feat: Add Wallet Attestation request flow (#233)

* feat: Add Wallet Attestation request flow * Apply suggestions from code review Co-authored-by: Giuseppe De Marco <[email protected]> * Apply suggestions from code review Co-authored-by: Giuseppe De Marco <[email protected]> * Add nonce endpoint reference * Update docs/en/wallet-attestation.rst Co-authored-by: Giuseppe De Marco <[email protected]> * chore: Wallet Attestation editorials and some normative verbs * chore: wallet solution editorials * Remove type * Remove type * chore: standards editorials and removed unused token revocation * defind terms removea misleading element, wallet solution removed auth endpoint pointing to SIOP * Apply suggestions from code review Co-authored-by: fmarino-ipzs <[email protected]> * Update docs/en/defined-terms.rst Co-authored-by: fmarino-ipzs <[email protected]> * Update docs/en/wallet-attestation.rst Co-authored-by: fmarino-ipzs <[email protected]> * refactor * Add Warning * Add Warning * Include other wscd technologies * Rename Wallet Hardware Key Tag to Cryptographic Hardware Key * Rename Wallet Hardware Key Tag to Cryptographic Hardware Key * Apply suggestions from code review Co-authored-by: Giuseppe De Marco <[email protected]> * Apply suggestions from code review Co-authored-by: Giuseppe De Marco <[email protected]> * Apply suggestions from code review Co-authored-by: Giuseppe De Marco <[email protected]> * Update docs/en/wallet-solution.rst Co-authored-by: Giuseppe De Marco <[email protected]> --------- Co-authored-by: Giuseppe De Marco <[email protected]> Co-authored-by: Giuseppe De Marco <[email protected]> Co-authored-by: fmarino-ipzs <[email protected]>
italia · Apr 5, 2024 · 5c38e12 · 5c38e12
1 parent c97726b
commit 5c38e12
Show file tree

Hide file tree

Showing 8 changed files with 434 additions and 264 deletions.
diff --git a/docs/common/standards.rst b/docs/common/standards.rst
@@ -8,29 +8,27 @@ Technical References
     :header-rows: 0
 
