From 14cdd091714e65ed3476619233bfc30da29095e3 Mon Sep 17 00:00:00 2001 From: Tobias Looker Date: Wed, 20 Nov 2024 08:30:16 -0300 Subject: [PATCH 1/3] remove c_nonce_expires_in from nonce response --- openid-4-verifiable-credential-issuance-1_0.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index f00d69a6..cfcdac9f 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md @@ -775,10 +775,11 @@ Content-Length: 0 The Credential Issuer provides a nonce value in the HTTP response with a 2xx status code and the following parameters included as top-level members in the message body of the HTTP response using the application/json media type: * `c_nonce`: REQUIRED. String containing a nonce to be used when creating a proof of possession of the key proof (see (#credential-request)). -* `c_nonce_expires_in`: OPTIONAL. Number denoting the lifetime in seconds of the `c_nonce`. This value serves only as a hint to the Client, indicating how long the Credential Issuer is likely to accept the `c_nonce` as valid. Due to the temporal and contextually sensitive nature of the `c_nonce` value, the Credential Issuer MUST make the response uncacheable by adding a `Cache-Control` header field including the value `no-store`. +A wallet SHOULD assume that the returned `c_nonce` value remains valid and continue using it in credential requests (see [#credential-request]) until the credential endpoint returns an `invalid_nonce` error response. + Below is a non-normative example of a Nonce Response: ``` @@ -787,8 +788,7 @@ Content-Type: application/json Cache-Control: no-store { - "c_nonce": "wKI4LT17ac15ES9bw8ac4", - "c_nonce_expires_in": 120 + "c_nonce": "wKI4LT17ac15ES9bw8ac4" } ``` 
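Review bot: the sentence added in the first hunk cross-references the Credential Request section as `[#credential-request]`, while the `c_nonce` bullet directly above it uses `(#credential-request)`; use the same anchor syntax so the reference renders. The same hunk also strands the `Cache-Control: no-store` requirement ("Due to the temporal and contextually sensitive nature of the `c_nonce` value, the Credential Issuer MUST make the response uncacheable ...") as a free-standing paragraph once the `c_nonce_expires_in` bullet it belonged to is deleted; it reads better folded into the `c_nonce` bullet. Finally, the new SHOULD makes the `invalid_nonce` error from the Credential Endpoint the wallet's only signal to fetch a fresh nonce, and nothing in this hunk defines that error, so check that the Credential Endpoint error section does. The example in the second hunk is consistent with the parameter removal.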
@@ -2572,6 +2572,7 @@ The technology described in this specification was made available from contribut * Fixed #239: Completed IANA Considerations section * add key attestation as additional information in a proof of possesion and new proof type * change credential format identifier `vc+sd-jwt` to `dc+sd-jwt` to align with the media type in draft -06 of [@I-D.ietf-oauth-sd-jwt-vc] and update `typ` accordingly in examples + * removes `c_nonce_expires_in` from Nonce Endpoint -14 From ea153bc2a541aac7d8580814330ee7e34fd3d9c4 Mon Sep 17 00:00:00 2001 From: Tobias Looker Date: Fri, 29 Nov 2024 12:02:34 +1300 Subject: [PATCH 2/3] minor tweaks to language --- openid-4-verifiable-credential-issuance-1_0.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index cfcdac9f..0b96804c 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
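Review bot: the new changelog entry `removes `c_nonce_expires_in` from Nonce Endpoint` should use the imperative form of the neighbouring -14 entries (`add key attestation ...`, `change credential format identifier ...`): `remove `c_nonce_expires_in` from Nonce Endpoint`.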
@@ -774,12 +774,10 @@ Content-Length: 0 The Credential Issuer provides a nonce value in the HTTP response with a 2xx status code and the following parameters included as top-level members in the message body of the HTTP response using the application/json media type: -* `c_nonce`: REQUIRED. String containing a nonce to be used when creating a proof of possession of the key proof (see (#credential-request)). +* `c_nonce`: REQUIRED. String containing a nonce to be used when creating a proof of possession of the key proof (see (#credential-request)). This value MUST be unpredictable and unique for every response returned from the nonce endpoint. Due to the temporal and contextually sensitive nature of the `c_nonce` value, the Credential Issuer MUST make the response uncacheable by adding a `Cache-Control` header field including the value `no-store`. -A wallet SHOULD assume that the returned `c_nonce` value remains valid and continue using it in credential requests (see [#credential-request]) until the credential endpoint returns an `invalid_nonce` error response. - Below is a non-normative example of a Nonce Response: ``` From 34b839beb3bc489370daa489b0e29848df46de76 Mon Sep 17 00:00:00 2001 From: Tobias Looker Date: Tue, 3 Dec 2024 21:35:27 +1300 Subject: [PATCH 3/3] Apply suggestions from code review --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 0b96804c..9bfbc6e3 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
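Review bot: this hunk deletes the wallet guidance introduced in PATCH 1 (keep using the `c_nonce` until the Credential Endpoint returns `invalid_nonce`) without replacing it, so with `c_nonce_expires_in` also gone the text now gives the wallet no indication of when to request a fresh nonce; either keep one sentence of client guidance here or point to the section that specifies the refresh behaviour. The added `MUST be unpredictable and unique for every response returned from the nonce endpoint` is the right property to state, since the nonce is what makes each proof of possession fresh: an unpredictable value that is reused across responses would let a key proof captured from one exchange be presented in another.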
@@ -774,7 +774,7 @@ Content-Length: 0 The Credential Issuer provides a nonce value in the HTTP response with a 2xx status code and the following parameters included as top-level members in the message body of the HTTP response using the application/json media type: -* `c_nonce`: REQUIRED. String containing a nonce to be used when creating a proof of possession of the key proof (see (#credential-request)). This value MUST be unpredictable and unique for every response returned from the nonce endpoint. +* `c_nonce`: REQUIRED. String containing a nonce to be used when creating a proof of possession of the key proof (see (#credential-request)). This value MUST be unpredictable. Due to the temporal and contextually sensitive nature of the `c_nonce` value, the Credential Issuer MUST make the response uncacheable by adding a `Cache-Control` header field including the value `no-store`.
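Review bot: dropping `and unique for every response returned from the nonce endpoint` weakens the requirement from PATCH 2: an issuer that returns the same unpredictable value in several responses would still comply, even though the nonce is what ties a key proof to a single issuance exchange. If the intent is that unpredictability with sufficient entropy already implies uniqueness, say so in the text (for example `MUST be unpredictable and MUST NOT be reused`), or restore the uniqueness clause; as written, `This value MUST be unpredictable.` on its own leaves nonce reuse permitted.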