From 74f63f8f550c7fd2d5171ac2ace4791eb5847909 Mon Sep 17 00:00:00 2001 From: SaraConsoliACN <167582839+SaraConsoliACN@users.noreply.github.com> Date: Fri, 24 May 2024 14:51:05 +0200 Subject: [PATCH 1/2] Req.4 Wallet Attestation Signature This commit aims to resolve issue #256 --- docs/en/wallet-attestation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/wallet-attestation.rst b/docs/en/wallet-attestation.rst index 23a62a2c1..79c46b769 100644 --- a/docs/en/wallet-attestation.rst +++ b/docs/en/wallet-attestation.rst @@ -14,7 +14,7 @@ The following requirements for the Wallet Attestation are met: - The Wallet Attestation MUST use the signed JSON Web Token (JWT) format; - The Wallet Attestation MUST give all the relevant information to attests the **integrity** and **security** of the device where the Wallet Instance is installed. -- The Wallet Attestation MUST be issued and signed by an accredited and reliable Wallet Provider, thereby providing integrity and authenticity to the attestation. +- The Wallet Attestation MUST be signed by the same Wallet Provider that is authoritative for (thus has issued) that wallet, as indicated by the overseeing Accreditation Body/Authority, so that the Attestation will uniquely bind the Wallet Provider to this Wallet Instance. - The Wallet Provider MUST ensure the integrity, authenticity, and genuineness of the Wallet Instance, preventing any attempts at manipulation or falsification by unauthorized third parties. - The Wallet Attestation MUST have a mechanism in place for revoking the Wallet Instance, allowing the Wallet Provider to terminate service for a specific instance at any time. - The Wallet Attestation MUST be securely bound to the Wallet Instance ephemeral public key. From 1f9e563c35cc8ea31add5f3e84156b9d7521cf99 Mon Sep 17 00:00:00 2001 From: SaraConsoliACN <167582839+SaraConsoliACN@users.noreply.github.com> Date: Mon, 27 May 2024 10:25:28 +0200 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Giuseppe De Marco --- docs/en/wallet-attestation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/wallet-attestation.rst b/docs/en/wallet-attestation.rst index 79c46b769..413895ce9 100644 --- a/docs/en/wallet-attestation.rst +++ b/docs/en/wallet-attestation.rst @@ -14,7 +14,7 @@ The following requirements for the Wallet Attestation are met: - The Wallet Attestation MUST use the signed JSON Web Token (JWT) format; - The Wallet Attestation MUST give all the relevant information to attests the **integrity** and **security** of the device where the Wallet Instance is installed. -- The Wallet Attestation MUST be signed by the same Wallet Provider that is authoritative for (thus has issued) that wallet, as indicated by the overseeing Accreditation Body/Authority, so that the Attestation will uniquely bind the Wallet Provider to this Wallet Instance. +- The Wallet Attestation MUST be signed by the Wallet Provider that has authority over and that is the owner of the Wallet Solution, as specified by the overseeing registration authority. This ensures that the Wallet Attestation uniquely links the Wallet Provider to this particular Wallet Instance. - The Wallet Provider MUST ensure the integrity, authenticity, and genuineness of the Wallet Instance, preventing any attempts at manipulation or falsification by unauthorized third parties. - The Wallet Attestation MUST have a mechanism in place for revoking the Wallet Instance, allowing the Wallet Provider to terminate service for a specific instance at any time. - The Wallet Attestation MUST be securely bound to the Wallet Instance ephemeral public key.