From bee00b4906f3d9bf83e2f1a60ae87b8ba5ecf4a0 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Thu, 6 Jul 2023 10:55:12 +0200 Subject: [PATCH 1/4] fix: issuance PAR req jti --- docs/en/pid-issuance.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/en/pid-issuance.rst b/docs/en/pid-issuance.rst index 25f58de87..01371be5b 100644 --- a/docs/en/pid-issuance.rst +++ b/docs/en/pid-issuance.rst @@ -367,7 +367,9 @@ The JWT payload is given by the following parameters: * - **client_assertion** - It MUST be set as in the :ref:`Table of the HTTP parameters `. - See :ref:`Table of the HTTP parameters `. - + * - **jti** + - Unique JWT identifier to prevent the reuse of the JWT (replay attack). + - [:rfc:`7519`]. Pushed Authorization Request (PAR) Response ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ From b8be6af9be519e904a00457e20fb3f9fc01301bf Mon Sep 17 00:00:00 2001 From: Riccardo Iaconelli Date: Tue, 1 Aug 2023 12:14:22 +0200 Subject: [PATCH 2/4] Proofread of the introduction on "PID issuance" --- docs/en/pid-issuance.rst | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/docs/en/pid-issuance.rst b/docs/en/pid-issuance.rst index 01371be5b..b64818f68 100644 --- a/docs/en/pid-issuance.rst +++ b/docs/en/pid-issuance.rst
@@ -3,19 +3,20 @@ .. _pid_issuance.rst: PID Issuance -+++++++++++++ +++++++++++++ The relevant entities and interfaces involved in the issuance flow are: - - *Wallet Provider*: It represents an organization (public or private) that is responsible for the release of an eIDAS-compliant EUDI Wallet Solution. It also issues thes Wallet Instance Attestation to its Wallet Instances by means of an Attestation Service. The Wallet Attestation certifies the genuinity and authenticity of the Wallet Instance and its compliance with a Trust Framework in compliance to the security and privacy requirements. - - *Wallet Solution*: It represents the entire product and service owned by a Wallet Provider, offered to all Users of that solution. A Wallet Solution must be certified as being EUDI-compliant by a Conformity Assessment Body (CAB). - - *Wallet Instance*: instance of a Wallet Solution, installed on User's device. It provides interfaces for User interaction with the Wallet Provider, Relying Parties, PID and (Q)EAA Providers. - - *PID Provider*: It represents the issuer of eIDAS Person Identification Data (PID). It is composed of: + - *Wallet Provider*: This organization (public or private) is responsible for releasing an eIDAS-compliant EUDI Wallet Solution. It also issues Wallet Instance Attestations to its Wallet Instances through an Attestation Service. The Wallet Attestation certifies the genuineness and authenticity of the Wallet Instance and its compliance with a Trust Framework meeting security and privacy requirements. + - *Wallet Solution*: This represents the entire product and service owned by a Wallet Provider, offered to all users of that solution. A Wallet Solution must be certified as EUDI-compliant by a Conformity Assessment Body (CAB). + - *Wallet Instance*: An instance of a Wallet Solution, installed on a user's device. It provides interfaces for user interaction with the Wallet Provider, Relying Parties, PID, and (Q)EAA Providers. 
+ - *PID Provider*: This entity issues eIDAS Person Identification Data (PID). It consists of: + + - OpenID4VCI Component: Based on the “OpenID for Verifiable Credential Issuance” specification `[OIDC4VCI. Draft 13] `_, it releases PID credentials. + - National eID Relying Party (OpenID Connect or SAML2): This component authenticates the End-User with national Digital Identity Providers. + + - National IdP: This represents pre-existing identity systems based on SAML2 or OpenID Connect, already in production in each Member State (such as SPID and CIE ID authentication schemes notified as eIDAS with *LoA* **High** in Italy, see `SPID/CIE OpenID Connect Specifications ` - - OpenID4VCI Component: based on the “OpenID for Verifiable Credential Issuance” specification `[OIDC4VCI. Draft 13] `_ to release PID credentials. - - National eID Relying Party (OpenID Connect or SAML2): It represents the component to authenticate the End-User with the national Digital Identity Providers. - - National IdP: It represents preexisting identity systems based on SAML2 or OpenID Connect, already in production in each Member State (for Italy SPID and CIE id authentication schemed notified eIDAS with *LoA* **High**, see `SPID/CIE OpenID Connect Specifications `_). - .. _fig_High-Level-Flow-EUDIW-PID-Issuing: .. figure:: ../../images/High-Level-Flow-EUDIW-PID-Issuing.svg :figwidth: 100% From 2482776d58c939568b08b2ed4ae93e71fcbfaf96 Mon Sep 17 00:00:00 2001 From: peppelinux Date: Fri, 1 Sep 2023 23:31:08 +0200 Subject: [PATCH 3/4] issuance editorials --- docs/en/pid-eaa-issuance.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index 4568edab0..4d89c6025 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst 
@@ -8,10 +8,10 @@ PID/(Q)EAA Issuance This section describes the PID and (Q)EAAs issuance flow with an high level of security. The relevant entities and interfaces involved in the issuance flow are: - - *Wallet Provider*: The entity responsible for releasing an EUDI Wallet Solution. It also issues Wallet Instance Attestations to its Wallet Instances through an Attestation Service. The Wallet Attestation certifies the genuineness and authenticity of the Wallet Instance and its compliance with a Trust Framework meeting security and privacy requirements. - - *Wallet Solution*: Entire product and service owned by a Wallet Provider, offered to all the Users of that solution. A Wallet Solution must be certified as EUDI-compliant by a Conformity Assessment Body (CAB). + - *Wallet Provider*: The entity responsible for releasing an EUDI Wallet Solution. It also issues Wallet Instance Attestations to its Wallet Instances through an Attestation Service. The Wallet Attestation certifies the genuinity and authenticity of the Wallet Instance and its compliance with a Trust Framework in compliance to the security and privacy requirements. + - *Wallet Solution*: Entire product and service owned by a Wallet Provider, offered to all the Users of that solution. The Wallet Solution is certified as EUDI-compliant by a Conformity Assessment Body (CAB). - *Wallet Instance*: Instance of a Wallet Solution, installed on the User device. It provides interfaces for user interaction with the Wallet Provider, Relying Parties, PID, and (Q)EAA Providers. - - *PID Provider*: The entity that issues the eIDAS Person Identification Data (PID). It consists of: + - *PID Provider*: The entity that issues the eIDAS Person Identification Data (PID). It is composed of: - OpenID4VCI Component: based on the “OpenID for Verifiable Credential Issuance” specification `[OIDC4VCI. Draft 13] `_ to release PID credentials. 
- National eID Relying Party (OpenID Connect or SAML2): It represents the component to authenticate the End-User with the national Digital Identity Providers. From 1ca263bcfe3e01b20da83c904348ad02150e94e8 Mon Sep 17 00:00:00 2001 From: peppelinux Date: Fri, 1 Sep 2023 23:34:19 +0200 Subject: [PATCH 4/4] issuance: jti considerations --- docs/en/pid-eaa-issuance.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/en/pid-eaa-issuance.rst b/docs/en/pid-eaa-issuance.rst index 4d89c6025..fdb316571 100644 --- a/docs/en/pid-eaa-issuance.rst +++ b/docs/en/pid-eaa-issuance.rst @@ -420,9 +420,10 @@ The JWT payload is given by the following parameters: - It MUST be set as in the :ref:`Table of the HTTP parameters `. - See :ref:`Table of the HTTP parameters `. * - **jti** - - Unique JWT identifier to prevent the reuse of the JWT (replay attack). + - Unique JWT identifier to prevent the reuse of the JWT (replay attack). Since the `jti` value alone is not collision resistant, it MUST be identified uniquely together with its issuer. - [:rfc:`7519`]. + Pushed Authorization Request (PAR) Response ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
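Review bot: in PATCH 1/4 (hunk @@ -367,7 +367,9 @@ of docs/en/pid-issuance.rst) the new jti row says the identifier prevents reuse of the JWT, but the table does not state what makes that true on the receiving side: the PID Provider has to remember jti values it has already accepted and reject a PAR request JWT that presents one again, and it only needs to remember them until the assertion's exp has passed. The other rows also say whether a claim is REQUIRED or OPTIONAL; this one does not. Suggest adding, in the second column, a sentence such as "The PID Provider MUST reject a PAR request whose jti value has already been processed within the validity period of the JWT." The [:rfc:`7519`] reference is correct; the claim is defined in its Section 4.1.7.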
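Review bot: in PATCH 2/4 (hunk @@ -3,19 +3,20 @@ of docs/en/pid-issuance.rst) the rewritten National IdP bullet appears to drop the closing `_ and the closing parenthesis that the removed line had (the removed line ends with "`SPID/CIE OpenID Connect Specifications `_)." while the added line ends at "`SPID/CIE OpenID Connect Specifications `"), so the rST hyperlink reference would no longer render; restore the "`_)." terminator. Two smaller points: the Wallet Provider bullet introduces "Wallet Instance Attestations" and then calls the same thing "The Wallet Attestation" in the next sentence, so pick one name; and the heading underline was shortened from 13 to 12 "+" characters, which is fine since "PID Issuance" is 12 characters long.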
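Review bot: PATCH 3/4 (hunk @@ -8,10 +8,10 @@ of docs/en/pid-eaa-issuance.rst) reverts wording that the previous proofreading patch had corrected: "genuinity" is not a standard English word ("genuineness" was right), "in compliance to" should be "in compliance with", and "is composed of" replaces the simpler "consists of". The change from "A Wallet Solution must be certified as EUDI-compliant" to "The Wallet Solution is certified as EUDI-compliant" also turns a requirement into a description; if CAB certification is mandatory, keep "must" (or the MUST keyword the document uses elsewhere). While here, the unchanged context line "with an high level of security" should read "with a high level of security".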
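Review bot: in PATCH 4/4 (hunk @@ -420,9 +420,10 @@ of docs/en/pid-eaa-issuance.rst) "collision resistant" is the wrong notion for the added sentence; RFC 7519 Section 4.1.7 requires that jti be assigned so that the same value is not accidentally reused, and that collisions be prevented across issuers when several issuers share a namespace. It also does not say what the receiver must do. Suggest: "The jti value MUST be unique per issuer; the PID Provider MUST use the pair (iss, jti) as the replay key and MUST reject a PAR request JWT that reuses it within its validity period." Also, single-backtick `jti` in rST is interpreted text (the default role), not a literal, while the table header uses **jti**; use double backticks or the bold form for consistency.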