From f5493e5b734c7e625c5438b81824ac49fba524ca Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Thu, 19 Sep 2024 18:45:27 +0200 Subject: [PATCH 1/5] section: Wallet Checking the Non-Revocation of its Wallet Provider --- openid-federation-wallet-1_0.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/openid-federation-wallet-1_0.md b/openid-federation-wallet-1_0.md index 8640788..f57fe9f 100644 --- a/openid-federation-wallet-1_0.md +++ b/openid-federation-wallet-1_0.md @@ -208,9 +208,9 @@ Consequently, the End-User obtains and holds the Digital Credentials without dis | | | | | | V V V -+--------------------------------------------------------------+ -| Trust Anchor | -+--------------------------------------------------------------+ ++-------------------------------------------------------------------+ +| Trust Anchor | ++-------------------------------------------------------------------+ ```` **Figure 2**: Representation acknowledging the roles of Authentic Sources and Wallet Providers in the ecosystem while maintaining the core structure of the Four-Party Model. 
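Review bot: the three `-`/`+` lines widen the `Trust Anchor` box in Figure 2 by several columns, and whether it still lines up with the three `V` arrows and the boxes above it cannot be judged from the context shown, so please check the rendered figure. The figure tweak is also unrelated to the patch subject ("Wallet Checking the Non-Revocation of its Wallet Provider") and would be easier to review as its own commit.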
@@ -279,7 +279,7 @@ This section defines the Entity Types used by Organizational Entities in their E | Wallet Provider | `federation_entity`, `openid_wallet_provider` | this specification | | Authorization Server | `federation_entity`, `oauth_authorization_server` | [@!OpenID4VCI], [@!RFC8414] | | Credential Issuer | `federation_entity`, `openid_credential_issuer`, `oauth_authorization_server` | [@!OpenID4VCI], this specification | -| Credential Verifier | `federation_entity`, `openid_credential_verifier` | [@!OpenID.Federation], [@!OpenID4VP], this specification | +| Credential Verifier | `federation_entity`, `openid_credential_verifier` | [@!OpenID.Federation], [@!OpenID4VP], this specification | The Credential Issuer is an OAuth 2.0 Protected Resource Server and it MAY also implement, within the same Entity, an OAuth 2.0 Authorization Server. According to [@!OpenID4VCI], the Authorization Server can be external to the Entity that implements the Credential Endpoint, therefore the use of `oauth_authorization_server` is OPTIONAL. @@ -415,8 +415,6 @@ These modifications allow a federation authority, such as a Trust Anchor, to app **Figure 3**: Example demonstrating how a Federation Authority can issue a Subordinate Statement about a Credential Verifier, specifying certain metadata parameters such as the endpoints to use and the allowed Digital Credentials to be requested. - - ## Differences Between `metadata` and `metadata_policy` The key difference between `metadata` and `metadata_policy` is that metadata directly affects only the Immediate Subordinate Entity, while `metadata_policy` impacts the configuration of all Subordinate Entities along a Trust Chain, as defined in Sections 5 and 6.1 of [@!OpenID.Federation]. 
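Review bot: the `-`/`+` pair for the `Credential Verifier` row of the Entity Types table is identical in content, so the `@@ -279,7 +279,7 @@` hunk is a whitespace-only change; like the removal of the two blank lines before `## Differences Between `metadata` and `metadata_policy`` in the following hunk, it is unrelated to the patch subject and should be split out or dropped to keep the diff focused. If trailing whitespace is what is being fixed, the commit message should say so.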
@@ -455,13 +453,17 @@ The process of trust establishment in federated environments is illustrated in t ## Wallet Checking the Non-Revocation of its Wallet Provider -... +Wallets SHOULD periodically check their Wallet Providers compliance through the federation's trust infrastructure. This involves retrieving the Wallet Provider's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor, ensuring that the Wallet Provider has not been revoked within the federation. Wallets SHOULD remain neutral in attesting to the reliability of their Wallet Providers for the End-User, thereby protecting the End-User against any malevolent behavior by the Wallet Provider. + +The Wallet Provider’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication. In the example represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Wallet Providers enabled within the federation. + +The process to discover the trust with a Wallet Provider is equivalent to the one made for discoving the trust with a Credential Issuer, as described in the dedicated section below. ## Wallet Discovering Credentials Issuers Wallets begin by discovering the identity of Credential Issuers through the federation's trust infrastructure. This involves retrieving the Credential Issuer's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor. The Credential Issuer’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication. -In the example represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation. 
+the process described in the represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation. ````mermaid From fc49bcc97a13b15c4ef2559f832e0d1da24c3e5b Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Thu, 19 Sep 2024 18:46:43 +0200 Subject: [PATCH 2/5] Apply suggestions from code review --- openid-federation-wallet-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-wallet-1_0.md b/openid-federation-wallet-1_0.md index f57fe9f..4679ea0 100644 --- a/openid-federation-wallet-1_0.md +++ b/openid-federation-wallet-1_0.md @@ -463,7 +463,7 @@ The process to discover the trust with a Wallet Provider is equivalent to the on Wallets begin by discovering the identity of Credential Issuers through the federation's trust infrastructure. This involves retrieving the Credential Issuer's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor. The Credential Issuer’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication. -the process described in the represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation. +the process described in the represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation. ````mermaid From fc7a0a4fb4aec0029272cb49c6ed66f8e416adfd Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Sat, 21 Sep 2024 22:01:32 +0200 Subject: [PATCH 3/5] Apply suggestions from code review Co-authored-by: Michael B. Jones --- openid-federation-wallet-1_0.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
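Review bot: the replacement for the last line of the `@@ -455,13 +453,17 @@` hunk, `+the process described in the represented in the sequence diagram below, ...`, is not a sentence (lowercase start, "described in the represented in"), while the removed line `-In the example represented in the sequence diagram below, ...` read correctly; the edit looks accidental and should be reverted. In the new section text, `Wallet Providers compliance` needs an apostrophe (`Wallet Providers'`) and `discoving` should be `discovering`. More substantively, the second added paragraph says the Wallet Instance uses the Federation API "to discover and collect all the Wallet Providers enabled within the federation", but the heading and the first paragraph are about a Wallet checking its own Wallet Provider, and the only sequence diagram "below" is the Credential Issuer one in the next section; the paragraph should describe the Wallet re-verifying the Trust Chain of its own Wallet Provider. The section also leaves two normative points open: what "periodically" means (for instance, no later than the expiration of the cached Trust Chain) and what the Wallet does when the check fails, i.e. when the Trust Chain cannot be built or the Wallet Provider has been revoked, which is the case the section exists for. Finally, "Wallets SHOULD remain neutral in attesting to the reliability of their Wallet Providers" is hard to act on; state concretely what the Wallet must not assert to the End-User.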
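Review bot: in the `@@ -463,7 +463,7 @@` hunk of PATCH 2/5 the `-`/`+` pair is identical in content (`the process described in the represented in the sequence diagram below, ...`), so the change is whitespace-only while the sentence is still ungrammatical; this was the place to restore `In the example represented in the sequence diagram below, ...`. A whitespace-only commit titled "Apply suggestions from code review" also gives no hint of which suggestion was applied, so either say so in the message or squash it into the next commit.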
diff --git a/openid-federation-wallet-1_0.md b/openid-federation-wallet-1_0.md index 4679ea0..952cc4d 100644 --- a/openid-federation-wallet-1_0.md +++ b/openid-federation-wallet-1_0.md 
@@ -453,17 +453,17 @@ The process of trust establishment in federated environments is illustrated in t ## Wallet Checking the Non-Revocation of its Wallet Provider -Wallets SHOULD periodically check their Wallet Providers compliance through the federation's trust infrastructure. This involves retrieving the Wallet Provider's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor, ensuring that the Wallet Provider has not been revoked within the federation. Wallets SHOULD remain neutral in attesting to the reliability of their Wallet Providers for the End-User, thereby protecting the End-User against any malevolent behavior by the Wallet Provider. +Wallets SHOULD periodically check their Wallet Providers' compliance through the federation's trust infrastructure. This involves retrieving the Wallet Provider's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor, ensuring that the Wallet Provider has not been revoked within the federation. Wallets SHOULD remain neutral in attesting to the reliability of their Wallet Providers for the End-User, thereby protecting the End-User against any malevolent behavior by the Wallet Provider. The Wallet Provider’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication. In the example represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Wallet Providers enabled within the federation. -The process to discover the trust with a Wallet Provider is equivalent to the one made for discoving the trust with a Credential Issuer, as described in the dedicated section below. +The process to discover the trust with a Wallet Provider is equivalent to the one used for discoving the trust with a Credential Issuer, as described in the dedicated section below. 
## Wallet Discovering Credentials Issuers Wallets begin by discovering the identity of Credential Issuers through the federation's trust infrastructure. This involves retrieving the Credential Issuer's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor. The Credential Issuer’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication. -the process described in the represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation. +In the process represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation. ````mermaid From f741930dff646cc6d49668f1e1e48709a886f0fa Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Sat, 21 Sep 2024 14:14:46 -0700 Subject: [PATCH 4/5] Applied Guiseppe's suggestion Co-authored-by: Giuseppe De Marco --- openid-federation-wallet-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-wallet-1_0.md b/openid-federation-wallet-1_0.md index 952cc4d..f3244e7 100644 --- a/openid-federation-wallet-1_0.md +++ b/openid-federation-wallet-1_0.md 
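Review bot: the apostrophe fix (`Wallet Providers'`) and the restored sentence `+In the process represented in the sequence diagram below, ...` resolve the grammar problems, but the typo `discoving` survives in `+The process to discover the trust with a Wallet Provider is equivalent to the one used for discoving the trust ...`; since that line is already being rewritten, change it to `discovering` here. "discover the trust with" is also awkward; "establish trust with" would match the wording of the hunk header context (`The process of trust establishment in federated environments ...`).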
@@ -455,7 +455,7 @@ The process of trust establishment in federated environments is illustrated in t Wallets SHOULD periodically check their Wallet Providers' compliance through the federation's trust infrastructure. This involves retrieving the Wallet Provider's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor, ensuring that the Wallet Provider has not been revoked within the federation. Wallets SHOULD remain neutral in attesting to the reliability of their Wallet Providers for the End-User, thereby protecting the End-User against any malevolent behavior by the Wallet Provider. -The Wallet Provider’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication. In the example represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Wallet Providers enabled within the federation. +The Wallet Provider’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication. The Wallet Instance SHOULD use the Federation API to periodically reestablish trust with its Wallet Provider. The process to discover the trust with a Wallet Provider is equivalent to the one used for discoving the trust with a Credential Issuer, as described in the dedicated section below. From caecc2dcca1abbba824fcb2e2b34401530fca9fe Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Sat, 21 Sep 2024 14:15:06 -0700 Subject: [PATCH 5/5] Applied Guiseppe's suggestion Co-authored-by: Giuseppe De Marco --- openid-federation-wallet-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-wallet-1_0.md b/openid-federation-wallet-1_0.md index f3244e7..ef2331b 100644 --- a/openid-federation-wallet-1_0.md +++ b/openid-federation-wallet-1_0.md 
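Review bot: the new sentence `The Wallet Instance SHOULD use the Federation API to periodically reestablish trust with its Wallet Provider.` correctly drops the claim about collecting all Wallet Providers, but it now restates the preceding context line (`Wallets SHOULD periodically check their Wallet Providers' compliance ...`) with a second SHOULD; keep one of the two, and use it to say what "periodically" means and what the Wallet does when trust cannot be re-established or the Wallet Provider has been revoked, which neither paragraph states. The commit message of this patch (and the identical one on PATCH 5/5) also misspells the co-author's name, `Guiseppe`, which disagrees with the `Co-authored-by: Giuseppe De Marco` trailer.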
@@ -457,7 +457,7 @@ Wallets SHOULD periodically check their Wallet Providers' compliance through the The Wallet Provider’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication. The Wallet Instance SHOULD use the Federation API to periodically reestablish trust with its Wallet Provider. -The process to discover the trust with a Wallet Provider is equivalent to the one used for discoving the trust with a Credential Issuer, as described in the dedicated section below. +The process to discover the trust with a Wallet Provider is equivalent to the one used for discovering the trust with a Credential Issuer, as described in the dedicated section below. ## Wallet Discovering Credentials Issuers
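Review bot: the typo fix (`discoving` to `discovering`) is correct; while this line is being touched, "discover the trust with" would read better as "establish trust with", and "the dedicated section below" could name the section explicitly, since it is the one that follows in the context, `## Wallet Discovering Credentials Issuers`. That heading itself should read `Credential Issuers`, matching `Credential Issuer` as used in the body text of this hunk.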