Torsten Lodderstedt
Is that an mdoc-specific issue? Is it relevant for readers, too? If so, then I suggest solving it in an mdoc-specific way. This is because the reader...
We (@danielfett and myself) just had a discussion with Tobias. The goal is to establish trust in an mdoc issuer through a URL and then map that URL to the...
@selfissued that argument would lead to a single multi purpose well-known, essentially contradicting the idea of well-known locations. It's like did:web. well-known allows for a modular way to manage metadata....
I would feel more comfortable with the AS issuing the credential identifiers that can be used with the credential issuer. However, since that is impossible for MSFT (and perhaps other...
I do not support the top level credential identifier for credentials requested with authorization details. Reason: every credential identifier represents a concrete credential dataset authorized by the respective authorization detail....
Good question. OAuth allows to request an access token without any scope or authorization details object. In case of a pre authz grant, I would assume a token request without...
@peppelinux You mean the signature over the request is the proof of possession for the wallet attestation? That would mean to send a signed request object to the PAR endpoint,...
@peppelinux As I wrote in my initial comment, one-time use (jti) is a possible option for replay prevention. However, one-time use limits scalability and nonces offer more implementation...
@peppelinux Can you please describe why you assess use of a nonce as "overkill"? As I already stated, `jti` requires one-time use on the issuer side, which means shared,...
@fmarino-ipzs > My comment was related to your last sentence regarding the token request where there is no equivalent to the signed request. @peppelinux suggested to use a request signature...