openid-federation-wallet | October 2024 | |
De Marco, et al. | Standards Track | [Page] |
This specification defines the OpenID Federation entity types for digital wallet architectures.¶
As digital wallets become increasingly deployed for managing identity credentials, establishing an architecture for trusted communication is required to allow each participant in the ecosystem to evaluate other participants' compliance with mutual trust frameworks and accomplish secure and trusted transactions.¶
This specification defines how to use OpenID Federation 1.0 [OpenID.Federation] to enhance the security and interoperability of wallet ecosystems, facilitating trust establishment among the parties and enabling secure metadata exchange and policy application across large scale deployments. It outlines the general architecture of a federated trust infrastructure for wallet ecosystems, identifying participant roles and describing the use of those roles.¶
Additionally, this specification provides practical examples of how to apply policies for typical use cases within wallet ecosystems. Finally, it offers guidance on defining trust marks for use within wallet ecosystems.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This specification is a profile of [OpenID.Federation] for wallet ecosystems. It defines entity types for entities participating in those ecosystems. It describes trust evaluation mechanisms for those entities. It uses applicable metadata parameters defined by other specifications for wallet entities.¶
Collaboration Note: When a metadata parameter is needed for an Entity Type defined by this specification that does not currently exist and that would be usable by wallet ecosystems both using and not using OpenID Federation, it is the editors' intent to work with the working groups creating general-purpose wallet specifications to define those new parameters there.¶
This specification uses the terms "End-User" and "Entity" as defined by OpenID Connect Core [OpenID.Core], "JSON Web Token (JWT)" defined by JSON Web Token (JWT) [RFC7519], "CBOR Web Token (CWT)" defined by CBOR Web Token (CWT) [RFC8392], "Client" as defined by [RFC6749], "Verifiable Presentation" and "Wallet Attestation" defined in [OpenID4VP], "Holder" and "Credential Issuer" defined in [OpenID4VCI], and "Trust Mark", "Federation Entity", "Trust Anchor", "Intermediate", and "Subordinate Statement" defined in [OpenID.Federation].¶
This specification also defines the following terms:¶
The terms "trust model" and "trust framework" are often used in the context of security, identity management, and federation systems.¶
The Trust Model defines the relationships and mechanisms through which trust is established and maintained between entities in a system. It outlines how entities interact, the basis on which they can trust each other, and the roles they play within the system. Trust Models can be simple or complex, depending on the number of parties involved and the nature of their interactions. Common examples include:¶
Trusted Third-Party is the focus of this specification, although the Web of Trust model is not excluded if multiple trusted third parties (Trust Anchors) are supported by the participants.¶
A Trust Framework is a comprehensive structure that includes policies, standards, and guidelines that govern the implementation of a Trust Model. It provides detailed rules for how trust should be managed, including the legal, technical, and procedural aspects. To allow for a scalable approach, as many aspects of the framework as possible should be presented in a machine discoverable and machine-readable way.¶
In the scope of this specification, only the technical and procedural aspects are considered and fully covered.¶
OpenID Federation [OpenID.Federation] is a building block for assembling and using trust frameworks. It can help ensure that all participants in a system understand and adhere to the same principles and practices, making interactions predictable and secure.¶
The Four-Party Model is a framework involving four key participants: the Holder, the Credential Issuer, the Credential Verifier, and an Entity trusted by the other Entities called the Trust Anchor. This is an extension of the three-party Issuer-Holder-Verifier Model described in [OpenID4VCI] and [OpenID4VP] that adds a fourth party: the Trust Anchor.¶
The four Entities interact with each other as described below:¶
+-------------------+ +---------------+ +---------------------+ | Credential Issuer |<-->| Holder |<-->| Credential Verifier | | | | | | | +-------------------+ +---------------+ +---------------------+ | | | | | | V V V +--------------------------------------------------------------+ | Trust Anchor | +--------------------------------------------------------------+¶
Figure 1: The relationships and interactions within a Wallet ecosystem using the Four-Party Model, where Authentic Sources and Wallet Providers figure such as extensions to be not considered in the core structure of the four parties.¶
In the Wallet Ecosystem, the primary interaction resolves around asset management. Unlike an Identity Provider in OpenID Connect or SAML2, which authenticates the End-User's identity for third parties, the Credential Issuer in the Wallet ecosystem focuses on managing the issuance of Digital Credentials to the Holder.¶
The transactions primarily involve the transfer or management of Digital Credentials rather than granting access to services based on identity verification.¶
Consequently, the End-User obtains and holds the Digital Credentials without disclosing their intended use to the Credential Issuers. At any subsequent time, the End-User can present these Digital Credentials to a Credential Verifier to authenticate themselves.¶
