peppelinux / draft-demarco-oauth-status-assertions

OAuth 2.0 Status Assertions for Digital Credentials

Credential jwt in the status attestation request #3

Closed fmarino-ipzs closed 4 months ago

fmarino-ipzs commented 5 months ago

For privacy and security reasons, we should remove the credential JWT from the status attestation request. The credential_pop value should be a unique identifier of the credential, for example the hash value of the credential. The credential issuer is able to get the credential from the hash value, check the status and return the status attestation.

peppelinux commented 5 months ago

If we proceed with the approach of not accessing the credential in secure storage (thus not requiring user consent), the unique identifier would not be derived from the credential attributes. This means there could be JWTs without a jti or other credential formats lacking unique identifiers.

Consequently, to uniquely identify a credential, it would be necessary to use a hash of the credential itself. For a JWT, this would involve hashing the JWT; for an mDoc in CBOR format, it would involve hashing its base64 representation, and so forth.
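The hash-based identification discussed in this thread, as an added example that is not part of the issue or of the draft's own text: the wallet sends only a digest, and the issuer resolves it against an index built at issuance. The field names `credential_hash` and `credential_hash_alg`, the SHA-256 choice, the unpadded base64url encoding for mDoc, and the sample credentials are assumptions made for illustration.

```python
import base64
import hashlib

HASH_ALG = "sha-256"  # assumption: both parties pin a single algorithm

def credential_hash(credential, fmt):
    """Digest of the credential exactly as issued; identifies it without disclosing it."""
    if fmt == "jwt":
        data = credential.strip().encode("ascii")  # compact serialization, byte for byte
    elif fmt == "mdoc":
        # Assumption: the "base64 representation" is pinned to base64url without padding.
        data = base64.urlsafe_b64encode(credential).rstrip(b"=")
    else:
        raise ValueError(f"unsupported credential format: {fmt}")
    return hashlib.sha256(data).hexdigest()

def build_status_request(credential, fmt):
    """Wallet side: the request carries the hash, never the credential (hypothetical fields)."""
    return {"credential_hash": credential_hash(credential, fmt), "credential_hash_alg": HASH_ALG}

class IssuerStatusIndex:
    """Issuer side: the hash is recorded at issuance, so a lookup needs no credential."""
    def __init__(self):
        self._status = {}

    def register(self, credential, fmt):
        digest = credential_hash(credential, fmt)
        self._status[digest] = "valid"
        return digest

    def revoke(self, digest):
        if digest not in self._status:
            raise KeyError("unknown credential hash")
        self._status[digest] = "revoked"

    def status_for(self, request):
        if request.get("credential_hash_alg") != HASH_ALG:
            raise ValueError("unsupported hash algorithm")
        return self._status.get(request["credential_hash"])  # None: not issued here

# Constructed sample credentials (not real): a JWT-shaped string and a few CBOR bytes.
SAMPLE_JWT = "eyJhbGciOiJFUzI1NiJ9.eyJ2Y3QiOiJleGFtcGxlIn0.c2lnbmF0dXJl"
SAMPLE_MDOC = b"\xa1\x67docType\x6dorg.example.x"

if __name__ == "__main__":
    index = IssuerStatusIndex()
    index.register(SAMPLE_JWT, "jwt")
    print(index.status_for(build_status_request(SAMPLE_JWT, "jwt")))
```

The digest is taken over exact bytes, so wallet and issuer must agree on the encoding: hashing the padded base64 form of the same mDoc yields a different identifier and the lookup fails.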