Open heatherdahl opened 4 months ago
Thank you for your comment. The ARF discusses the topic of User binding in section 6.6.3.8. The ARF makes clear that User binding will always be done by means of user authentication by the WSCA/WSCD. This is enforced by the requirement in Annex 2 (WTE_2) that the WSCA/WSCD SHALL NOT perform any cryptographic operation unless the User is successfully authenticated.
Section 6.6.3.8 goes on to explain that an Attestation Provider may additionally add some attributes to the attestation to enable the Relying Party to verify User binding itself. In the case of a DTC in an EUDI Wallet, Issuers will always do so, because the presence of Data Group 2 (biometric face) is mandatory according to ICAO Doc 9303.
In other words, no change to the ARF is needed to ensure that Relying Parties can biometrically verify the user binding of a DTC presented to them by a Wallet Instance.
Description
Name: Heather Dahl, Indicio
ARF Chapter: 2.5.4 Digital Travel Credential
“Digital Travel Credential (DTC) Providers may issue DTCs to EUDI Wallets in a supported format enabling Relying Parties to identify Users and their travel, thus facilitating the travel experience and the User journey in this dynamic sector.”
Recommendation: The DTC should also be a biometrically-anchored credential to eliminate the fraudulent use of the credential.