From 7ad26e1563a879c0f326ab792e27623f350f54bd Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Thu, 9 Jan 2025 11:56:58 +0100 Subject: [PATCH 1/7] add small text about the client_id of wallets --- openid-4-verifiable-credential-issuance-1_0.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 0d196744..4a19c709 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -2558,6 +2558,8 @@ The following is a non-normative example of a Wallet Attestation: To use the Wallet Attestation towards the Authorization Server, the Wallet MUST generate a proof of possession according to Section 5.2 "Client Attestation PoP JWT" of Attestation-Based Client Authentication. +The `sub` claim of the Wallet Attestation JWT is picked by the Wallet Provider and represents the `client_id` of the Wallet. This value should be shared by all Wallet Instances for privacy reasons. + # IANA Considerations ## OAuth URI Registry From 3d508a92a80af732be53c52f7fe85141721ed3b4 Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Thu, 9 Jan 2025 11:57:32 +0100 Subject: [PATCH 2/7] add missing comma in attestation jwt example --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 4a19c709..b056f5c8 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -2532,7 +2532,7 @@ The following is a non-normative example of a Wallet Attestation: ``` { - "typ": "oauth-client-attestation+jwt" + "typ": "oauth-client-attestation+jwt", "alg": "ES256", "kid": "11" } From f28adb2c074fe4cd68c3686f1642b130e3d59c91 Mon Sep 17 00:00:00 2001 
From: Christian Bormann Date: Thu, 9 Jan 2025 11:58:24 +0100 Subject: [PATCH 3/7] add document history --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index b056f5c8..d7455b8b 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -2758,7 +2758,7 @@ The technology described in this specification was made available from contribut -16 - * + * clarify client_id of wallet with wallet attestation -15 From 13da8e115b1a71b7ab5db3da16e3c75aca4d5a43 Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Thu, 9 Jan 2025 12:00:03 +0100 Subject: [PATCH 4/7] clarification of wallet instances --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index d7455b8b..ec8308cd 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -2558,7 +2558,7 @@ The following is a non-normative example of a Wallet Attestation: To use the Wallet Attestation towards the Authorization Server, the Wallet MUST generate a proof of possession according to Section 5.2 "Client Attestation PoP JWT" of Attestation-Based Client Authentication. -The `sub` claim of the Wallet Attestation JWT is picked by the Wallet Provider and represents the `client_id` of the Wallet. This value should be shared by all Wallet Instances for privacy reasons. +The `sub` claim of the Wallet Attestation JWT is picked by the Wallet Provider and represents the `client_id` of the Wallet. This value should be shared by all Wallet Instances from that Wallet Provider for privacy reasons. # IANA Considerations From 908b2d3dbb2a6300f1f19b4f8af9dd142357c4c0 Mon Sep 17 00:00:00 2001 
From: Christian Bormann <8774236+c2bo@users.noreply.github.com> Date: Mon, 27 Jan 2025 10:32:38 +0100 Subject: [PATCH 5/7] Apply suggestions from Kristina's review Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com> --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index ec8308cd..50df725c 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -2558,7 +2558,7 @@ The following is a non-normative example of a Wallet Attestation: To use the Wallet Attestation towards the Authorization Server, the Wallet MUST generate a proof of possession according to Section 5.2 "Client Attestation PoP JWT" of Attestation-Based Client Authentication. -The `sub` claim of the Wallet Attestation JWT is picked by the Wallet Provider and represents the `client_id` of the Wallet. This value should be shared by all Wallet Instances from that Wallet Provider for privacy reasons. +The `sub` claim of the Wallet Attestation JWT is picked by the Wallet Provider and represents the `client_id` of the Wallet. For privacy reasons, this value is the same across Wallet Instances of that Wallet Provider. # IANA Considerations From 27ccee15c85dbcaae1dc911134703db30f8b1667 Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Mon, 27 Jan 2025 10:43:17 +0100 Subject: [PATCH 6/7] privacy considerations for wallet attestation client_id --- openid-4-verifiable-credential-issuance-1_0.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 50df725c..80c8c1fa 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md
@@ -1664,6 +1664,13 @@ for example, by including clear-text session information as a `state` parameter it in a `redirect_uri` parameter. A third party may observe such information through browser history, etc. and correlate the user's activity using it. +### Wallet Attestation Subject {#walletattestation-sub} + +The Wallet Attestation as defined in (#wallet attestation) SHOULD NOT introduce a unique identifier specific to a single client. +The subject claim for the Wallet Attestation SHOULD be a value that is shared by all Wallet instances using this type of +wallet implementation. The value should be understood as an identifier of the Wallet type, rather than the specific Wallet +instance itself. + ## Identifying the Credential Issuer Information in the credential identifying a particular Credential Issuer, such as a Credential Issuer Identifier, @@ -2558,7 +2565,7 @@ The following is a non-normative example of a Wallet Attestation: To use the Wallet Attestation towards the Authorization Server, the Wallet MUST generate a proof of possession according to Section 5.2 "Client Attestation PoP JWT" of Attestation-Based Client Authentication. -The `sub` claim of the Wallet Attestation JWT is picked by the Wallet Provider and represents the `client_id` of the Wallet. For privacy reasons, this value is the same across Wallet Instances of that Wallet Provider. +The `sub` claim of the Wallet Attestation JWT is picked by the Wallet Provider and represents the `client_id` of the Wallet. For privacy reasons, this value is the same across Wallet instances of that Wallet Provider, see (#walletattestation-sub) for more details. # IANA Considerations @@ -2758,7 +2765,7 @@ The technology described in this specification was made available from contribut -16 - * clarify client_id of wallet with wallet attestation + * add privacy considerations for the client_id used with wallet attestations -15 From 5cc3afdcafd5a17e775419de3a46a31b7c04975d Mon Sep 17 00:00:00 2001 
From: Christian Bormann <8774236+c2bo@users.noreply.github.com> Date: Wed, 5 Feb 2025 16:44:25 +0100 Subject: [PATCH 7/7] Apply suggestions from Kristina's review Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com> --- openid-4-verifiable-credential-issuance-1_0.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 80c8c1fa..bd899445 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -1666,7 +1666,7 @@ history, etc. and correlate the user's activity using it. ### Wallet Attestation Subject {#walletattestation-sub} -The Wallet Attestation as defined in (#wallet attestation) SHOULD NOT introduce a unique identifier specific to a single client. +The Wallet Attestation as defined in (#walletattestation) SHOULD NOT introduce a unique identifier specific to a single client. The subject claim for the Wallet Attestation SHOULD be a value that is shared by all Wallet instances using this type of wallet implementation. The value should be understood as an identifier of the Wallet type, rather than the specific Wallet instance itself. 
@@ -2565,7 +2565,7 @@ The following is a non-normative example of a Wallet Attestation: To use the Wallet Attestation towards the Authorization Server, the Wallet MUST generate a proof of possession according to Section 5.2 "Client Attestation PoP JWT" of Attestation-Based Client Authentication. -The `sub` claim of the Wallet Attestation JWT is picked by the Wallet Provider and represents the `client_id` of the Wallet. For privacy reasons, this value is the same across Wallet instances of that Wallet Provider, see (#walletattestation-sub) for more details. +The `sub` claim of the Wallet Attestation JWT is picked by the Wallet Provider and represents the `client_id` of the Wallet instance. For privacy reasons, this value is the same across Wallet instances of that Wallet Provider, see (#walletattestation-sub) for more details. # IANA Considerations
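Review bot: in the 1/7 hunk at line 2558, "This value should be shared by all Wallet Instances for privacy reasons" uses a lowercase "should" in a paragraph whose previous sentence uses RFC 2119 "MUST", so it is unclear whether this is a requirement or a remark; either write "SHOULD be the same for all Wallet Instances of the Wallet Provider" and state what it protects against (a per-instance `sub` would let Authorization Servers correlate a Wallet instance across requests), or keep the sentence descriptive and put the requirement in the Privacy Considerations, which 6/7 later does.

Review bot: the 3/7, 4/7 and 5/7 hunks only reword the same sentence at line 2558 and the same "-16" history entry that 1/7 and 6/7 also touch ("* clarify client_id of wallet with wallet attestation" is replaced wholesale in 6/7); please squash the series into a single commit per logical change before merging so the history reflects the final text rather than five drafts of one paragraph.

Review bot: in the 6/7 hunk at line 1664, the reference "(#wallet attestation)" contains a space and will not resolve as an anchor (7/7 corrects it to "(#walletattestation)", another reason to squash); more substantively, "SHOULD NOT introduce a unique identifier specific to a single client" is broader than what the `sub` text intends, because the same attestation is used with a proof of possession per Section 5.2 of Attestation-Based Client Authentication, and the key that PoP binds is necessarily specific to one Wallet instance. Scope the sentence to the claim in question, for example "The `sub` claim of the Wallet Attestation SHOULD NOT be a unique identifier specific to a single Wallet instance", and uppercase "should be understood" or rephrase it as non-normative ("is to be understood") so the paragraph does not mix keyword styles.

Review bot: in the 6/7 hunk at line 2565, the scope of the shared value differs from the new section it points to: the body says the value "is the same across Wallet instances of that Wallet Provider", while (#walletattestation-sub) says it is shared by "all Wallet instances using this type of wallet implementation" and is "an identifier of the Wallet type". A Wallet Provider may ship more than one wallet implementation, so these are not the same set; pick one scope (per implementation/type seems to be the intent) and use it in both places. Also "is the same" reads as a statement of fact whereas the referenced section only says SHOULD; align the strength, e.g. "SHOULD be the same ... see (#walletattestation-sub)".

Review bot: in the 7/7 hunk at line 2565, "represents the `client_id` of the Wallet instance. For privacy reasons, this value is the same across Wallet instances" reads as a contradiction on first pass (a per-instance client_id that is identical for all instances); suggest "is the value the Wallet instance uses as its `client_id`" or "represents the `client_id` used by Wallet instances of that Wallet Provider". It would also help implementers to add one sentence noting the consequence: since `client_id` no longer distinguishes Wallet instances, an Authorization Server cannot use it for per-instance decisions and has to rely on the key bound in the Client Attestation PoP JWT (Section 5.2) for anything instance-specific.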