OID4VCI misalignments with ARF 1.5 #567

Open
Sh-Amir opened this issue Feb 19, 2025 · 1 comment

@Sh-Amir
Collaborator

Sh-Amir commented Feb 19, 2025

The newly defined ARF introduces the Wallet Unit Attestation (WUA), which merges the Wallet Attestation and Key Attestation into a single attestation. However, it also presents several differences and challenges compared to the OID4VCI:

  • WUA must be selectively disclosable, necessitating issuance by the Wallet Provider following SD-JWT VC or mDOC. This selective disclosure is driven by the fact that the Resource Provider (RP) does not require access to all details in the WUA.
  • To the best of my understanding, the OID4VCI utilizes WA at the PAR and Token endpoints and key attestation at the credential endpoint. In contrast, the ARF proposes using the WUA for the former and optionally providing proof of association for the latter. As noted in the ARF, the current support for cryptographic operations by available WSCDs is unclear. [Link] In my honest opinion, by adding multiple keys to the key attestation we can have a basic form of PoA.
  • While the claims for WA and Key Attestation are well-defined in the OpenID4VCI, the claims for WUA are undefined and deferred to ARF-2.0.
  • To facilitate the transfer of proof of association from the Wallet Unit to the PID/Attestation Provider, a new proof type within OpenID4VCI is required, which is currently lacking.

Consequently, a decision must be made regarding compliance with OID4VCI or ARF V1.5.

Related issue: #461
@peppelinux @fmarino-ipzs @m-basili @grausof @giadas

Sh-Amir added the needs-discussion and standardization (Topics related to the standardization process in IETF/OIDF) labels Feb 19, 2025
Sh-Amir added this to the 1.0.0 milestone Feb 19, 2025
Sh-Amir self-assigned this Feb 19, 2025
peppelinux self-assigned this Feb 26, 2025
@peppelinux
Member

We need to be sure whether ARF 1.6 or 2.0 will get aligned with OpenID4VCI, so that WUA and key attestation would be handled separately, or, alternatively, whether OpenID4VCI will get aligned with ARF 1.5.

The DCP WG chair will be asked for that.
