Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support key attestations in JWT proofs #277

Open
4 tasks
babisRoutis opened this issue Feb 13, 2025 · 0 comments
Open
4 tasks

Support key attestations in JWT proofs #277

babisRoutis opened this issue Feb 13, 2025 · 0 comments
Labels
feature New feature or request openid4vci draft 15 spec alignment

Comments

@babisRoutis
Copy link
Contributor

babisRoutis commented Feb 13, 2025
edited by vafeini
Loading

Draft 15 intoruces the concept of "key attestation" as a way for the holder to provide evidence for the authenticity and security properties of a key and its storage component to the Credential Issuer.

Specificaly for proofs of possetion of type JWT the key attestation is used to prove that the key that signs the JWT is the one contained in the key attestation.

For this the following are needed

  • For credentials demanding key attestations issuer should reflect this in the respective credential configuration (include key_attestations_required in proof_types_supported). This can be defined as policy per supported crednetial in issuer's config properties.
  • If issuer demands key attestations in jwt proofs issuer must validate that proofs provided in the request include key attestation
  • Validate that the JWT proof provided in request is signed by the key contained in the key_attestation as specified in JWT proof's header.
  • Validate that the key attestation jwt is signed by someone it trusts. Spec mentions that key attestations can be signed by 'Wallet Provider or the Wallet's key storage component itself'. At the currest state we can assume that issuer has a list of certificates of trusted wallet providers against which the signature should be validated. It is unclear yet how 'Wallet's key storage component' should be trusted.

Imlementation Considerations

For jwt Proof Type spec mentions the following

The Credential Issuer SHOULD issue a Credential for each cryptographic public key specified in the attested_keys claim within the key_attestation parameter

It is unclear how issuer should handle cases where multiple jwt proofs are included with the key attestations with overlaping keys (same key attestation included in multiple jwt proofs). It is also questinable if in the case of jwt proofs the key attestations should be used for key binding.

So for the time being and untill this is cleared up issuer should handle key attestations in JWT proof only as an evidence to validate the key singing the JWT proof.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature New feature or request openid4vci draft 15 spec alignment
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@babisRoutis