OpenID4VP
using a VC for Verifier Attestation
The core idea is: "The Verifier obtains a VC from a trusted third party, the VC includes key material of the Verifier, and the authorization request is signed using that key". We need to define a schema for that VC.
This is what I have now: "When the Client Identifier Scheme is verifier_attestation, the Client Identifier MUST equal sub claim value in the Verifier attestation JWT. The request MUST be signed with the private key corresponding to the public key in the cnf claim in the Verifier attestation JWT. The Verifier attestation VC MUST be added to a newly defined verifier_attestation JOSE Header of a request object. The Wallet MUST validate the signature on the Verifier attestation JWT by a trusted third party. Verifier metadata MUST be obtained from the Verifier attestation JWT."
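The wallet-side checks in the draft text above, as an added example that is not part of the original comment or of any OpenID4VP implementation. Assumptions: Ed25519 signatures (alg EdDSA), the cnf key carried as a JWK, the attestation issuer looked up by its iss claim in a wallet-configured trust list; all names, identifiers and sample values are hypothetical and constructed.

```javascript
const nodeCrypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');
const parse = (part) => JSON.parse(Buffer.from(part, 'base64url').toString());

// Compact JWS signed with Ed25519; only used to build the constructed samples.
function signJwt(header, payload, privateKey) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${nodeCrypto.sign(null, Buffer.from(input), privateKey).toString('base64url')}`;
}

// Verify a compact JWS against a public JWK and return its payload; throws on failure.
function verifyJwt(jwt, jwk) {
  const [h, p, s, extra] = jwt.split('.');
  if (!s || extra !== undefined || parse(h).alg !== 'EdDSA') throw new Error('malformed JWS');
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  if (!nodeCrypto.verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url')))
    throw new Error('bad signature');
  return parse(p);
}

// Wallet-side validation of a signed request object, following the draft rules.
function validateRequest(requestJwt, trustedIssuers) {
  const attJwt = parse(requestJwt.split('.')[0]).verifier_attestation;
  if (typeof attJwt !== 'string') throw new Error('missing verifier_attestation header');
  const issuer = parse(attJwt.split('.')[1]).iss;        // untrusted until verified below
  const issuerJwk = trustedIssuers.get(issuer);
  if (!issuerJwk) throw new Error('attestation issuer not trusted');
  const att = verifyJwt(attJwt, issuerJwk);               // signed by the trusted third party
  if (!att.cnf || !att.cnf.jwk) throw new Error('attestation has no cnf key');
  const request = verifyJwt(requestJwt, att.cnf.jwk);     // request signed with the cnf key
  if (request.client_id !== att.sub) throw new Error('client_id does not equal sub');
  return request;
}

// Constructed sample: hypothetical issuer and verifier, keys generated on the fly.
function buildSample(clientId = 'verifier.example', signWithAttestedKey = true) {
  const issuer = nodeCrypto.generateKeyPairSync('ed25519');
  const verifier = nodeCrypto.generateKeyPairSync('ed25519');
  const other = nodeCrypto.generateKeyPairSync('ed25519');
  const att = signJwt({ alg: 'EdDSA' }, { iss: 'https://issuer.example', sub: 'verifier.example',
    cnf: { jwk: verifier.publicKey.export({ format: 'jwk' }) } }, issuer.privateKey);
  const requestJwt = signJwt({ alg: 'EdDSA', verifier_attestation: att },
    { client_id: clientId, response_type: 'vp_token' },
    (signWithAttestedKey ? verifier : other).privateKey);
  const trusted = new Map([['https://issuer.example', issuer.publicKey.export({ format: 'jwk' })]]);
  return { requestJwt, trusted };
}
```

The order matters: nothing from the attestation payload is used for a decision until its signature has been verified against a key the wallet already trusts.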
Just check back with people from ETSI. They are in favor of (in addition to X.509 for qWACs and qSeals) having a VC-based mechanism for Verifier authentication.
We are not forced to use the verifier_attestation JOSE claim, since we may use a trust_chain JOSE claim.
The attestation is flat, while the trust chain attests all the trust relationships between the parties that attest the accreditation status of an entity, without a central registry.
I think this should be moved to OpenID4VP - I don't think this belongs in HAIP?
I think if we do this, we can define a new client id scheme..? So marking 1.1 for now.