RFC-010 Amendment (v1.1) #142

Open
kerk12 opened this issue Feb 13, 2025 · 0 comments
Labels
enhancement New feature or request EWC RFC010

kerk12 commented Feb 13, 2025

Dear partners,

During the implementation of the POC Document Signing Service, we have tested RFC-010 v1.0 thoroughly and identified some issues that need amending. The issues are listed below.

Optional Issuance of QESAC (Section 4.1)

    The issuance of the QESAC should be optional, based on the requirements of the signing service and the authentication methods used.
    If a robust method for unique user identification and authentication is employed (e.g., username/email, password, WebAuthn), it sufficiently verifies the user’s identity, making QESAC issuance optional.
    However, QESAC should not be removed entirely, as it provides a useful mechanism for signing providers to assign a specific credential for wallet-assisted signing via the credential_id property.

Clarification of Section 4.2

    It should be explicitly stated that strong authentication is required before a user is permitted to upload or sign documents.
    This authentication should include a combination of username/email, password, and/or WebAuthn, along with the presentation of the PID and QESAC (if issued).

Optional Signing Confirmation (Section 4.4.1)

    Testing has shown that "Signature Confirmation as a Willful Act" should be determined by the policy of the signing service and, therefore, should be made optional.
    When using the OAuth 2.0 authorization code (oauth2code) credential authorization mode, this step can be skipped, as the confirmation can be handled at the authorization endpoint.

Presentation of VCs at the Authz endpoint during credential authz (oauth2code mode):

    It should be specified that credentials can be presented at the authorization endpoint to authorize credential usage (e.g., PID) if the Signing Service opts for this approach.
    This enhancement would further demonstrate a workflow that fully leverages the wallet for RP-Centric signing.

Given these findings, I would like to invite you to contribute to the amendment of RFC-010 by submitting pull requests (PRs) addressing the issues outlined above. Additionally, if you have identified other areas for improvement, your contributions would be highly valuable.

Please let us know if you have any questions or require further clarification.
Best,
Kyriakos

@andreasabr andreasabr added enhancement New feature or request EWC RFC010 labels Feb 24, 2025
LeoneRiello74 added a commit that referenced this issue Feb 24, 2025
LeoneRiello74 added a commit to LeoneRiello74/eudi-wallet-rfcs that referenced this issue Feb 24, 2025