     * - `OIDC-FED`_
-      - OpenID Connect Federation 1.0
+      - OpenID Connect Federation 1.0.
     * - `OPENID4VCI`_
-      - T\. Lodderstedt, K. Yasuda, T. Looker, "OpenID for Verifiable Credential Issuance", February 2023.
+      - T. Lodderstedt, K. Yasuda, T. Looker, "OpenID for Verifiable Credential Issuance", February 2023.
     * - `SD-JWT-VC`_
-      - O\. Terbu, D.Fett, "SD-JWT-based Verifiable Credentials (SD-JWT VC)".
+      - O. Terbu, D.Fett, "SD-JWT-based Verifiable Credentials (SD-JWT VC)".
     * - `EIDAS-ARF`_
-      - EUDI Wallet - Architecture and Reference Framework
+      - EUDI Wallet - Architecture and Reference Framework.
     * - `OPENID4VP`_
-      - OpenID for Verifiable Presentations - draft 19 
+      - OpenID for Verifiable Presentations.
     * - `PresentationExch`_
-      - Presentation Exchange 2.0 for Presentation Definition
+      - Presentation Exchange 2.0 for Presentation Definition.
     * - :rfc:`2119`
-      - Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels," BCP 14, RFC 2119, March 1997.
+      - Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels" BCP 14, RFC 2119, March 1997.
     * - :rfc:`2616`
       - Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” RFC 2616, June 1999.
     * - :rfc:`3339`
       - Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002.
     * - :rfc:`3986`
-      - Uniform Resource Identifier (URI): Generic Syntax
-    * - :rfc:`7009`
-      - Lodderstedt, T., Dronia, S., Scurtescu, M., “OAuth 2.0 Token Revocation,” RFC7009, August 2013.
+      - Uniform Resource Identifier (URI): Generic Syntax.
     * - :rfc:`7159`
-      - Bray, T., “The JavaScript Object Notation (JSON) Data Interchange Format,” RFC 7159, March 2014.
+      - Bray, T., “The JavaScript Object Notation (JSON) Data Interchange Format” RFC 7159, March 2014.
     * - :rfc:`7515`
       - Jones, M., Bradley, J. and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015.
     * - :rfc:`7516`
@@ -42,7 +40,7 @@ Technical References
     * - :rfc:`7519`
       - Jones, M., Bradley, J. and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015.
     * - :rfc:`7638`
-      - Jones, M., Sakimura, N., “JSON Web Key (JWK) Thumbprint,”RFC7638, September 2015.
+      - Jones, M., Sakimura, N., “JSON Web Key (JWK) Thumbprint”, September 2015.
     * - :rfc:`7800`
       - Jones, M., Bradley, J. and H. Tschofenig, "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)", RFC 7800, DOI 10.17487/RFC7800, April 2016.
     * - :rfc:`8174`
@@ -52,8 +50,8 @@ Technical References
     * - `JARM`_
       - Lodderstedt, T., Campbell, B., "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)", November 2022.
     * - :rfc:`6749`
-      - The OAuth 2.0 Authorization Framework
+      - The OAuth 2.0 Authorization Framework.
     * - :rfc:`9449`
-      - D\. Fett, B. Campbell, J. Bradley, T. Lodderstedt, M. Jones, D. Waite, "OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)"
+      - D. Fett, B. Campbell, J. Bradley, T. Lodderstedt, M. Jones, D. Waite, "OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)".
     * - `OPENID4VC-HAIP`_
-      - Lodderstedt, T., K. Yasuda, "OpenID4VC High Assurance Interoperability Profile with SD-JWT VC"
+      - Lodderstedt, T., K. Yasuda, "OpenID4VC High Assurance Interoperability Profile with SD-JWT VC".
diff --git a/docs/en/defined-terms.rst b/docs/en/defined-terms.rst
@@ -27,8 +27,6 @@ Below are the description of acronyms and definitions which are useful for furth
      - An entity accredited by the Federation Authority, responsible for managing the process of verification and certification of accreditation requirements for ecosystem roles.
    * - Digital Identity Provider
      - An entity, recognized and accredited by the State, responsible for identifying citizens for the issuance of an Electronic Identity Certificate.
-   * - Electronic Attestation of Identity
-     - Electronic attestation of attributes referring to master data already present in Italian digital identity systems.
    * - Digital Credential
      - An signed Credential whose integrity can be cryptographically verified using the public keys of its Issuer. It is also known as Credential.
    * - Federation Authority
@@ -39,10 +37,18 @@ Below are the description of acronyms and definitions which are useful for furth
      - All public and/or private entities, conforming to a technical profile and accredited by the Federation Authority, that provide citizens with an IT Wallet Instance.
    * - Wallet Attestation
      - Verifiable Attestation, issued by the Wallet Provider, that proves the security compliace of the Wallet Instance.
+   * - Wallet Secure Cryptographic Device
+     - Hardware-backed secure environment for creating, storing, and/or managing cryptographic keys and data. A WSCD MAY implement an association proof in different ways. This largely depends on the implementation of the WSCD for example: remote HSM, external smart card, internal UICC, internal native cryptographic hardware, such as the iOS Secure Enclave or the Android Hardware Backed Keystore or StrongBox
    * - Credential Status Attestation
      - Verifiable Attestation proving that a related Digital Credential is not revoked.
-   * - Wallet Attestation Service
-     - Device manufacturer service that allows you to certify the authenticity of the mobile app (Wallet Instance).
+   * - Device Integrity Service
+     - A service provided by device manufacturers that verifies the integrity and authenticity of the app instance (Wallet Instance), as well as certifying the secure storage of private keys generated by the device within its dedicated hardware. It's important to note that the terminology used to describe this service varies among manufacturers.
+   * - Cryptographic Hardware Keys
+     - During the app initialization, the Wallet Instance generates a pair of keys, one public and one private, which remain valid for the entire duration of the Wallet Instance's life. Functioning as a Master Key for the personal device, these Cryptographic Hardware Keys are confined to the OS domain and are not designed for signing arbitrary payloads. Their primary role is to provide a unique identification for each Wallet Instance.
+   * - Cryptographic Hardware Key Tag
+     - A unique identifier created by the operating system for the Cryptographic Hardware Keys, utilized to gain access to the private key stored in the hardware.
+   * - Key Attestation
+     - An attestation from the device's OEM that enhances your confidence in the keys used in your Wallet Instance being securely stored within the device's hardware-backed keystore.
    * - Qualified Electronic Attestation of Attributes (QEAA)
      - A digitally verifiable attestation in electronic form, issued by a QTSP, that substantiates a person's possession of attributes.
    * - Qualified Electronic Signature Provider
@@ -83,3 +89,7 @@ Acronyms
     - Application Programming Interface
   * - **LoA**
     - Level of Assurance
+  * - **AAL**
+    - Authenticator Assurance Level as defined in `<https://csrc.nist.gov/glossary/term/authenticator_assurance_level>`_
+  * - **WSCD**
+    - Wallet Secure Cryptographic Device