Merge pull request #27 from peppelinux/tc-offline

feat: Implementation Considerations for Offline Flows using Trust Chain JWT header parameter
openid · Sep 30, 2024 · bc5d430 · bc5d430
2 parents dc37085 + c1fe1b4
commit bc5d430
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/openid-federation-wallet-1_0.md b/openid-federation-wallet-1_0.md
@@ -415,8 +415,6 @@ These modifications allow a federation authority, such as a Trust Anchor, to app
 **Figure 3**: Example demonstrating how a Federation Authority can issue a Subordinate Statement about a Credential Verifier, specifying certain metadata parameters such as the endpoints to use and the allowed Digital Credentials to be requested.
 
 
-
-
 ## Differences Between `metadata` and `metadata_policy`
 
 The key difference between `metadata` and `metadata_policy` is that metadata directly affects only the Immediate Subordinate Entity, while `metadata_policy` impacts the configuration of all Subordinate Entities along a Trust Chain, as defined in Sections 5 and 6.1 of [@!OpenID.Federation].
@@ -566,7 +564,18 @@ sequenceDiagram
 
 # Implementation Considerations for Offline Flows
 
-TBD: usage of static trust chain having at least a Trust Anchor in common with the requestor
+The static Trust Chain parameter within the JWT headers, as defined in Section 4.3 of [@!OpenID.Federation], is used as a hint to the Entity involved in a transaction with a common Trust Anchor. This facilitates trust evaluation without the need for real-time Federation Entity Discovery using Federation API endpoints.
+
+The Entity that issues a signed data object, including the `trust_chain` parameter, might be:
+
+- Wallet Providers in signed Wallet Attestations. The Wallet Instance obtains one or more Wallet Attestations from its Wallet Provider, each of them including a Trust Chain related to each Trust Anchor the Wallet Provider trusts;
+- Credential Verifiers in signed request objects. The Wallet Instance obtains a presentation request that includes a Trust Chain using a Trust Anchor that the Credential Verifier has in common with the Wallet Provider, according to the `wallet_metadata` parameter provided by the Wallet in the Request URI POST;
+- A Credential Issuer in a signed Digital Credential. The Wallet Instance obtains a Digital Credential from its Credential Issuer, which includes the Trust Chain using a Trust Anchor that the Credential Verifier has in common with the Wallet Provider, according to the Wallet Attestation used during the Issuance.
+
+The Entity that receives the data object including the JWT `trust_chain`, such as the Wallet Instance obtaining a signed request object, verifies the Trust Chain using the Trust Anchor's public keys and applies any metadata policies, without needing to have a working network connection for reaching the Federation API.
+
+Using short-lived Trust Chains ensures compatibility with required revocation administrative protocols, such as those defined in a legal framework. For example, if a revocation must be propagated in less than 24 hours, the Trust Chain should not be valid for more than that period.
+
 
 # Acknowledgments