[Openid-specs-ab] Issue #1443: [oidc4vci] Remove nonce endpoint (openid/connect)
Tobias Looker
issues-reply at bitbucket.org
Wed Feb 23 03:01:17 UTC 2022
New issue 1443: [oidc4vci] Remove nonce endpoint
https://bitbucket.org/openid/connect/issues/1443/oidc4vci-remove-nonce-endpoint
Tobias Looker:
As is currently defined in [https://openid.net/specs/openid-connect-4-verifiable-credential-issuance-1_0.html#section-6.3](https://openid.net/specs/openid-connect-4-verifiable-credential-issuance-1_0.html#section-6.3)
“The Client MUST obtain a presentation nonce from the Issuer, when the Client needs to submit certain pre-obtained credentials to the Issuer to meet the requirements in one of the Issuer's Credential Manifests. The Client MUST bind credentials it is submitting to the received presentation nonce. This step is necessary to prevent submitted VCs from being replayed by a malicious Client.”
If the presentation of VCs is scoped to the OP (e.g. defines them as the domain/aud) and the OP keeps track of nonces it has seen before, then replay attacks are mitigated without having to rely on a server-side generated nonce.
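The mitigation the issue proposes, as an added illustration that is not part of the issue text or of any OIDC4VCI implementation: the OP checks that a presentation is bound to its own identifier (aud), is freshly signed, and carries a holder-chosen nonce it has not accepted before. The OP identifier, field names and the HMAC stand-in for the holder's signature are assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed example: a presentation is a dict with aud, nonce, iat,
# the submitted credentials and a signature over those fields. HMAC with
# a shared key stands in for the holder's real key-based signature.
MAX_AGE_SECONDS = 300  # assumed freshness window for a presentation


def _payload_bytes(p):
    fields = {k: p[k] for k in ("aud", "nonce", "iat", "credentials")}
    return json.dumps(fields, sort_keys=True).encode()


def sign_presentation(holder_key, aud, nonce, iat, credentials):
    """Holder side: bind the credentials to the OP (aud) and to a nonce."""
    p = {"aud": aud, "nonce": nonce, "iat": iat, "credentials": credentials}
    p["sig"] = hmac.new(holder_key, _payload_bytes(p), hashlib.sha256).hexdigest()
    return p


class PresentationVerifier:
    """OP side: audience check, signature check, freshness, replay cache."""

    def __init__(self, op_id, holder_key, max_age=MAX_AGE_SECONDS):
        self.op_id = op_id
        self.holder_key = holder_key
        self.max_age = max_age
        self.seen = {}  # nonce -> iat of the presentation that used it

    def verify(self, p, now):
        # Purge nonces older than the freshness window; anything that old
        # is rejected as stale anyway, so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if p.get("aud") != self.op_id:
            return "rejected: wrong audience"  # presentation meant for another party
        expected = hmac.new(self.holder_key, _payload_bytes(p), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, p.get("sig", "")):
            return "rejected: bad signature"  # credentials or nonce were altered
        if not (now - self.max_age <= p["iat"] <= now):
            return "rejected: stale"
        if p["nonce"] in self.seen:
            return "rejected: replay"  # same nonce submitted a second time
        self.seen[p["nonce"]] = p["iat"]
        return "accepted"
```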