[OIDC4VCI] Proof checking insufficient
Issue #1691
resolved
As far as I can see, there are no instructions on checking the proof except for “the Credential Issuer MUST validate that the proof is actually signed by a key identified in kid parameter.”
This needs to be expanded to include, e.g.:
- checking the relationship between the key and the key that is to be used for the credential
- checking nonce, audience, issuer
- checking the times (iat)
- checking any other properties of the key that are required (attestation?)
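As an added illustration of the checks listed in this issue (not text from the specification or from PR #542), the sketch below validates the claims of a proof JWT after a JOSE library has verified its signature. The function name, parameter names, the freshness window and the sample values are assumptions made for the example.

```python
import hmac

MAX_AGE_S = 300    # assumed freshness window for iat
MAX_SKEW_S = 60    # assumed tolerated clock skew

def check_proof(header, claims, *, issuer_id, expected_nonce, verified_kid,
                binding_kid, now, client_id=None):
    """Return the names of failed checks for a proof JWT whose signature was
    already verified (by a JOSE library, not shown) with key verified_kid."""
    failed = []
    # Key relationship: the key named in the header, the key that verified
    # the signature and the key the credential will be bound to must agree.
    if not (header.get("kid") == verified_kid == binding_kid):
        failed.append("kid")
    # Audience: the proof must be addressed to this issuer.
    aud = claims.get("aud")
    if issuer_id not in (aud if isinstance(aud, list) else [aud]):
        failed.append("aud")
    # Nonce: must equal the value this issuer handed out; constant-time compare.
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not hmac.compare_digest(
            nonce.encode(), expected_nonce.encode()):
        failed.append("nonce")
    # iat: numeric, not older than the window, not further ahead than the skew.
    iat = claims.get("iat")
    if (isinstance(iat, bool) or not isinstance(iat, (int, float))
            or not now - MAX_AGE_S <= iat <= now + MAX_SKEW_S):
        failed.append("iat")
    # Issuer: when the client is known, iss must name it.
    if client_id is not None and claims.get("iss") != client_id:
        failed.append("iss")
    return failed

# Constructed sample values, not taken from the specification or the issue.
NOW = 1_700_000_000
HEADER = {"alg": "ES256", "kid": "did:example:holder#key-1"}
CLAIMS = {"iss": "wallet-client", "aud": "https://issuer.example",
          "iat": NOW - 10, "nonce": "n-0S6_WzA2Mj"}
EXPECT = dict(issuer_id="https://issuer.example", expected_nonce="n-0S6_WzA2Mj",
              verified_kid="did:example:holder#key-1",
              binding_kid="did:example:holder#key-1", now=NOW,
              client_id="wallet-client")

if __name__ == "__main__":
    print(check_proof(HEADER, CLAIMS, **EXPECT))                         # fresh proof
    print(check_proof(HEADER, {**CLAIMS, "iat": NOW - 3600}, **EXPECT))  # stale proof
```

Returning every failed check rather than stopping at the first keeps the rejection reason loggable; the issuer should still answer the client with a single generic proof error.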
Comments (2)
- changed status to resolved
PR merged.
PR #542 raised. Please review.