Open sander opened 3 days ago
Hi @sander
Thanks for working on this! I'm one of the co-chairs of the DCP WG group (the other chairs being Kristina & Torsten).
We don't seem to obviously have a contribution agreement from you or your company - unless you already completed one in the last few days, can you please complete one via the docusign process on https://openid.net/intellectual-property/openid-foundation-contribution-agreements/ ? This is a necessary step for anyone that wants to contribute to an OpenID Foundation specification, so it may be something you want to mention to other members of your working group that might get involved in adding this to the VCI spec.
In principle your proposal seems to make sense (although I am not qualified to comment on any of the cryptographic details).
I suspect a sensible next step might be to try and arrange for some members of your working group to join a DCP WG call and give the working group members a briefing on your specification. The WG call schedule is on https://openid.net/wg/digital-credentials-protocols/ - we have two different time slots (one is "EU friendly", one APAC-ish friendly), we may need to do this in both time slots (or perhaps do it in one and record it). Probably the earliest we could think about doing this is 11th July, and we should avoid week of 22nd July as IETF is that week.)
Thanks @jogu! I’ve just signed the contribution agreement. The 11th July EU Call should work for me, I’ll also check with other working group members.
Great, thanks. Just for clarity we'll also need to confirm we have the right people on our side available that day too.
Hi @sander , I already opened an Issue for this discussion a week ago here: https://github.com/openid/OpenID4VCI/issues/355 which is kind of adjacent
Thanks @paulbastian, this is indeed closely related and should be aligned. Note that with HDK:
device_keys
, but just the cnf
key to ensure the Wallet Provider does not learn the derived public keys as correlation handles;cnf
key into an ARKG public seed, without involvement of the Wallet Provider, so this will not be part of the WTE/ITE;
Hi OpenID4VCI authors! With a cross-pilot working group we’re specifying Hierarchical Deterministic Keys (HDKs) for the European Digital Identity Wallet. Let’s discuss how we could make HDK work with OpenID4VCI.
An HDK is a key deterministically derived from parent key material, and bound to a wallet secure cryptographic device (WSCD) using key blinding. A wallet instance could derive an HDK either locally, just using a static seed and path, or remotely, additionally using a key handle provided by another component. Remote key derivation is implemented using Asynchronous Remote Key Generation (ARKG). By construction, the wallet instance and optional remote party know that child keys are bound to the same WSCD (if any) as their parent key.
This design should offer several advantages to the ecosystem:
Locally derived keys are opaque to issuers, so can be considered just an optimisation for wallet solution design. Remotely derived keys have some consequences for OpenID4VCI applications:
(pk_kem, pk_bl)
, wherepk_kem
is a KEM public key andpk_bl
is an asymmetric key blinding public key (the key to derive from).As of d5ed198, it looks like OpenID4VCI does not yet fully support these features. As @paulbastian suggested in a recent HDK call, we could define a new proof type.
My first suggestion would be:
hdk
proof type with an associated object containing elements:seed
: REQUIRED. An ARKG public seed represented as base64url-encoded COSE_Key structure.key_handles
containing base64url-encoded ARKG key handles in the same order as the associated entries in thecredential
orcredentials
parameter.hdk.seed
, a proof of possession needs to be given of the key associated with the BL public key – and hence with the WSCD, if any. Doesinvalid_proof
meet this use case?What do you think?