diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 0d196744..bd899445 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -1664,6 +1664,13 @@ for example, by including clear-text session information as a `state` parameter it in a `redirect_uri` parameter. A third party may observe such information through browser history, etc. and correlate the user's activity using it. +### Wallet Attestation Subject {#walletattestation-sub} + +The Wallet Attestation as defined in (#walletattestation) SHOULD NOT introduce a unique identifier specific to a single client. +The subject claim for the Wallet Attestation SHOULD be a value that is shared by all Wallet instances using this type of +wallet implementation. The value should be understood as an identifier of the Wallet type, rather than the specific Wallet +instance itself. + ## Identifying the Credential Issuer Information in the credential identifying a particular Credential Issuer, such as a Credential Issuer Identifier, @@ -2532,7 +2539,7 @@ The following is a non-normative example of a Wallet Attestation: ``` { - "typ": "oauth-client-attestation+jwt" + "typ": "oauth-client-attestation+jwt", "alg": "ES256", "kid": "11" } @@ -2558,6 +2565,8 @@ The following is a non-normative example of a Wallet Attestation: To use the Wallet Attestation towards the Authorization Server, the Wallet MUST generate a proof of possession according to Section 5.2 "Client Attestation PoP JWT" of Attestation-Based Client Authentication. +The `sub` claim of the Wallet Attestation JWT is picked by the Wallet Provider and represents the `client_id` of the Wallet instance. For privacy reasons, this value is the same across Wallet instances of that Wallet Provider, see (#walletattestation-sub) for more details. + # IANA Considerations ## OAuth URI Registry 
@@ -2756,7 +2765,7 @@ The technology described in this specification was made available from contribut -16 - * + * add privacy considerations for the client_id used with wallet attestations -15
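Review bot: in the first hunk (the new "Wallet Attestation Subject" section, lines 1664-1676), the third sentence uses lowercase "should" ("The value should be understood as an identifier of the Wallet type") right after two normative SHOULD NOT / SHOULD statements, which leaves it unclear whether RFC 2119 applies to it; either capitalize it or reword to "The value is to be understood as an identifier of the Wallet type, not of the specific Wallet instance." The section also states the rule without the harm: one sentence noting that an instance-specific `sub` would let a Credential Issuer correlate the same Wallet instance across sessions, in the same way as the clear-text `state` / `redirect_uri` information in the preceding paragraph, would make the rationale self-contained.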
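Review bot: in the second hunk (line 2539 onward), the missing comma after `"oauth-client-attestation+jwt"` made the JOSE header example invalid JSON and the fix is correct; since the fence is untagged (bare ```), tagging it as json would let a linter validate the examples and catch this class of error before review.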
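Review bot: in the third hunk (the added paragraph after the "Client Attestation PoP JWT" reference, line 2568), "represents the `client_id` of the Wallet instance" and "this value is the same across Wallet instances" pull in opposite directions: if `sub` is shared, it identifies the Wallet type, not an instance, so suggest "is used as the `client_id`, and identifies the Wallet type rather than a specific Wallet instance". The scope also differs from the section it points to: (#walletattestation-sub) says the value is shared by all instances "using this type of wallet implementation", whereas this sentence says "of that Wallet Provider"; a Provider may ship more than one implementation, so pick one scope and use it in both places. Finally, "is the same" states as fact what the referenced section only says SHOULD hold; "SHOULD be the same ... see (#walletattestation-sub)" keeps the two consistent, and "picked" reads better as "chosen".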
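Review bot: in the fourth hunk (the -16 changelog entry), the bullet lists only the new privacy considerations, but the same change also adds the `sub` / `client_id` sentence to the Wallet Attestation section, which readers diffing drafts will want called out; suggest "add privacy considerations for the client_id used with wallet attestations and clarify the `sub` claim of the Wallet Attestation". The comma fix in the header example is editorial and need not be listed.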