Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pillar 2: Security - Responsibilities of Wallet vs Issuer #42

Open
tlodderstedt opened this issue Aug 28, 2024 · 4 comments
Open

Pillar 2: Security - Responsibilities of Wallet vs Issuer #42

tlodderstedt opened this issue Aug 28, 2024 · 4 comments

Comments

@tlodderstedt
Copy link

"Digital wallets are instrumental to the acquisition, storage and presentation of credential-based assertions, and the security of wallets is essential to safeguarding the integrity and privacy of those assertions. "

I would argue the typical wallet is responsible to ensure the confidentiality of the credentials and the cryptographic binding of the credentials to the holder. The integrity and authenticity of the credentials itself should be ensured by the issuer's signature. Would you agree? This is an important differentiation as it also determines the requirements towards a wallet. A wallet needs to ensure proper management of the key used to proof the user authentication to the verifier. And the issuer needs to make sure an adequate protection level of that key before issuing a credential bound to it. And it needs to protect the credentials' confidentiality, e.g. by encrypting them and ensuring access to the data is only possible after user authentication.
@tlodderstedt
Copy link
Author

same for "Credential Management: Credential management in the context of a digital wallet refers to the process of handling and safeguarding digital credentials to ensure their integrity."

@andy-tobin
Copy link

The wallet is a key part in the "chain of custody" of the credentials within. This sentence is focused on stating that the wallet is such a component, and that is should not disrupt or prevent another party (eg a verifier/relying party) from checking the source and integrity of the assertions that have been made.

@andy-tobin
Copy link

The SIG call attendees noted the complexities of the use of the word "integrity", but noted that in the context of the whole sentence, and the audience not necessarily being experts in the identity-world-centric definition of attribute and attestation integrity, that it is OK. However if you'd like to propose an alternative in a pull request we'll take a look at it.

@tbloomfi
Copy link

tbloomfi commented Sep 4, 2024

Perhaps the following wording?

Digital wallets are instrumental to the acquisition, storage and presentation of credential-based assertions, and the security of wallets is essential to safeguarding the chain of custody and privacy of those assertions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tlodderstedt @tbloomfi @andy-tobin