-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How should we go about issuance? #167
Comments
In presentations, the verifier wants to select claims for the holder to disclose and be protected against replays with nonces / pops. In issuance, the issuer wants to be assured the holder controls a key, and has consented to the claims that will be bound to that key... The holder wants to know which media types are supported, and what credential types are supported. So there is some symmetry around proof of possession, media types, and credential schemas / types (known structures). There is also: https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html Are you asking what are the essential parameters a browser API would need to collect in order to submit an issuance request to some backend? What is the threat model you have in mind for issuance? Is it necessary for the holder to encrypt their pop key or other credential information to the issuer? Should the browser or OS be able to observe specific claims or credential types, or should they just see an encrypted request for issuance? |
I've been thinking about issuance in the Web Platform API as very similar to a presentation (pass the OID4VCI request to the app platform), except that there isn't really a response back through the web platform outside of some form of "ack". We should think about what that "ack" actually contains (e.g. what would an issuer's web frontend need/want). Much of the complexity lives in the app platforms wallet selector. |
Ok, here is something to get the discussion started. WDYT? // Prompts the user to select a wallet to have the digital credential issued, and sends the request to the wallet
// Throws an exception if the user denied the request or didn't have an accepting wallet installed indistinguishably
const credential = await navigator.credentials.create({
digital: {
protocol: "openid4vci",
data: {
// the openid4vci request body, omitted for brevity
},
}
});
// TODO(goto): should we use the navigator.credentials.store(new DigitalCredential()) instead of create()? |
|
Are you referring to this [1] // TODO(goto): should we use the navigator.credentials.store(new DigitalCredential()) instead of create()? |
Sorry, looks like I saw an earlier version before it was edited. |
We deliberately left issuance aside while we were trying to figure out presentation, so kicking this issue off just to make sure it doesn't fall through the cracks :)
As thing start to settle with presentation, we should starting thinking how to go about issuance. There are a lot of things and a lot of considerations, so we'll likely want to break this into smaller steps, but kicking this off just to get the ball rolling.
The text was updated successfully, but these errors were encountered: