From a11dcba45677a2be8f6da7cbd83da0504c7b27fb Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Fri, 10 May 2024 12:46:40 +0200 Subject: [PATCH] chore: add recommendation about public key used in the jwt proof (#267) * chore: add recommendation about public key used in the jwt proof This PR aims to remark an important aspect about the unlinkability of the credential through the holder key binding. * Update docs/en/pid-eaa-issuance.rst * Update docs/en/pid-eaa-issuance.rst * fix: remove DPoP / jwt proof binding * Mart Aarma added in the acknowledgments section --- docs/en/contribute.rst | 1 + docs/en/pid-eaa-issuance.rst | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/en/contribute.rst b/docs/en/contribute.rst index 3929edb69..921478355 100644 --- a/docs/en/contribute.rst +++ b/docs/en/contribute.rst @@ -37,6 +37,7 @@ implementation profile and to the initial set of implementations. - Kristina Yasuda - Leif Johansson - Lorenzo Cerini +- Mart Aarma - Marta Sciunnach - Michele Silletti - Nicola Saitto diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index f1fe78e44..1b6df962d 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst @@ -322,6 +322,11 @@ The ``client_assertion`` is signed using the private key that is created during **PID/(Q)EAA Credential Schema and Status registration:** The PID/(Q)EAA Provider MUST register all the issued Credentials for their later revocation, if needed. + +.. note:: + + It is RECOMMENDED that the public key contained in the ``jwt_proof`` be specifically generated for the requested Credential (fresh cryptographic key) to ensure that different issued Credentials do not share the same public key, thereby remaining unlinkable to each other. + .. code-block:: POST /credential HTTP/1.1 
@@ -892,7 +897,7 @@ The JWT proof type MUST contain the following parameters for the JOSE header and - It MUST be set to `openid4vci-proof+jwt`. - `[OIDC4VCI. Draft 13] `_, [:rfc:`7515`], [:rfc:`7517`]. * - **jwk** - - Representing the public key chosen by the Wallet Instance, in JSON Web Key (JWK) [:rfc:`7517`] format that the PID/(Q)EAA shall be bound to, as defined in Section 4.1.3 of [:rfc:`7515`]. The ``jwk`` value MUST be equal to the same public key that is generated for the DPoP. + - Representing the public key chosen by the Wallet Instance, in JSON Web Key (JWK) [:rfc:`7517`] format that the PID/(Q)EAA shall be bound to, as defined in Section 4.1.3 of [:rfc:`7515`]. - `[OIDC4VCI. Draft 13] `_, [:rfc:`7515`], [:rfc:`7517`]. .. list-table::
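Review bot: the note added in the ``@@ -322`` hunk of ``docs/en/pid-eaa-issuance.rst`` refers to the key container as ``jwt_proof``, while the parameter table in the ``@@ -892`` hunk of the same file calls it the JWT proof type and carries the public key in its ``jwk`` header; the two should use one term, for example "the public key carried in the ``jwk`` header of the JWT proof". The note is also placed between the Credential Schema and Status registration paragraph and the ``POST /credential`` example, whereas the normative description of that key is the ``jwk`` row of the JWT proof table; consider placing the recommendation next to that row (or cross-referencing it) so a reader of the table sees it, and, since it is only RECOMMENDED, state what the PID/(Q)EAA Provider does when a Wallet Instance presents an already used key.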
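Review bot: removing "The ``jwk`` value MUST be equal to the same public key that is generated for the DPoP." in the ``@@ -892`` hunk deletes the only statement in this table about the relationship between the DPoP key and the proof key, but leaves unsaid whether the Wallet Instance MAY still reuse the DPoP key in the proof; a DPoP key is shared by every request made under the same access token, so reusing it would defeat the fresh-key-per-Credential recommendation added in the ``@@ -322`` hunk. A short replacement such as "The ``jwk`` value SHOULD NOT be the public key used for DPoP." (or an explicit MAY, if reuse is intended to stay allowed) would keep the two hunks consistent, and any other section of the document that still describes the DPoP key as the Credential binding key needs the same update in this PR.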