pinamiranda
commented
1 month ago Thank you for your comment, that was accepted (and added to ARF 1.4.0)
We have made two changes prior to publication of ARF 1.4.0:
- This section (6.6.3.5) now allows the use of device-signed or self-issued attestations, provided that such solutions are certified for LoA “high”.
- We have added another bullet in section 6.6.3.5 explaining that solutions based on an authenticated channels are allowed. However, we emphasize that any solution must be fully conformant with the interface specifications between Wallet Instance and Relying Party (i.e., ISO 18013-5 and OpenID4VP). Otherwise, interoperability issues will occur.
The German Architecture Proposal Version 2 (from 2024-03-21) lists several different solution options (B, B',D, C', and C). From these options the first three (B, B' and D) rely mainly on trusted hardware and authenticated channels between this trusted hardware and the Wallet Provider, PID Provider, or Relying Party on the other side.
As I see it, the current ARF v1.3 mainly focuses on forms of signed credentials (according to the nomenclature of the German Architecture Proposal, where they are described as solution option C' or C).
So my question would be: Are approaches utilizing the concept of authenticated channels between trusted hardware and the WP, PP or RP already permissible according to the current version of the ARF, e.g., by the following trust requirements:
Or are such solution options using authenticated channels and MACs not permissible according to the current version of the ARF, e.g., indicated maybe by the following paragraphs which talk explicitly about public keys and signatures (not MACs):
If authenticated channel based solution options according to the German Architecture Proposal are not already covered (due to such specifics), will such concepts be explicitly added in a future version?