Torsten Lodderstedt

Results 108 comments of Torsten Lodderstedt

Is this an issue with pre-authz code or cross device in general? I'm asking since cross device could be done with authz code flow, too. Not sure, however, this is...

I have checked back with Fabian. My conclusion: this issue always exists, if there is state from before the credential offer that is conveyed into the issuance process. So even...

@fabian-hk do you think that attack won't work with authorization code and `issuer_state`?

Agree to reconsider. We should be very sure and clear why we think refresh tokens are needed. In my opinion, refresh tokens can help to achieve a better UX in...

I would suggest to add text to the spec requiring the issuer to use the same key resolution mechanism for a certain status list it uses for the respective credential....

I think we also need to add claims to the `proof` issuance request parameter to indicate key type and user authentication method used to protect access to the key, so...

I don't think so. It's the wallet (provider) that is being attested, not the key. Like for the issuance of credentials, where the wallet is attested and not the key...

> I assume that a SIOP may issue an id token including the wallet instance attestation containing the public key used to verify the signature of the id token, since...