define where in mdocs to include transaction_data_hashes #330
Conversation
Sakurann
requested review from
danielfett,
jogu,
tlodderstedt,
c2bo,
tplooker,
paulbastian,
awoie,
martijnharing and
bc-pi
| | --------- | ---------- | ----------- | --------------- | | ||
| | `net.openid.openid4vc` | `transaction_data_hashes` | as defined in Section 7.4 of this specification | [ tstr* ] | | ||
|
|
||
| If KeyAuthorization for the requested transaction authorization is not present, the Wallet MUST return an error. |
There was a problem hiding this comment.
need to define proper data element identifier for KeyAuthorization? cc @martijnharing
There was a problem hiding this comment.
When using the mdoc to sign data, there will often be security considerations is to whether the particular mdoc can / should / may sign a particular data element. Whether there are any limitations strongly dependent on the specific document type and use case. But typically the Issuer indicates with a particular namespace and data element identifier which exact things the mdoc can / should / may sign.
So from a security perspective we should define the namespace and data element dependent on the use case and not as a generic identifier.
There was a problem hiding this comment.
as I understand it, transaction_data contains a 'type' parameter. If we want issuers to have more granular control over what type of transaction_data is allowed to be returned by the wallet we could define a set of DataElements:
namespace: net.openid.openid4vc.transactiondata
identifier: must be the type of the transaction_data
The wallet MUST return split the transaction_data_hashes so each is returned as part of the value array in a DataElement with a namespace net.openid.openid4vc.transactiondata and identifier of transaction_data.type. A wallet MUST return an error if a request contains transaction_data with a type that is not present in the KeyAuthorizations.
psuedocode example:
paymentsTransactionData = { type = "payments", ... }
fooTransactionData1 = { type = "foo" , ...}
fooTransactionData2 = { type = "foo", ... }
request {
...
transaction_data [ paymentsTransactionData, fooTransactionData1, fooTransactionData2 ]
..
}
then the response would have in DeviceSigned:
...
net.openid.openid4vc.transactiondata:
[
{ payments -> [ base64(hash(paymentsTransactionData))) }
{ foo -> [ base64(hash(fooTransactionData1)), base64(hash(fooTransactionData2)) ] }
]
}
..
additionally the KeyAuthorizations would either need to authorize the entire net.openid.openid4vc.transactiondata namespace, or the identifiers payments and foo within the net.openid.openid4vc.transactiondata namespace.
@martijnharing this would provide the granularity you are looking for?
@Sakurann does this roughly make sense?
resolves #259