diff --git a/seqs.html b/seqs.html index 6ed81c0..32a9ecd 100644 --- a/seqs.html +++ b/seqs.html @@ -1334,6 +1334,15 @@

Abstract

  • 9.2.  Wallet Discovering Credentials Issuers

    +
  • +
  • +

    9.3.  Credential Issuers Establishing Trust in the Wallet Provider

    +
  • +
  • +

    9.4.  Credential Issuers Establishing Trust in the Wallet

    +
  • +
  • +

    9.5.  Wallet Establishing Trust in the Credential Verifier
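Review bot: the three new table-of-contents entries (9.3, 9.4, 9.5) point at sections added later in this same patch, but the bodies of 9.3 (Credential Issuers Establishing Trust in the Wallet Provider) and 9.4 (Credential Issuers Establishing Trust in the Wallet) consist only of a `...` placeholder. Listing them in the TOC advertises content that does not exist yet; either mark the two headings as TBD or hold their TOC entries until the sections are written. The entries also appear here as a nested `+` list with empty items, so please check the rendered TOC for stray bullets.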

  • @@ -1912,7 +1921,7 @@

    Wallets begin by discovering the identity of Credential Issuers through the federation's trust infrastructure. This involves retrieving the Credential Issuer's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor. The Credential Issuer’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication.

    In the example represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation.

    -
    +
             +------+                                           +------------+ +------------+ +-----------------+
             |Wallet|                                           |Trust Anchor| |Intermediate| |Credential Issuer|
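Review bot: the lead-in sentence says the Wallet Instance "uses the Federation API to discover and collect all the Credential Issuers enabled within the federation", but neither this sentence nor the diagram header states that a Credential Issuer is listed only after its Trust Chain up to a recognized Trust Anchor has been validated; the preceding paragraph describes exactly that step, so add one clause here so the discovery listing is not read as trusting every entity the federation returns. The `-`/`+` pair directly above the `+------+` row replaces the old `~~~~ ascii-art` fence; please confirm the new wrapper preserves whitespace so the participant boxes stay column-aligned.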
    @@ -1950,16 +1959,13 @@ 

    +---┴--+ +------┴-----+ +------┴-----+ +--------┴--------+ |Wallet| |Trust Anchor| |Intermediate| |Credential Issuer| +------+ +------------+ +------------+ +-----------------+ -~~~~ -**Figure 4**: Federation Credential Issuer listing, the Wallet Instance browse the entire federation collecting all the Credential Issuers. - - -The diagram above shows how a Wallet navigates the federation, collecting and validating the Trust Chain for each Credential Issuer (CI), and creating a discovery page including each Credential Issuer using the information, such as the credential types and logo obtained through their Trust Chain. - -The diagram below illustrates how a Wallet establishes trust with a Credential Issuer by verifying its link (even if indirect) to a Trust Anchor and validating which Credentials it is authorized to issue. This may happen in a credential offer flow, for instance, where the Wallet is used by an End-User starting from the Credential Issuer website and without any discovery phases started before within the Wallet. - -~~~~ ascii-art - +------+ +-----------------+ +-------------------------+ +

    +
    +

    Figure 4: Federation Credential Issuer listing, the Wallet Instance browse the entire federation collecting all the Credential Issuers.

    +

    The diagram above shows how a Wallet navigates the federation, collecting and validating the Trust Chain for each Credential Issuer (CI), and creating a discovery page including each Credential Issuer using the information, such as the credential types and logo obtained through their Trust Chain.

    +

    The diagram below illustrates how a Wallet establishes trust with a Credential Issuer by verifying its link (even if indirect) to a Trust Anchor and validating which Credentials it is authorized to issue. This may happen in a credential offer flow, for instance, where the Wallet is used by an End-User starting from the Credential Issuer website and without any discovery phases started before within the Wallet.

    +
    +
            +------+                                   +-----------------+ +-------------------------+
             |Wallet|                                   |Credential Issuer| |Intermediate/Trust Anchor|
             +---+--+                                   +--------+--------+ +------------+------------+
                 |    Fetch CI's Entity Configuration            |                       |
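Review bot: the Figure 4 caption is carried over verbatim from the removed `**Figure 4**` line and still reads "the Wallet Instance browse the entire federation"; fix the agreement to "browses" while the line is being moved. In the same hunk the bottom participant row mixes the box-drawing `┴` (`+---┴--+`) with plain `+` on the other boxes; use one style so the diagram aligns in a monospace block. The paragraph "The diagram below illustrates how a Wallet establishes trust with a Credential Issuer ... validating which Credentials it is authorized to issue" does not say which artifact the Wallet reads that authorization from; naming it would make the trust decision in this section unambiguous.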
    @@ -2020,27 +2026,36 @@ 

    +---+--+ +--------+--------+ +------------+------------+ |Wallet| |Credential Issuer| |Intermediate/Trust Anchor| +------+ +-----------------+ +-------------------------+ -~~~~ -**Figure 5**: Federation Entity Discovery, the Wallet Instance evaluates the trust with a Credential Issuer. - - -## Credential Issuers Establishing Trust in the Wallet Provider - -... - -## Credential Issuers Establishing Trust in the Wallet - -... - -## Wallet Establishing Trust in the Credential Verifier - -The Federation Entity Discovery starts with the Wallet Instance fetching the Credential Verifier's Entity Configuration to identify authority hints, pointing to Federation Entities that can issue Subordinate Statements about the Credential Verifier. The Wallet Instance then follows these hints and collects the Subordinate Statements and validating each one. The process continues until the Wallet Instance reaches the Trust Anchor. Finally, the Wallet Instance compiles the validated Trust Chain. If the Trust Chain is valid, the Wallet Instance processes the Credential Verifier final metadata. - -Note: While this section exemplifies the journey of discovery from the perspective of an OpenID Wallet Instance, it is important to understand that this approach can be applied to every kind of entity type within the federation. - - -~~~ ascii-art - +------+ +-------------------+ +-------------------------+ +

    +
    +

    Figure 5: Federation Entity Discovery, the Wallet Instance evaluates the trust with a Credential Issuer.

    + +
    +
    +
    +

    +9.3. Credential Issuers Establishing Trust in the Wallet Provider +

    +

    ...

    +
    +
    +
    +
    +

    +9.4. Credential Issuers Establishing Trust in the Wallet +

    +

    ...

    +
    +
    +
    +
    +

    +9.5. Wallet Establishing Trust in the Credential Verifier +

    +

    The Federation Entity Discovery starts with the Wallet Instance fetching the Credential Verifier's Entity Configuration to identify authority hints, pointing to Federation Entities that can issue Subordinate Statements about the Credential Verifier. The Wallet Instance then follows these hints and collects the Subordinate Statements and validating each one. The process continues until the Wallet Instance reaches the Trust Anchor. Finally, the Wallet Instance compiles the validated Trust Chain. If the Trust Chain is valid, the Wallet Instance processes the Credential Verifier final metadata.

    +

    Note: While this section exemplifies the journey of discovery from the perspective of an OpenID Wallet Instance, it is important to understand that this approach can be applied to every kind of entity type within the federation.

    +
    +
            +------+                                 +-------------------+ +-------------------------+
             |Wallet|                                 |Credential Verifier| |Intermediate/Trust Anchor|
             +---┬--+                                 +--------+----------+ +----------+--------------+
                 |         Fetch Entity Configuration          |                       |
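Review bot: the new 9.3 and 9.4 headings keep the `...` placeholder bodies from the removed markdown `##` headings, so the renumbering adds no content there; flag them as TODO or drop them from this change. In the 9.5 paragraph, "collects the Subordinate Statements and validating each one" should read "collects the Subordinate Statements and validates each one", and "processes the Credential Verifier final metadata" reads better as "the Credential Verifier's final metadata". The paragraph also describes following authority hints until the Trust Anchor is reached but never states the failure case: what the Wallet does when a Subordinate Statement fails validation or no path reaches a recognized Trust Anchor. One sentence saying the Trust Chain is rejected and the Credential Verifier is not trusted would close that gap. In the Figure 6 diagram header the Wallet box uses `+---┬--+` while the other two boxes use `+`; normalize as for Figure 4.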
    @@ -2101,9 +2116,9 @@ 

    +---+--+ +--------+--------+ +----------+--------------+ |Wallet| |Credential Issuer| |Intermediate/Trust Anchor| +------+ +-----------------+ +-------------------------+ -

    +
    -

    Figure 6: Federation Entity Discovery, the Wallet Instance evaluates the trust with a Credential Verifier.

    +

    Figure 6: Federation Entity Discovery, the Wallet Instance evaluates the trust with a Credential Verifier.
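Review bot: the bottom participant row in this hunk reads `|Credential Issuer|`, but the diagram is Figure 6, the Credential Verifier flow, and its top row in the previous hunk reads `|Credential Verifier|`; the closing label is a leftover from the Figure 5 diagram and should be `|Credential Verifier|` with its box widened to match (`+-------------------+` rather than `+-----------------+`). The Figure 6 caption is removed and re-added with identical text, so only the surrounding markup changes here; that is fine, but please double-check that the removed `-` line and the added `+` line are the only edits so the caption is not rendered twice.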