Verifier app attestation for Wallet Instances #595
Comments
According to ISO, this should require Verifier App Authentication and it should be done using an X.509 access certificate provided by the Verifier app provider to the instance.
X.509 access certificates resolve and simplify many aspects according to the delegation paradigm. To avoid the implementations of both the Wallet Unit Attestation presentation using ISO 18013-5 and the credential revocation check mechanisms using status lists or whatever, I would put it in the following way:
Revoking the X.509 certificate makes the credential unusable, therefore as if it were revoked. If there is another agreed approach suitable for interoperability, it will be evaluated in future milestones.
I agree with this approach, but by not presenting the Wallet Attestation there is no way for the Verifier to ensure that it is talking to a secure and certified Wallet Instance. The same goes for the Wallet Instance that will have to ensure that it is talking to a certified Verifier App. The purpose of this issue is to allow the Wallet Instance to verify that the verifier app has been released by an entity that is trusted.
The trust is delegated; it's up to the credential issuer to periodically monitor the status of the wallet for which it has issued the credentials. Revocation of those wallets must trigger, at the credential issuer, the revocation of the certificates and therefore the unverifiability of the linked credentials. According to this model, the RP relies on the credential issuer only, making implementations simpler.
We need to better clarify our proposal:
Requirements discussed during the call of 19 March 2025:
I would also add that: a) X.509 Certificate Chains require CRL
It is necessary to define a verification app attestation mechanism (similar to the Wallet Instance Attestation) to be presented to the Wallet Instance at the credentials request stage and also working offline.