OpenID4VCs: Security & Trust Model Document

We need a comprehensive analysis and description of the security of the OpenID4VCs protocol family, which also includes the underlying trust model. It is important to conduct the analysis end 2 end for the whole family since there are interdependencies.

Here are just some initial thoughts:

Authentic claims - signed data by a trusted issuer
trusted issuer - signed data / identification of issuer / management of trusted issuers
Prevention of copying/replay of credentials / impersonation - holder binding (cryptographic, biometric, claims-based)
Security of cryptographic holder binding - attestation of different kind
Trustworthiness of processing by wallet - 3rd party verification / confirmation
Design philosophy: issuer does the heavy lift, verifier can be sure all pre-requisites are fulfilled by wallet if there exists a credential issued by a trusted issuer (since it conforms to its policy)
Confidentially of user claims - protected cloud systems / encryption on rest, encrypted transmission
Issuance - Do we need nonce and audience in issuance?
Impersonation by attacker - authentication to wallet

‌

Comments (8)