openid / oid4vc-haip-sd-jwt-vc

High Assurance Profile of OID4VP and OID4VCI using SD-JWT VC and mdocs that is privacy preserving, secure, and meets regulatory requirements

issuer key resolution requirements for each entity: #7

Open Sakurann opened 1 year ago

Sakurann commented 1 year ago

There are currently two options for issuer key resolution: a web PKI based one and an X.509 based one. The current text states, "issuer supports one of the options, wallet and verifier support both", but @tlodderstedt is right that this will make the life of verifiers (and wallets) really hard. We probably need to discuss what it means for the issuer to support both X.509 and web PKI based...

peppelinux commented 1 year ago

Since the revocation for x509 should always be attested with web retrieval mechanisms, and since x509 works for key attestation only and needs to be extended with custom attributes to satisfy the requirements for policies and metadata/capabilities retrieval,

I'm in favour of using federation trust_chain as the best way to go to satisfy all the requirements for a high assurance profile that also attests grants and capabilities and not just the identity of an entity.

Then the question would be: where are the requirements? It is still a work in progress, but in one way or another it is becoming part of our shared knowledge:

https://docs.google.com/document/d/1Dk_8UmytCI4VhCx5VMnXmEzdXRvgJozGeq1GNHZOQik/edit#heading=h.jb7a7nddoxft