Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: issuance PAR req jti #54

Merged
merged 6 commits into from
Sep 1, 2023
Merged

fix: issuance PAR req jti #54

Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
bee00b4
fix: issuance PAR req jti
peppelinux Jul 6, 2023
b8be6af
Proofread dell'introduzione relativa a "PID issuance"
ruphy Aug 1, 2023
746f477
Merge pull request #88 from italia/pid-issuance-proofread
peppelinux Aug 3, 2023
8dd1512
Merge branch 'versione-corrente' into issjti
peppelinux Sep 1, 2023
2482776
issuance editorials
peppelinux Sep 1, 2023
1ca263b
issuance: jti considerations
peppelinux Sep 1, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 13 additions & 10 deletions docs/en/pid-issuance.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,19 +3,20 @@
.. _pid_issuance.rst:

PID Issuance
+++++++++++++
++++++++++++

The relevant entities and interfaces involved in the issuance flow are:

- *Wallet Provider*: It represents an organization (public or private) that is responsible for the release of an eIDAS-compliant EUDI Wallet Solution. It also issues thes Wallet Instance Attestation to its Wallet Instances by means of an Attestation Service. The Wallet Attestation certifies the genuinity and authenticity of the Wallet Instance and its compliance with a Trust Framework in compliance to the security and privacy requirements.
- *Wallet Solution*: It represents the entire product and service owned by a Wallet Provider, offered to all Users of that solution. A Wallet Solution must be certified as being EUDI-compliant by a Conformity Assessment Body (CAB).
- *Wallet Instance*: instance of a Wallet Solution, installed on User's device. It provides interfaces for User interaction with the Wallet Provider, Relying Parties, PID and (Q)EAA Providers.
- *PID Provider*: It represents the issuer of eIDAS Person Identification Data (PID). It is composed of:
- *Wallet Provider*: This organization (public or private) is responsible for releasing an eIDAS-compliant EUDI Wallet Solution. It also issues Wallet Instance Attestations to its Wallet Instances through an Attestation Service. The Wallet Attestation certifies the genuineness and authenticity of the Wallet Instance and its compliance with a Trust Framework meeting security and privacy requirements.
- *Wallet Solution*: This represents the entire product and service owned by a Wallet Provider, offered to all users of that solution. A Wallet Solution must be certified as EUDI-compliant by a Conformity Assessment Body (CAB).
- *Wallet Instance*: An instance of a Wallet Solution, installed on a user's device. It provides interfaces for user interaction with the Wallet Provider, Relying Parties, PID, and (Q)EAA Providers.
- *PID Provider*: This entity issues eIDAS Person Identification Data (PID). It consists of:

- OpenID4VCI Component: Based on the “OpenID for Verifiable Credential Issuance” specification `[OIDC4VCI. Draft 13] <https://openid.bitbucket.io/connect/openid-4-verifiable-credential-issuance-1_0.html>`_, it releases PID credentials.
- National eID Relying Party (OpenID Connect or SAML2): This component authenticates the End-User with national Digital Identity Providers.

- National IdP: This represents pre-existing identity systems based on SAML2 or OpenID Connect, already in production in each Member State (such as SPID and CIE ID authentication schemes notified as eIDAS with *LoA* **High** in Italy, see `SPID/CIE OpenID Connect Specifications <https://italia.github.io/spid-cie-oidc-docs/en/>`

- OpenID4VCI Component: based on the “OpenID for Verifiable Credential Issuance” specification `[OIDC4VCI. Draft 13] <https://openid.bitbucket.io/connect/openid-4-verifiable-credential-issuance-1_0.html>`_ to release PID credentials.
- National eID Relying Party (OpenID Connect or SAML2): It represents the component to authenticate the End-User with the national Digital Identity Providers.
- National IdP: It represents preexisting identity systems based on SAML2 or OpenID Connect, already in production in each Member State (for Italy SPID and CIE id authentication schemed notified eIDAS with *LoA* **High**, see `SPID/CIE OpenID Connect Specifications <https://italia.github.io/spid-cie-oidc-docs/en/>`_).

.. _fig_High-Level-Flow-EUDIW-PID-Issuing:
.. figure:: ../../images/High-Level-Flow-EUDIW-PID-Issuing.svg
:figwidth: 100%
Expand Down Expand Up @@ -367,7 +368,9 @@ The JWT payload is given by the following parameters:
* - **client_assertion**
- It MUST be set as in the :ref:`Table of the HTTP parameters <table_http_request_claim>`.
- See :ref:`Table of the HTTP parameters <table_http_request_claim>`.

* - **jti**
- Unique JWT identifier to prevent the reuse of the JWT (replay attack).
- [:rfc:`7519`].

Pushed Authorization Request (PAR) Response
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Expand Down
Loading