grausof
commented
1 year ago Yes is the nonce. We have a pending discussion on this: https://github.com/italia/eudi-wallet-it-docs/issues/40
Closed peppelinux closed 6 months ago
grausof
commented
1 year ago Yes is the nonce. We have a pending discussion on this: https://github.com/italia/eudi-wallet-it-docs/issues/40
peppelinux
commented
1 year ago Partially resolved by https://github.com/italia/eudi-wallet-it-docs/pull/121
grausof
commented
10 months ago Authentication is guaranteed by the integrity check
peppelinux
commented
10 months ago the question is:
how does the wallet provider make sure that it is one of its wallet instances and not a generic compatible device for Apple/Android?
actually the PR to does not make this explicit
Could you give a few more words for this in your opinion, make it explicit with a box or just mention that this is a requirement (MUST) without going into detail on how this can happen?
each gap could give rise to privacy problems, if possible I would say which data are intended as necessary for the authentication of the wallet instance with its provider
hevelius
commented
10 months ago Conceptually, the integrity token is a way to establish the identity of the app (on an untampered device) through an attestation obtained from the vendor side (Apple/Goole). The wallet provider verifies the token, decodes it and inside it there is, among other information, the appId. The token is signed by Google which certifies that the identity is associated with an appId.
peppelinux
commented
6 months ago Duplicated
@rohe 's
I can't find any mentioning of how the wallet identifies itself to the wallet provider. No client authentication? I guess it has something with the nonce to do.