Closed peppelinux closed 5 months ago
How about adding this recommendation for the c_nonce
in section 7.3 for the Credential Response? This would prevent replay attacks for all subsequent requests.
If the point of this PR is to recommend the usage of c_nonce in general (regardless of how the issuer provides c_nonce), the specification right now actually intends to mandate c_nonce (either from the token endpoint or credential endpoint).
I am inclined to close this issue until there is more clarity on the issues including #331.
With the discussion in #331, the direction is to remove the option to return c_nonce from the token endpoint.
This PR aims to resolve the issue https://github.com/openid/OpenID4VCI/issues/313 where @andprian expressed her sensibility about some details that matter for the security and the behaviour that an implementer may expect from the AS.
This PR does not address the revocation of a credential when a request for the same credential type occurs. As noted in the related issue, this behavior may be influenced by various factors outside the scope of this specification, including legal requirements already mentioned.