[Openid-specs-ab] Issue #1798: OID4VPs - need to specify the trust model (openid/connect)
David W Chadwick
issues-reply at bitbucket.org
Mon Jan 30 21:36:37 UTC 2023
New issue 1798: OID4VPs - need to specify the trust model
https://bitbucket.org/openid/connect/issues/1798/oid4vps-need-to-specify-the-trust-model
David W Chadwick:
We should specify the trust model for wallets trusting verifiers and add this to the specification. Here is a strawman proposal for this:
TRUST MODEL FOR WALLETS PRESENTING CREDENTIALS
The wallet/holder cannot trust the verifier without either some pre-existing knowledge of the verifier or a trust infrastructure to inform it. This specification provides a mechanism for the latter. The consequence of this trust model is that nothing asserted by the verifier can be trusted, such as its client_id or metadata.
1. The wallet/holder is a member of one or more trust domains, and knows how to contact them to ask if a verifier is trusted.
2. Trusted verifiers must have their client_id recorded in one or more trust domains.
3. Wallet/holders can determine if the asserted client_id is trusted by asking their trust domain.
4. The location of the verifier’s metadata must either be recorded in the trust domain and returned to the wallet/holder along with the affirmation of trust in the client_id, or there must be an algorithmic way for the wallet to determine the location of the verifier’s metadata based on its trusted client_id.
Note. We might also want to write the trust model for verifiers trusting issuers and verifiers trusting wallets.
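The wallet-side decision the strawman above describes, written out as an added example that is not part of the issue text, the OpenID4VP specification, or any real trust domain. The in-memory trust-domain registry, the client_ids, the authorization requests and the metadata-location derivation rule (an https client_id mapped to an assumed `/.well-known/openid-verifier-metadata` path) are all constructed for illustration. The point the code makes is the one in the proposal: the asserted `client_id` is used only as a lookup key against the wallet's own trust domains, and verifier-asserted metadata in the request is never consulted.

```python
"""Wallet-side trust decision for an incoming OpenID4VP authorization request.

Constructed example. The trust domains, client_ids and the metadata-location
derivation rule are illustrative assumptions, not anything the OpenID4VP
specification or a real trust domain defines.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class TrustAnswer:
    """What a trust domain returns when asked about a client_id."""
    trusted: bool
    metadata_location: Optional[str] = None  # recorded with the client_id, if any


class TrustDomain:
    """Toy stand-in for a trust domain the wallet is a member of.

    A real trust domain would be queried over the network; here it is an
    in-memory table so the example runs offline.
    """

    def __init__(self, name: str, registry: dict):
        self.name = name
        self._registry = registry  # client_id -> recorded metadata location (or None)

    def is_trusted(self, client_id: str) -> TrustAnswer:
        if client_id not in self._registry:
            return TrustAnswer(trusted=False)
        return TrustAnswer(trusted=True, metadata_location=self._registry[client_id])


def derive_metadata_location(client_id: str) -> Optional[str]:
    """Assumed algorithmic rule (rule 4, second branch): an https client_id yields
    a metadata URL under a fixed path. The path is an assumption for this example."""
    parsed = urlparse(client_id)
    if parsed.scheme != "https" or not parsed.netloc:
        return None  # nothing derivable from a URN or other non-URL client_id
    return f"https://{parsed.netloc}/.well-known/openid-verifier-metadata"


@dataclass(frozen=True)
class TrustDecision:
    accept: bool
    reason: str
    metadata_location: Optional[str] = None
    trust_domain: Optional[str] = None


def decide(request: dict, trust_domains: list) -> TrustDecision:
    """Apply the strawman trust model to an authorization request.

    Only request["client_id"] is used, and only as a key to ask the wallet's
    trust domains about. Anything else the verifier asserts about itself
    (e.g. an inline client_metadata object) is deliberately ignored.
    """
    client_id = request.get("client_id")
    if not isinstance(client_id, str) or not client_id:
        return TrustDecision(False, "request carries no client_id to check")

    for domain in trust_domains:  # rule 3: ask each trust domain the wallet belongs to
        answer = domain.is_trusted(client_id)
        if not answer.trusted:
            continue
        # rule 4: prefer the location recorded in the trust domain, else derive it
        location = answer.metadata_location or derive_metadata_location(client_id)
        if location is None:
            return TrustDecision(False, "trusted client_id but no way to locate metadata",
                                 trust_domain=domain.name)
        return TrustDecision(True, "client_id trusted", metadata_location=location,
                             trust_domain=domain.name)

    return TrustDecision(False, "client_id not recorded in any of the wallet's trust domains")


# Constructed trust domains the wallet is a member of (rule 1).
WALLET_TRUST_DOMAINS = [
    TrustDomain("example-domain-A", {
        "https://verifier.example.com": "https://verifier.example.com/metadata.json",
        "https://bank.example.net": None,  # recorded, but no metadata location recorded
    }),
    TrustDomain("example-domain-B", {
        "urn:example:verifier:42": None,   # recorded, not a URL, so nothing derivable
    }),
]

# Constructed authorization requests as a wallet might receive them.
REQUESTS = {
    "recorded_location": {"client_id": "https://verifier.example.com",
                          "client_metadata": {"client_name": "Anything the verifier claims"}},
    "derived_location": {"client_id": "https://bank.example.net"},
    "unresolvable": {"client_id": "urn:example:verifier:42"},
    "unknown": {"client_id": "https://attacker.example.org",
                "client_metadata": {"client_name": "Trusted Bank"}},
}


def run_all() -> dict:
    """Decide every constructed request against the wallet's trust domains."""
    return {name: decide(req, WALLET_TRUST_DOMAINS) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, d in run_all().items():
        print(f"{name:18} accept={d.accept} domain={d.trust_domain} "
              f"metadata={d.metadata_location} ({d.reason})")
```

The "unknown" request carries a convincing `client_metadata.client_name`, and the wallet never looks at it: a verifier that is not recorded in any trust domain is rejected regardless of what it asserts, and a trusted verifier's metadata is fetched from the location the trust domain recorded or derived, not from the request.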