[PID/(Q)EAA - SD-JWT parameters ] trust chain #259
Comments
|
The trust_chain parameter usage aligns with Federation 1.0. Including the entire trust chain allows static verification in cases of absent connectivity. |
|
@pietroACN the trust chain jws header parameter allows a trust path that simplifies the trust discovery a trust chain can be fastly updated without any discovery and also to check any revocation of its subject while the issuer of the credential is identified within the credential using the claim |
Regardless of static verification, the entire trust chain, from cybersecurity point of view, cannot be simply trusted as provided. |
@peppelinux the 'iss' is simply a string that anyone can set. This is not enough to ensure that who's issuing this has any connection with such entity. I need to be sure that kid used is bound to the entity named in 'iss' claim |
|
a trust chain is made with attributes and cryptographic bindings, therefore an adversary cannot invent or use an the kid must match with one of the federation entity keys included in both the entity configuration and its superior's subordinate statements regarding the leaf. |
|
The trust chain presence in the header is required to enable offline verification at the condition that the verifier itself has access to root anchors proofs (e.g. public keys) 'locally' (thus without the need of looking up online at this purpose). |
|
the trust chain in the header enables the fgast renewal of the trust chain, using the source_endpoint parameter contained in each subordinate statement therefore I suggest to include in the current specs also this section below Trust Chain Fast RenewalAfter detailing the federation discovery process, we now turn our attention to the Trust Chain Fast Renewal method. This approach offers a streamlined way to maintain the validity of a trust chain without undergoing the full discovery process again. It's particularly useful for quickly updating trust relationships when minor changes occur or when the trust chain is close to expiration but the overall structure of the federation hasn't changed significantly. The Trust Chain Fast Renewal process is initiated by fetching the leaf's (RP's or OP's) entity configuration anew. However, unlike the federation discovery process that may involve fetching entity configurations starting from the authority hints, the fast renewal focuses on directly obtaining the subordinate statements. These statements are requested using the source_endpoint provided within them, which points to the location where the statements can be fetched. |
This commit aims to resolve the issue italia#259
* [PID/(Q)EAA - SD-JWT parameters ] trust chain This commit aims to resolve the issue #259 * Apply suggestions from code review Co-authored-by: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com> * Apply suggestions from code review * Apply suggestions from code review --------- Co-authored-by: Giuseppe De Marco <giuseppe.demarco@teamdigitale.governo.it> Co-authored-by: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com>
|
This issues will be resolved with a PR introducing the mechanisms though which the out of band mechanisms to obtain the trust anchor's public cryptographic material must be implemented. sush as eIDAS Trusted List. |
This PR resolves #259 adding also few editorial improvements along the section
github-project-automation
bot
moved this from In Progress
to Done
in EUDI Wallet IT Technical Specifications
Here the parameter "trust_chain" is described as " JSON array containing the trust chain that proves the reliability of the issuer of the JWT. " Link
This parameter doesn't need to identify the whole trust chain but could contain only the identifier (iss) related to the corresponding Issuer. This ID can be obtained by the federation going through the Issuer Trust Chain.
The text was updated successfully, but these errors were encountered: