oid4vc-haip-sd-jwt-vc

Requirement that DPoP and client attestation key are the same?

Open TimoGlastra opened this issue 8 months ago • 1 comments

Is/should there be a requirement that the client attestation and DPoP key are the same for a wallet? Or can the keys used for client attestation and DPoP be separate keys?

I've heard of some implementations using/requiring the keys to be the same. If this is expected/desired behaviour it would be good to define this in HAIP.

Since a client attestation and DPoP key are used with the same issuer, they could have the same lifecycle. But there might be cases where DPoP and wallet attestation keys have a different lifecycle.

TimoGlastra, Mar 29 '25 11:03

I think this came up before, but it has been treated as a potential optimization rather than a mandatory thing. Though if DPoP is mandatory we might consider mandating this optimization, but again not sure it will work for all implementations.

Sakurann, May 19 '25 23:05

I think this is effectively a duplicate of https://github.com/openid/oid4vc-haip/issues/1 ? Marking as pending-close on that basis.

jogu, Jul 24 '25 13:07