+------------------+ +-----------------+ | Authentic Source | | Wallet Provider | | | | | +------------------+ +-----------------+ | | | | V V +-------------------+ +---------------+ +---------------------+ | Credential Issuer |<-->| Holder |<-->| Credential Verifier | | | | | | | +-------------------+ +---------------+ +---------------------+ | | | | | | V V V +-------------------------------------------------------------------+ | Trust Anchor | +-------------------------------------------------------------------+¶
Figure 2: Representation acknowledging the roles of Authentic Sources and Wallet Providers in the ecosystem while maintaining the core structure of the Four-Party Model.¶
The Figure above illustrates at the center the Holder, who interacts directly with both the Credential Issuer and the Credential Verifier. The Credential Issuer provides Digital Credentials to the Holder, while the Credential Verifier relies on these Credentials to verify the Holder's claims. Above the Holder is the Wallet Provider, which facilitates the registration and the attestation of the security and integrity of the Holder. All entities, including the Credential Issuer, Credential Verifier, Wallet Provider and therefore Holders, and are underpinned by a Trust Anchor, which provides a foundational layer of trust and security for the entire system. This setup ensures that all interactions and transactions are anchored in a trusted framework.¶
There are many ways to technically implement Wallet Instances to manage Digital Credentials. There are typically two types of Wallet End-Users: one is a natural person and another is an Organizational Entity. These two types of End-Users may have different usage and functional requirements.¶
Below a non-exhaustive list of the different Wallet Instance types.¶
Also known as Cloud Wallet or Web Wallet only, is a Wallet that uses native web technologies for its components, such as UI components. Cloud Wallets are typically suited for Organizational Entities that requires automated Digital Credential operations (request, issuance, store, presentation, revocations) in unsupervised flows, therefore without any human control. Web Wallets are divided into two additional subtypes:¶
Since the Holder may not be an Organizational Entity and cannot be registered as an Organization through registration services, it is not represented within a Trust Chain and does not qualify as a Federation Entity. This context sets the stage for understanding the unique position of the Holder in relation to the Trust Chain and Federation Entities.¶
+----------------------------+ | Trust Chain | | +------------------------+ | | | Trust Anchor | | | | (Entity Configuration) | | | +------------------------+ | | | | | v | | +------------------------+ | | | Trust Anchor | | | | (Subordinate Statement | | | | about the | | | | Wallet Provider) | | | +------------------------+ | | | | | v | | +------------------------+ | | | Wallet Provider | | +-------------------------------+ | | (Entity Configuration) |----->| Wallet Attestation | | +------------------------+ | | (Not part of the Trust Chain) | +----------------------------+ +-------------------------------+¶
Figure 3: Federation Trust Chain and Wallet Attestation are separate things, where the Wallet Attestation is linked to its Issuer attested within the Trust Chain.¶
Outside the Trust Chain, it is the Wallet Attestation, where the Wallet Provider that issued it is attestable through the Trust Chain, while the Wallet, such as the End-User's Native Mobile Application installed on the Personal Device, is attested through the Wallet Attestation and under the responsibility of its issuer, the Wallet Provider.¶
This section defines the Entity Types used by Organizational Entities in their Entity Configurations according to their roles in the Wallet ecosystem.¶
Entity | Entity Type Identifiers | References |
---|---|---|
Trust Anchor |
federation_entity
|
[OpenID.Federation] |
Intermediate |
federation_entity
|
[OpenID.Federation] |
Wallet Provider |
federation_entity , openid_wallet_provider
|
this specification |
Authorization Server |
federation_entity , oauth_authorization_server
|
[OpenID4VCI], [RFC8414] |
Credential Issuer |
federation_entity , openid_credential_issuer , oauth_authorization_server
|
[OpenID4VCI], this specification |
Credential Verifier |
federation_entity , openid_credential_verifier
|
[OpenID.Federation], [OpenID4VP], this specification |
Table 1: Map of the Federation Entity Types and corresponding metadata types for the Wallet architectures.¶
The Credential Issuer is an OAuth 2.0 Protected Resource Server and it MAY also implement, within the same Entity, an OAuth 2.0 Authorization Server. According to [OpenID4VCI], the Authorization Server can be external to the Entity that implements the Credential Endpoint, therefore the use of oauth_authorization_server
is OPTIONAL.¶
The OpenID Federation Entity Type Identifier for the Wallet Provider is openid_wallet_provider
.¶
For information on metadata parameters specific to OpenID Wallets, refer to Section 8. Wallet Metadata (Authorization Server Metadata) of the OpenID for Verifiable Presentations [OpenID4VP] specification.¶
The OpenID Federation Entity Type Identifier for the Credential Issuer is openid_credential_issuer
.¶
For information on metadata parameters specific to OpenID Credential Issuers, refer to Section 10.2. Credential Issuer Metadata of the OpenID for Verifiable Credential Issuance [OpenID4VCI] specification.¶
The OpenID Federation Entity Type Identifier for the Credential Verifier is openid_credential_verifier
.¶
This specification introduces a distinct Entity Type Identifier for the OpenID Credential Verifier to clearly differentiate it from a traditional OpenID Connect Relying Party (openid_relying_party
