APrian
How about adding this recommendation for the `c_nonce` in section 7.3 for the Credential Response? This would prevent replay attacks for all subsequent requests.
> Yes, unless the access token is intended for multiple uses with a specific Resource Server, such as the Credential Endpoint. OK, section 6.2 brings clarification stating that "_The Authorization...
The PR https://github.com/openid/OpenID4VCI/pull/323 clarifies some of the points I addressed but I still have 2 questions that remain regarding the Issuer's behavior. For a Credential Request with exactly the same...
OK to close this since the nonce feature has been moved to another endpoint.
Is there a real need for a `client_id` in VCI? If not, why not make it optional?
Hello all, I have listed a few requirements that are important for us in the EAA issuance process: 1. The Issuer must be able to indicate what are the security...
@tlodderstedt, I added my comments on PoP keeping in mind that the Credential endpoint will be used for issuing multiple EAA at once and as a reaction to the discussions...
@oriolcanades I do not see the need to ask for a nonce if you don't have a previously obtained access token.
I am not sure I understand the reasons described. > nonce endpoint does not mean an exponentially growing nonce data bases (mechanisms can be self-contained nonces or fully fledged database...
I have to admit that I do not understand the strategy here. The spec does not mandate any constraint for the nonce. Currently it is allowed to be a fixed...