Wallet Instance authentication to the Wallet Provider before the WIA issuance #109
Comments
|
Yes is the nonce. We have a pending discussion on this: #40 |
|
Partially resolved by #121 |
|
Authentication is guaranteed by the integrity check |
|
the question is: how does the wallet provider make sure that it is one of its wallet instances and not a generic compatible device for Apple/Android? actually the PR to does not make this explicit Could you give a few more words for this in your opinion, make it explicit with a box or just mention that this is a requirement (MUST) without going into detail on how this can happen? each gap could give rise to privacy problems, if possible I would say which data are intended as necessary for the authentication of the wallet instance with its provider |
|
Conceptually, the integrity token is a way to establish the identity of the app (on an untampered device) through an attestation obtained from the vendor side (Apple/Goole). The wallet provider verifies the token, decodes it and inside it there is, among other information, the appId. The token is signed by Google which certifies that the identity is associated with an appId. |
|
We'll cover it here anyway |
|
Duplicated |
@rohe 's
I can't find any mentioning of how the wallet identifies itself to the wallet provider. No client authentication? I guess it has something with the nonce to do.
The text was updated successfully, but these errors were encountered: