Joseph Heenan
I'm not sure I fully understand. Can you share the DCQL query being sent please so I'm clear what the verifier requested? Note that the spec you linked to is...
I don't think I have sufficient w3c vc expertise to answer any further unfortunately (I'm not even sure if what you're trying to do is legal or not) - I'd...
If I'm understanding the question correctly, then essentially if the redirect_uri parameter doesn't match the url in the redirect_uri: client id then essentially client authentication has failed and the wallet...
> I might be missing something, but doesn't "Requests using the redirect_uri Client Identifier Prefix cannot be signed because there is no method for the Wallet to obtain a trusted...
> What is the content of this response header jwt?

The contents of the DPoP-Nonce header are as defined in the DPoP spec.

> Is it really a jwt or...
I think we might have assumed in a few places that batching is only necessary for credentials that are key bound, and that non-key-bound credentials are likely claims-bound instead so...
> Unless the credential endpoint can be called multiple times for credentials without key binding, effectively achieving batch issuance, this could be problematic.

I think you can call the credential...
I think the practical outcome of removing `c_nonce_expires` might well be that many wallets treat nonce as single use and fetch a new one immediately prior to generating each set...
Thanks Fabian! For the IAR endpoint in general, the recommendation to use FAPI2 (and hence the `iss` parameter in the response) I believe mitigates this. In HAIP, using FAPI2 moves...
Rereading this again, I'm not sure the attack is really possible in a meaningful way, as the wallet attestation would have the `aud` of the attacker's AS and hence the attacker...