danielfett
commented
7 months ago I don't think that the issue pertains to this repository. Can you please check if it was filed correctly?
Open pietroACN opened 7 months ago
danielfett
commented
7 months ago I don't think that the issue pertains to this repository. Can you please check if it was filed correctly?
peppelinux
commented
7 months ago @pietroACN, from my understanding, the point you've raised is relevant within the context of the trust framework and the ways to attests the LoA high (eIDAS requirement, indeed), which serves as the foundation for the implementation of technologies.
This specification, by itself, may suggest or reference good or known practices in the domain of trust modeling and implementation. However, these recommendations can be omitted from the specific technical specifications, as they fall outside the scope of this document.
For instance:
These two examples operate at different levels, and the latter should not restrict the technical autonomy of the former.
using normative language "can" became "MUST" and your suggestion could be evaluated as a implementation or security consideration (therefore non-normative), reusing your words it would something like:
As a security consideration, to ensure an adequate level of assurance for the issued and stored credentials, the cryptographic
device within the Wallet Instance must undergo certification. This certification process involves obtaining a verifiable attestation,
directly issued and signed by the Wallet Provider, which is directly linked to the certifications provided by the designated
cybersecurity certification body for both the Wallet and the Wallet's Cryptographic Security Device (WCSD).At the same time, as @danielfett mentioned, this repository is related to SD-JWT VC Type Metadata therefore related to OpenID for VCI and then to Credential Issuers, that doesn't have any particular WSCD.
The requirement to check the compliance of the requesting party, the client (wallet) for preserving the same LoA of the issued credentials, would have sense in openid 4 vci specs and not to sd-jwt that's a credential format
Wallet certification is described as: " The Wallet Instance, as a personal device, is certified as reliable through a verifiable attestation issued and signed by a trusted third party." Link
As Wallet must be certified by the appropriate cybersecurity certification body, as well as internal/external WCSD used to generate and manage cryptographic keys, Verifiable Attestation must be signed or refers to a certification issued by the appointed cybersecurity certification body. WP would then issue an attestation that this specific instance is the same as the one certified.
Text would then be changed as: " The Wallet Instance, as a personal device, is certified as reliable through a verifiable attestation issued and signed by Wallet Provider directlt linked to the certifications issued by the appointed cybersecurity certification body both for the Wallet and WCSD."