italia / eudi-wallet-it-docs

Italian EUDI Wallet Technical Specifications
Creative Commons Zero v1.0 Universal

[OpenID4VP] Verifiable Client Attestation #45

Closed peppelinux closed 2 weeks ago

peppelinux commented 1 year ago

thread here https://bitbucket.org/openid/connect/pull-requests/524/add-verifier-attestation-jwt-definition

This may have an impact on the trust evaluation mechanisms during the presentation phase. I agree with the solution proposed in the PR, since the verifiable attestation in our implementation should have a trust_chain in the JWS header, or at least an x5c parameter.

The requirements are listed below:

peppelinux commented 1 year ago

@fmarino-ipzs @grausof the PR was merged 5 days ago

It has positive impacts on the trust model, since the RP shows a verifiable attestation about itself, and this is then obviously signed by a trusted third party.

Using federation, this verifiable attestation should contain the trust_chain JWS header parameter, or at least an x5c, for the trust evaluation.
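Added example, not part of the original comment or of the project's code: a structural pre-check a wallet could run on a verifier attestation before trust evaluation, reading the JWS protected header and reporting whether it carries `trust_chain` or `x5c`. The function names, the preference for `trust_chain` when both are present, and the sample builder are assumptions made for illustration.

```python
import base64
import binascii
import json


def b64url_decode(segment):
    """Decode an unpadded base64url segment (RFC 7515 compact form)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def trust_material(attestation_jws):
    """Return ("trust_chain" | "x5c", entries) from the JWS protected header.

    Structural pre-check only: no signature or chain is verified here; the
    result tells the caller which trust evaluation to run next.
    """
    parts = attestation_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("undecodable JWS header") from exc
    if not isinstance(header, dict) or str(header.get("alg", "none")).lower() == "none":
        raise ValueError("attestation must be a signed JWS")
    # Assumption: when both are present, the federation trust chain wins.
    chain = header.get("trust_chain")
    if chain is not None:
        ok = isinstance(chain, list) and chain and all(
            isinstance(e, str) and e.count(".") == 2 for e in chain)
        if not ok:
            raise ValueError("malformed trust_chain")
        return "trust_chain", chain
    x5c = header.get("x5c")
    if x5c is not None:
        try:  # x5c entries are standard base64 DER certificates, not base64url
            ok = isinstance(x5c, list) and x5c and all(
                base64.b64decode(c, validate=True) for c in x5c)
        except (binascii.Error, TypeError, ValueError):
            ok = False
        if not ok:
            raise ValueError("malformed x5c")
        return "x5c", x5c
    raise ValueError("no trust_chain or x5c header parameter")


def constructed_jws(header):
    """Build a constructed sample JWS with a dummy payload and signature."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), enc(b"sig")])
```

An attestation that passes this check still has to go through full signature and chain validation against the federation trust anchor or the X.509 trust store.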

peppelinux commented 1 year ago

Regarding how the attestation can be provisioned using Federation and then the requirement to relax its typ parameter: https://bitbucket.org/openid/connect/issues/1992/openid4vp-relying-party

@fmarino-ipzs ^

peppelinux commented 2 weeks ago

This issue is related to policies and grants given to RPs.

This impacts federation and X.509 certificates.

peppelinux commented 2 weeks ago

Verifier Client Attestation seems to be deprecated; trust chains (federation or X.509) seem to have more concreteness.