[Openid-specs-ab] Issue #2065: [OIDC Federation] Trust Patterns - Wallets (openid/connect)
alen_horvat
issues-reply at bitbucket.org
Thu Sep 21 09:41:04 UTC 2023
New issue 2065: [OIDC Federation] Trust Patterns - Wallets
https://bitbucket.org/openid/connect/issues/2065/oidc-federation-trust-patterns-wallets
Alen Horvat:
Hi.
Based on the discussion at https://github.com/openid/OpenID4VCI/issues/71#issuecomment-1721676675 I'm opening this ticket to discuss and better understand the OIDC Fed. patterns.
My understanding is the following:
* OIDC Fed. defines creation and issuance of entity statements and construction of trust chains (trust chain == a sequence of entity statements)
In the context of digital wallet instances, the digital wallet has access to private/public key pairs and it also ships with wallet configuration (that usually needs to be presented to the issuer/verifier).
Since the trust chain can be put in any JWT/JWS header (currently via the protected trust_chain claim), I identified the two patterns below, and I'd like to see whether my understanding of the possible usage of trust chains and entity statements is correct.
a) Wallet provider issues entity statement + trust chain to the wallet instance; wallet instance is the leaf. The wallet instance entity statement contains the signed wallet configuration and wallet's key(s) – ideally, there should be 1 Entity Statement/key. Of course, the (mobile) wallet instance won't have any public endpoint. In this case, whenever required, the wallet can simply sign a request/response and put the trust_chain in the header. From the signature itself, the issuer/verifier can determine everything it needs to trust the wallet or not. (When this trust is established, whether the issuer requests additional info, etc. is not relevant to this discussion.)
b) The wallet provider issues a credential to the wallet instance and the wallet provider is the last one in the trust chain.
---
b) is something that Italy implemented, if I understood correctly.
My question is whether a) is a valid pattern? (I took the example of a wallet instance, but it can be applied in other contexts.)