Wallet 2 Wallet flows #346

Open
peppelinux opened this issue Nov 26, 2024 · 3 comments

@peppelinux
Member

I would like us to consider the eIDAS regulation, which enables a wallet to be eligible to request credentials from another wallet.

The definition of RP includes Wallets, as evidenced in the text I report below:

Article 5a

  1. European Digital Identity Wallets shall enable the user, in a manner that is user-friendly, transparent, and traceable by the user, to:

(c) securely authenticate another person’s European Digital Identity Wallet, and receive and share person identification data and electronic attestations of attributes in a secured way between the two European Digital Identity Wallets;

This provides me with the rationale to issue X.509 Certificates or Verifier Attestations to a Wallet Unit, enabling it to function as a Relying Party and allowing OpenID4VP to meet this requirement.

Verifier Attestations could therefore be issued in the form of a Digital Credential (see: GitHub Issue #343) by a trusted third party or be issued by the wallet instance for another subject. This would satisfy the delegation use case, where a holder delegates another holder to act on their behalf, such as driving their car through a shared credential (a proper use of the verb "to share") in a decentralized manner without the need for a third-party auditor.

@David-Chadwick
Contributor

Can you say why the wallet attestation is not sufficient for this purpose, since each EU DI wallet instance should be capable of the same functionality, i.e. of being a verifier and an issuer? So why would all the EU DI wallets need two attestations, which are effectively both saying the same thing? Surely you only need two attestations if you want different EU DI wallets to have different functionality. (Of course this requires the definition of the wallet attestation to be sufficient for all purposes that the wallet is capable of performing - do you know where the wallet attestation is being defined?)

@peppelinux
Member Author

peppelinux commented Nov 26, 2024

@David-Chadwick your words make a lot of sense to me. However, we actually have three different kinds of attestations: wallet attestation, key attestation, and verifier attestation. Three different attestations designed for different purposes.

  • Wallet attestation proves the security and compliance of a wallet (required for both issuance and presentation).
  • Key attestation proves the secure storage of cryptographic material (only required during issuance).
  • Verifier attestation proves the compliance and eligibility of a credential verifier (only required during presentation).

@David-Chadwick
Contributor

@peppelinux I was only originally referring to your wallet attestation in my initial comment above. But since you highlight the three different potential types of attestation, I would counter with the notion that an all-purpose wallet that has secure storage and that can verify credentials in a compliant manner should still only need one credential, the wallet attestation. This certifies that the wallet complies with all the different functions that it can perform.

Consider this from a different angle. A car has a driving seat, an engine and passenger seats. There are conformity rules for driving a car, for engine emissions, and for passenger safety in a car (which might be the same as for passengers in a bus). But a car only has one conformity statement even though it fulfils all functions. It does not make sense to give it multiple conformity statements. So I assert that it is the same for a wallet. It should only need one attestation.

Now if we have some reduced-functionality wallets and some full-functionality wallets, then there can be a field in the common standardised wallet attestation akin to its role(s), that says which functionalities it is certified to provide. This would be similar to a standardised role credential, where the role could be cleaner, programmer, manager, managing director etc. I think this simplifies the model. It also allows the wallet user to see what functionality their wallet has been certified to provide. (Because as I say in another post, I believe the user should be given visibility of the wallet attestation as a way of increasing user trust in the wallet, so that they will be willing to store their high value personal details in it. After all, users are familiar with buying physical goods with certificates and conformity statements, so why not digital wallets as well?)
