
chore: c_nonce is recommended and AS takes care

Open peppelinux opened this issue 1 year ago • 1 comment

This PR aims to resolve the issue https://github.com/openid/OpenID4VCI/issues/313 where @andprian expressed her sensibility about some details that matter for the security and the behaviour that an implementer may expect from the AS.

This PR does not address the revocation of a credential when a request for the same credential type occurs. As noted in the related issue, this behavior may be influenced by various factors outside the scope of this specification, including legal requirements already mentioned.

peppelinux avatar May 17 '24 19:05 peppelinux

How about adding this recommendation for the c_nonce in section 7.3 for the Credential Response? This would prevent replay attacks for all subsequent requests.

andprian avatar May 21 '24 07:05 andprian
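The replay-protection role of c_nonce in the Credential Response, as an added illustration that is not part of this thread or of the OpenID4VCI project code. It models the issuer side only: the proof is a plain dict standing in for the JWT proof payload (signature verification is assumed to have happened already), nonces are bound to the access token, and the shape of the invalid_proof error response is an assumption.

```python
import secrets
import time


class CredentialEndpoint:
    """Constructed toy model of issuer-side c_nonce handling.

    Every Credential Response carries a fresh c_nonce; the next proof must
    echo it, and a nonce is accepted at most once, so a captured proof
    cannot be replayed against a later request.
    """

    def __init__(self, c_nonce_expires_in=300, clock=time.time):
        self.c_nonce_expires_in = c_nonce_expires_in
        self.clock = clock  # injectable for tests
        # access_token -> (current c_nonce, absolute expiry time); assumption
        self.nonces = {}

    def _rotate(self, access_token):
        """Invalidate the old nonce for this token and mint a new one."""
        nonce = secrets.token_urlsafe(16)
        self.nonces[access_token] = (nonce, self.clock() + self.c_nonce_expires_in)
        return nonce

    def first_nonce(self, access_token):
        """Nonce handed to the wallet before its first proof."""
        return self._rotate(access_token)

    def _invalid_proof(self, access_token):
        # Assumed error shape: reject, but hand out a fresh nonce so an
        # honest wallet can retry. The stale nonce is burned either way.
        return {"error": "invalid_proof",
                "c_nonce": self._rotate(access_token),
                "c_nonce_expires_in": self.c_nonce_expires_in}

    def credential(self, access_token, proof):
        """proof: dict modelling the verified JWT proof payload."""
        current = self.nonces.get(access_token)
        if current is None:
            return self._invalid_proof(access_token)
        nonce, expiry = current
        if proof.get("nonce") != nonce or self.clock() > expiry:
            return self._invalid_proof(access_token)
        # Proof is fresh and single-use: consume it and rotate for the next call.
        return {"credential": "<constructed-credential>",
                "c_nonce": self._rotate(access_token),
                "c_nonce_expires_in": self.c_nonce_expires_in}
```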

If the point of this PR is to recommend the usage of c_nonce in general (regardless of how the issuer provides c_nonce), the specification right now actually intends to mandate c_nonce (either from the token endpoint or credential endpoint)...

I am inclined to close this issue until there is more clarity on the issues including #331.

Sakurann avatar May 27 '24 19:05 Sakurann

With the discussion in #331, the direction is to remove the option to return c_nonce from the token endpoint.

Sakurann avatar Jun 12 '24 08:06 Sakurann