
Keys for DPoP should be attested to be highly secure

Open awoie opened this issue 2 years ago • 5 comments

Let's make sure that keys we use for DPoP can be directly attested by the key attestation to be protected by the secure key store of the device (e.g. Secure Element, Secure Enclave etc.).

awoie avatar May 08 '23 10:05 awoie

Let's also make sure it is an optimization and not a requirement in the client attestation draft.

Sakurann avatar May 13 '23 15:05 Sakurann

Would that be a DPoP extension?

tlodderstedt avatar May 16 '23 09:05 tlodderstedt

Proposal is to use the following structure as a DPoP JWT to attest the keys DPoP is bound to. Should we add this as an optional extension in HAIP?

{
  "typ":"dpop+jwt",
  "alg":"ES256",
  "jwk": {
    "kty":"EC",
    "x":"l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
    "y":"9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA",
    "crv":"P-256"
  },
  "attestation": <key attestation JWT>
}
.
{
  "jti":"-BwC3ESc6acc2lTc",
  "htm":"POST",
  "htu":"https://server.example.com/token",
  "iat":1562262616
}

Sakurann avatar Dec 05 '24 10:12 Sakurann

I support this.

paulbastian avatar Dec 10 '24 15:12 paulbastian

What about x5c?

alenhorvat avatar Dec 13 '24 14:12 alenhorvat