You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The figure below illustrates the process by which a client,
137
137
such as a wallet instance,
138
-
requests and obtains a Status Assertion from the Issuer.
138
+
requests and obtains a Status Assertion from the issuer.
139
139
140
140
~~~ ascii-art
141
141
+----------------+ +------------------+
@@ -248,6 +248,8 @@ be considered as having a valid status, unless there exists some specific Verifi
248
248
The expiration datetime MUST be
249
249
superior to the Status Assertion issuance datetime and it MUST end before
250
250
the expiration datetime of the Digital Credential;
251
+
- MAY contain the _not before time_ parameter, specifying the time
252
+
from which the Status Assertion MUST be considered valid and evaluable.
251
253
- MUST enable the offline use cases by employing validation using
252
254
a cryptographic signature and the cryptographic public key of the
253
255
Issuer.
@@ -506,6 +508,7 @@ table below:
506
508
| **error_description** | OPTIONAL. Text that clarifies the nature of the error in relation to the `error` value. | {{RFC7519}} Section 4.1.7 |
507
509
508
510
## Rationale About The Unsigned Status Assertion Errors
511
+
509
512
To mitigate potential resource exhaustion attacks where an adversary could issue hundreds of fake Status Assertion Requests to force an Issuer to sign numerous Status Assertion Errors, it is advisable to set the header parameter`alg` value to `none` for Status Assertion Errors that do not require signatures. This approach conserves computational resources and prevents abuse, especially in scenarios where the Issuer's implementation could be vulnerable to resource exhaustion attacks. However, even if it is out of the scopes of this specification determine in which the Status Error Assertion signatures are necessary, when the Issuer signs the Status Assertion Errors the Client that received them MUST validate the signature.
510
513
511
514
## Status Assertion Error Values
@@ -661,7 +664,13 @@ Digital Credential. If true, the Verifier SHOULD:
661
664
by matching the JWS Header parameter `typ` set to `status-assertion+jwt`
662
665
and looking for the `credential_hash` value that matches with the
663
666
hash produced at the previous point;
664
-
- evaluate the validity of the Status Assertion.
667
+
- evaluate the validity of the Status Assertion within the `vp_token` parameter, by checking the following items:
668
+
- the Issuer parameter value MUST match the one in the Credential;
669
+
- the Issued at time parameter value MUST be equal to or later than the Issued at time parameter value in the Credential;
670
+
- the Expiration time parameter value MUST be later than the current time;
671
+
- the Not before time parameter value, if present, MUST be less than or equal to the current time;
672
+
- the confirmation method MUST be used for the validation (eg: if it uses cryptographic material, this material must be used for the signature validation)
673
+
- The hash of the Credential MUST be produced as described in [Section 7](#status-assertion-request) and MUST match the hash contained in the Status Assertion.
665
674
666
675
# Considerations On Revocation Verification
667
676
@@ -1086,10 +1095,20 @@ We would like to thank:
1086
1095
- Victor Näslund
1087
1096
- Giada Sciarretta
1088
1097
- Amir Sharif
1098
+
- Oliver Terbu
1089
1099
1090
1100
1091
1101
# Document History
1092
1102
1103
+
-03
1104
+
1105
+
* Terminology aligned with IETF Token Status Lists
1106
+
* Marina Adomeit added as co-author
1107
+
* Added informative references about national and international regulations
1108
+
* Abandoned boolean values for Integers values
1109
+
* Status values aligned with IETF Token Status Lists
1110
+
* Added the requirement about not specificing audiences in the Status Assertions
1111
+
1093
1112
-02
1094
1113
1095
1114
* Removed several comparisons with OAuth Status List
0 commit comments