sections about credential issuers establishing trust with wallet solution #31

Merged
merged 3 commits into from
Sep 30, 2024
15 changes: 13 additions & 2 deletions openid-federation-wallet-1_0.md
Expand Up @@ -520,11 +520,22 @@ sequenceDiagram

## Credential Issuers Establishing Trust in the Wallet Provider

...
The evaluation of trust by the Credential Issuer towards the Wallet Provider is conducted exactly as other types of entities. This process can be achieved through Federation Entity Discovery, where the Trust Chain is constructed starting from the Entity Configuration of the Wallet Provider. Alternatively, trust can be established via a signed data object issued by Wallet Provider, which includes the `trust_chain` parameter. This parameter contains a pre-constructed and verifiable Trust Chain, which MUST be validated using one of the the public keys of the Trust Anchor.

In the Federation Entity Discovery approach, the Credential Issuer retrieves the Entity Configuration of the Wallet Provider and follows the `authority_hints` to build the Trust Chain in the usual manner.

When using a signed data object, the Wallet Provider includes a `trust_chain` parameter within the object. This parameter holds a pre-constructed Trust Chain that the Credential Issuer validates. This method allows for a streamlined trust evaluation process, as the trust chain is provided directly by the wallet provider and can be quickly validated.


## Credential Issuers Establishing Trust in the Wallet

...
During the issuance phase, the Wallet Instance authenticates with the Credential Issuer using a Client authentication mechanism that includes a proof issued by its Wallet Provider.

This proof is a signed data object that confirms the match of a Wallet Instance to a Wallet Solution, as attested by the Wallet Provider. This proof contains all the information the Credential Issuer requires regarding the security and compliance of the Wallet Instance and the cryptographic proof of possession of this attestation provided by the Wallet Instance presenting it.

To establish trust with the Wallet Instance, the Credential Issuer MUST first establish trust with the Wallet Provider that is the issuer of the verifiable attestation, as described in the previous section.

The verifiable attestation issued by the Wallet Provider to the Wallet Instance MUST be cryptographically validated using the cryptographic material provided by the federation Trust Chain. The Credential Issuer evaluates the adequacy of these verifiable attestations using mechanisms and rules that might depend upon different regulations and frameworks that are out of the scope of this specification.

## Wallet Establishing Trust in the Credential Verifier
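Review bot: typo in the first added paragraph under "Credential Issuers Establishing Trust in the Wallet Provider": "one of the the public keys of the Trust Anchor" doubles "the". The same paragraph reads "conducted exactly as other types of entities"; "exactly as for other types of entities" is what is meant. Terminology across the two new sections is inconsistent and worth aligning before merge: the artifact the Wallet Provider issues is called a "signed data object" in the first section, then a "proof", a "signed data object" and a "verifiable attestation" in the Wallet section, and "wallet provider" and "federation Trust Chain" appear in lower case where the rest of the text capitalizes "Wallet Provider" and "Trust Chain". One wording suggestion on the normative requirement: "MUST be validated using one of the the public keys of the Trust Anchor" reads as if a single signature check settles it, whereas a Trust Chain is a sequence of signed statements; "MUST be validated according to the Trust Chain validation rules, using the Trust Anchor's public keys as the root of trust" would avoid that reading.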
