Cryptographic hardware key

[rohe]

In the flow chart for the Wallet Instance Initialization and Registration the wallet is expected to send the hardware_key_tag to the wallet provider (Step 9). The Wallet Provider on the other hand is expected to store the Cryptographic Hardware Keys (step 12).

Don't understand how the translation from key tag to actual key is expected to work.

[rohe]

Note that further down in the text it's stated:

"It is not necessary to send the Wallet Hardware public key because it is already included in the key_attestation."

Which to me sounds like the key and not the tag is included in the attest key request. Or is it assumed that the device integrity service can acquire the key from the device using the tag ? In some out-of-band way ?

[grausof]

Both of your observations are correct. The key is included in the Key Attestation so the Wallet Provider can extract it from there and it is also used as a unique tag for the operating system to access the private key. Do you have any ideas on how to improve the text?

[grausof]

Please see the note: https://github.com/italia/eudi-wallet-it-docs/blob/22a0082fb2a23f0eec006c98a37297d7365098c5/docs/en/wallet-attestation.rst?plain=1#L156