Support `verifier_attestation` scheme
Closed this issue · 1 comments
Specification
verifier_attestation: This Client Identifier Scheme allows the Verifier to authenticate using a JWT that is bound to a certain public key as defined in Section 10. When the Client Identifier Scheme is verifier_attestation, the Client Identifier MUST equal the sub claim value in the Verifier attestation JWT. The request MUST be signed with the private key corresponding to the public key in the cnf claim in the Verifier attestation JWT. This serves as proof of possession of this key. The Verifier attestation JWT MUST be added to the jwt JOSE Header of the request object (see Section 10). The Wallet MUST validate the signature on the Verifier attestation JWT. The iss claim value of the Verifier Attestation JWT MUST identify a party the Wallet trusts for issuing Verifier Attestation JWTs. If the Wallet cannot establish trust, it MUST refuse the request. If the issuer of the Verifier Attestation JWT adds a redirect_uris claim to the attestation, the Wallet MUST ensure the redirect_uri request parameter value exactly matches one of the redirect_uris claim entries. All Verifier metadata other than the public key MUST be obtained from the client_metadata or the client_metadata_uri parameter.
To my understanding this is very close to OAuth 2.0 Attestation-Based Client Authentication, with the exception that the verifier doesn't need to provide a proof of possession of his key if it uses JAR. In this case the JAR JWT plays the role of PoP.
The following is an indicative (high level) diagram of the flow.
Notably it adds a new party (to the Verifier - Wallet duo) named "Attestation Issuer".
This party needs to be trusted by the Wallet but OpenID4VP doesn't define the grounds of the trust.
```mermaid
sequenceDiagram
    Verifier->>Attestation Issuer: Request attestation (ver_pub_key)
    Attestation Issuer-->>Verifier: Attestation (JWT)
    Verifier-)Wallet: Place OpenID4VP request (JAR + Verifier Attestation JWT)
    Wallet->>Wallet: Verify Attestation JWT (extract ver_pub_key)
    Wallet->>Wallet: Verify JAR
```
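The Wallet-side checks from the quoted specification text, in the order the diagram shows them. This is an added example, not part of the original issue or the project's code. It assumes ES256 signatures, an RFC 7800 `cnf.jwk` confirmation key and a hypothetical `trustedIssuers` map; `validateRequest`, `sample` and the `.example` names are illustrative, and expiry checks are left out.

```javascript
const crypto = require("node:crypto");
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (part) => JSON.parse(Buffer.from(part, "base64url").toString());
const ecdsa = (key) => ({ key, dsaEncoding: "ieee-p1363" }); // JWS ES256 uses raw r||s
function signEs256(header, payload, privateKey) {
  const signed = `${enc({ ...header, alg: "ES256" })}.${enc(payload)}`;
  const sig = crypto.sign("sha256", Buffer.from(signed), ecdsa(privateKey));
  return `${signed}.${sig.toString("base64url")}`;
}
// Returns { header, payload } only if the ES256 signature verifies under publicKey.
function verifyEs256(jwt, publicKey) {
  const [h, p, s] = jwt.split(".");
  const ok = dec(h).alg === "ES256" && crypto.verify("sha256",
    Buffer.from(`${h}.${p}`), ecdsa(publicKey), Buffer.from(s, "base64url"));
  return ok ? { header: dec(h), payload: dec(p) } : null;
}

// Wallet-side checks. trustedIssuers (iss -> public key) is an assumed trust store.
function validateRequest(requestObject, trustedIssuers) {
  try {
    const attestationJwt = dec(requestObject.split(".")[0]).jwt;
    if (typeof attestationJwt !== "string") return "missing attestation";
    const issuerKey = trustedIssuers.get(dec(attestationJwt.split(".")[1]).iss);
    if (!issuerKey) return "untrusted issuer";
    const att = verifyEs256(attestationJwt, issuerKey);
    if (!att) return "bad attestation signature";
    // cnf is trustworthy only now; the attested key must have signed the request.
    const attestedKey = crypto.createPublicKey({ key: att.payload.cnf.jwk, format: "jwk" });
    const jar = verifyEs256(requestObject, attestedKey);
    if (!jar) return "bad request signature";
    if (jar.payload.client_id !== att.payload.sub) return "client_id does not match sub";
    const allowed = att.payload.redirect_uris;
    if (allowed && !allowed.includes(jar.payload.redirect_uri)) return "redirect_uri mismatch";
    return "ok";
  } catch { return "malformed request"; }
}

// Constructed sample: keys are generated on the fly, all names are placeholders.
function sample(requestClaims = {}, signWithAttestedKey = true) {
  const newKey = () => crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const [attester, verifier, other] = [newKey(), newKey(), newKey()];
  const attestation = signEs256({}, { iss: "https://attester.example",
    sub: "verifier.example", cnf: { jwk: verifier.publicKey.export({ format: "jwk" }) },
    redirect_uris: ["https://verifier.example/cb"] }, attester.privateKey);
  const request = signEs256({ jwt: attestation }, { client_id: "verifier.example",
    redirect_uri: "https://verifier.example/cb", ...requestClaims },
    (signWithAttestedKey ? verifier : other).privateKey);
  return { request, trusted: new Map([["https://attester.example", attester.publicKey]]) };
}
```

`validateRequest(sample().request, sample().trusted)` fails with "bad attestation signature" because each `sample()` call generates a fresh attester key; keep the request and trust map from the same call to see "ok".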