[OpenID4VP] Wallet Instance metadata discovery

Verifier utilizing this specification has multiple options to obtain Wallet's metadata: - Verifier obtains Wallet's metadata dynamically, e.g., using [RFC8414] or out-of-band mechanisms. See Section 8 for the details. - Verifier has pre-obtained static set of Wallet's metadata. See Section 10.1.2 for the example.

Comments (6)

Giuseppe De Marco reporter

an alternative would be getting the request_uri with HTTP GET and including the wallet instance attestation as Authorization DPoP token and a DPoP proof as HTTP headers for the proof of possession of the wallet instance attestation.

2023-06-26T16:28:54+00:00

Giuseppe De Marco reporter

edited description

2023-06-26T16:35:30+00:00

Torsten Lodderstedt

Can you pleas shed some light on why the wallet metadata must be asserted by a third party? I’m asking since metadata typically is configuration/capability data that the respective provider publishes itself.

2023-07-12T10:34:34+00:00

Giuseppe De Marco reporter

Thank you for asking, here some objective assumptions:

the Wallet Instance supports SIOPv2, so it is a provider
the Wallet Instance supports OpenID4VP, so it provides presentations
there are sign and enc algs, methods and endpoints, involved during the presentation phase
the metadata is the artifact we traditionally use for having the capabilities of an entity, according to a format

there some open points to be addressed:
- in the wallet ecosystem trust models, there come the requirement of the Wallet Instance Attestation for attesting the device security according to a trust framework
- the wallet instance attestation must be provided to a credential issuer for the issuance of a digital credential
- the wallet instance attestation should be provided to a RP as well, to let it know the wallet security levels, and technical capabilities such the supported algs, url scheme and the revocation status list of that attestation
- the RP should obtain these information before (metadata discovery) issuing the request object

the metadata can be:

published by a trusted entity
published by the entity itself
signed by a trusted entity and then published by the entity itself (as the Wallet Instance Attestation)
published by the entity itself and verified with a mechanisms that involves trusted third parties and cryptographic bindinds (X.509 chains, OIDC Federation chains …)

regardless of the model used and the publication mechanism, this issue wants to identify the the way the metadata discovery can be done, without relying to abstract out of band or out of scope weak pointers.

the proposal is to allow forwarding of the attestation/metadata to the request_uri endpoint, or the definition of a new endpoint RP side for this scope.

For the first solution, related to the request_uri endpoint, it is necessary to provide a token, and the WAI is a token.

let's talk about it, let's understand together how to proceed

2023-07-12T12:23:30+00:00

Giuseppe De Marco reporter

edited description

2023-07-12T13:18:07+00:00

Mark Haine

changed status to resolved

Migrated to GitHub

https://github.com/openid/OpenID4VP

2023-09-01T17:33:49+00:00

Giuseppe De Marco reporter
an alternative would be getting the request_uri with HTTP GET and including the wallet instance attestation as Authorization DPoP token and a DPoP proof as HTTP headers for the proof of possession of the wallet instance attestation.
- 2023-06-26T16:28:54+00:00
Giuseppe De Marco reporter
- edited description
- 2023-06-26T16:35:30+00:00
Torsten Lodderstedt
Can you pleas shed some light on why the wallet metadata must be asserted by a third party? I’m asking since metadata typically is configuration/capability data that the respective provider publishes itself.
- 2023-07-12T10:34:34+00:00
Giuseppe De Marco reporter
Thank you for asking, here some objective assumptions:
- the Wallet Instance supports SIOPv2, so it is a provider
- the Wallet Instance supports OpenID4VP, so it provides presentations
- there are sign and enc algs, methods and endpoints, involved during the presentation phase
- the metadata is the artifact we traditionally use for having the capabilities of an entity, according to a format
there some open points to be addressed:
- in the wallet ecosystem trust models, there come the requirement of the Wallet Instance Attestation for attesting the device security according to a trust framework
- the wallet instance attestation must be provided to a credential issuer for the issuance of a digital credential
- the wallet instance attestation should be provided to a RP as well, to let it know the wallet security levels, and technical capabilities such the supported algs, url scheme and the revocation status list of that attestation
- the RP should obtain these information before (metadata discovery) issuing the request object

the metadata can be:
- published by a trusted entity
- published by the entity itself
- signed by a trusted entity and then published by the entity itself (as the Wallet Instance Attestation)
- published by the entity itself and verified with a mechanisms that involves trusted third parties and cryptographic bindinds (X.509 chains, OIDC Federation chains …)
regardless of the model used and the publication mechanism, this issue wants to identify the the way the metadata discovery can be done, without relying to abstract out of band or out of scope weak pointers.

the proposal is to allow forwarding of the attestation/metadata to the request_uri endpoint, or the definition of a new endpoint RP side for this scope.

For the first solution, related to the request_uri endpoint, it is necessary to provide a token, and the WAI is a token.

let's talk about it, let's understand together how to proceed
- 2023-07-12T12:23:30+00:00
Giuseppe De Marco reporter
- edited description
- 2023-07-12T13:18:07+00:00
Mark Haine
- changed status to resolved
Migrated to GitHub

https://github.com/openid/OpenID4VP
- 2023-09-01T17:33:49+00:00
Log in to comment