ISO 18013-5 mDLs, and ensures the mdlDS extended key usage is present in the certificate signing request and imported certificate. When this capability is enabled, the imported certificate must adhere to Document Signer Certificate requirements as defined in ISO 18013-5 Table B.3.

This capability only covers signing mDLs. Without this capability on the certificate, you cannot issue mDLs. ISO 23220-4 is a pending standard that defines generic mDoc signing capabilities, and introduces a new mdocDS extended key usage. In the future an additional capability will be added for this, which will impact non-mDL signing.

Paradym now supports version 1 of the OpenID for Verifiable Credentials suite of specifications.

Existing projects will keep using the existent version (from now on called "legacy"), which is based on draft 21 of the OpenID for Verifiable Presentations specification, and drafts 11 through 14 of the OpenID for Verifiable Credential Issuance specification.

New projects will automatically be configured to use version 1. The OpenID4VC version can be changed on a per project basis in the dashboard under Settings → Profile. Old projects can also be upgraded by updating the configuration.

Upgrading to V1 of OpenID4VC is a one-time operation, and cannot be reverted. If migration is not possible but already want to use V1 you can create a new project. In the future all legacy projects will be migrated to V1.

Some notable changes when updating to V1 of OpenID4VC:

• Response encryption is enabled by default for OpenID4VP. Previously, this was only the case for when requesting mDOCs.
• SD-JWT VCs and associated Token Status Lists signed with X509 certificates do not include an iss field anymore.
• SD-JWT VCs, associated Token Status Lists, and OpenID4VP requests signed with an X509 certificate do not include the root certificate in the x5c header anymore to adhere to HAIP requirements.
• OpenID4VP requests signed with an X509 certificate now use the x509_hash client id prefix instead of the x509_san_dns to adhere to HAIP requirements.

Paradym now supports creating Certificate Signing Requests (CSRs) for externally signed certificates. This allows you to use certificates signed by external certificate authorities instead of only using root certificates created within Paradym.

The certificate signing requests are based on PKCS#10, a common format for requesting an external signature on a certificate.

Certificate signing requests can be created for both issuer (issuerSignCredential) and verifier (verifierSignRequest) leaf certificates through the API or dashboard. Once your CSR is signed by an external certificate authority, you can import the resulting certificate back into Paradym. Certificate signing requests are automatically removed after 30 days if no certificate has been imported.

To start using certificate signing requests, check out the Trust -> My Certificates tab in the Paradym dashboard, Create a certificate signing request through the API, or read more in the Certificates documentation.

Creating externally signed certificates is not available in the Free tier, and only available to the Pro and Custom tiers.

An issue has been fixed where mDoc credential templates where using revoked or inactive certificates.

All previously created mDoc credential templates have been updated to use an existent, active, issuer root certificate, if existent.

An issue has been fixed where AnonCreds credential templates with revocation enabled would not properly create new revocation registries and revocation status lists.

Project members must now accept an invitation before they are added to a project. This enhances security, and prevents users from being added to projects without their consent.

When you add a member to a project, either through the API or dashboard, an invitation email will be sent, requesting the user to join the project.

An invitation is valid for 7 days, and a total of three invitations can be sent to an user, after which you must wait for an invitation to expire.

To revoke an invitation before it is accepted, you can make a POST request to https://api.paradym.id/v1/projects/{projectId}/members/remove. See the API Reference for detailed usage information.

Note: It is still the case that only the owner of the project is able to add and remove members from a project.

To improve the security of Paradym, we now only accept requests from clients using TLS 1.2+. TLS 1.2 is supported by all modern browsers and clients, as well as iOS and Android versions.

If you are experiencing issues, or are not able to upgrade to TLS 1.2+ you can reach out to us in the Paradym Slack or by sending an email to contact@animo.id.