). This distinction highlights the unique characteristics and functionalities of the Wallet ecosystem and its Credential Verifier.¶
For information on metadata parameters specific to OpenID Credential Verifiers, refer to Section 9. Verifier Metadata (Client Metadata) of the OpenID for Verifiable Presentations [OpenID4VP] specification.¶
Policies refer to a set of rules that govern the operations, security, and interactions within a federation.¶
Technical implementation of federation policies over participants metadata is managed with the use of metadata
and metadata_policy
parameters in Subordinate Statements. These parameters allow for the configuration enforcement of application-specific metadata changes for each subject (Leaf).¶
Qualitative aspects of federation entities, including administrative protocols, security measures, and behavioral profiling, are regulated by Trust Marks. These marks provide verifiable assertions of compliance with specific profiles beyond the scope of the application-specific metadata.¶
Metadata refers to application-specific properties about a subject and for the purpose of the interoperability. This includes details such as service endpoints, cryptographic keys, and other supported configurations.¶
Metadata within a Subordinate Statement allows for modifications to the metadata published in a Leaf's Entity Configuration. These modifications allow a federation authority, such as a Trust Anchor, to apply policies coercively to its subordinates. This can include actions such as removing weak signature algorithms from their metadata, enforcing the use of specific endpoints configured at the time of the entity's registration within the ecosystem, or restricting the personal data that a Credential Verifier is allowed to request.¶
{ "iss": "https://trust-anchor.example.com", "sub": "https://credential-verifier.example.it", "iat": 1616239022, "exp": 1616239322, "metadata": { "federation_entity": { "organization_name": "Example Credential Verifier", }, "openid_credential_verifier": { ... as defined in the OpenID4VP specs ... } }, "jwks": { "keys": [ { "kty": "RSA", "use": "sig", "kid": "1", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEPCRfceaC7mkxr8v...", "e": "AQAB" } ] } }¶
Example 1: Example demonstrating how a Federation Authority can issue a Subordinate Statement about a Credential Verifier, specifying certain metadata parameters such as the endpoints to use and the allowed Digital Credentials to be requested.¶
metadata
and metadata_policy
The key difference between metadata
and metadata_policy
is that metadata directly affects only the Immediate Subordinate Entity, while metadata_policy
impacts the configuration of all Subordinate Entities along a Trust Chain, as defined in Sections 3, 5 and 6.1 of [OpenID.Federation].¶
Differently from metadata
, metadata_policy
ensures that specific settings can be propagated to all the Entities Statements contained within a Trust Chain.¶
Trust Marks are issued by authorized entities (Trust Mark Issuers) within the federation, typically after an entity has demonstrated compliance with certain standards, this might happen through auditing or certification processes.¶
Trust Marks are typically implemented as signed assertions that can be verified by other entities.¶
This verification process involves checking the digital signature against the public key of the Trust Mark Issuer to ensure the Trust Mark has not been forged, and its check to the Trust Mark Status endpoint to check it against any revocation.¶
Trust Marks SHOULD be defined within the trust framework. Trust Marks are asserted about a subject through a registration service or compliance evaluation mechanism and therefore included in subject's Entity Configurations. This allows other entities to quickly assess the compliance status of a subject by examining the Entity Configuration of a subject.¶
{ "id":"https://diligent.federation.example.com/openid_credential_verifier/private/under-age", "iss": "https://trustissuer.pinarolo.example.it", "sub": "https://vavuso.example.com/rp", "iat": 1579621160, "policy_uri": "https://vavuso.example.com/policy", "tos_uri": "https://vavuso.example.com/tos" }¶
Example 2: Trust Mark to be included in a Leaf Entity Configuration, which payload states Leaf's compliance in interacting with under-age End-User.¶
The process of trust establishment in federated environments is illustrated in this section through specific use cases involving Wallet Instances, Credential Issuers (CIs), and Credential Verifiers (CVs).¶
A Credential Verifier Instance is typically installed on a mobile device, personal computer, or embedded system. It enables an individual to perform Digital Credential verification tasks locally, often in proximity to the Holder, and without necessarily requiring a broadband connection. This instance engages in peer-to-peer exchanges with Holders, facilitating Credential verifications directly on the device. This approach represents a shift from traditional server-based verification to a more user-centric model within the Wallet ecosystem.¶
To establish trust between a Holder's Wallet Instance and a Credential Verifier Instance, a mechanism using a verifiable attestation, such as the Wallet Instance Attestations, SHOULD be employed. This process ensures that the Credential Verifier Instance is legitimate and trustworthy.¶
The mechanisms used to present the Wallet Instance Attestation to a Credential Verifier are out of scope for this specification, as they are related to Credential presentation flows. For implementation details on these presentation mechanisms, please refer to the OpenID for Verifiable Presentations (OpenID4VP) specification.¶
Wallets SHOULD periodically check their Wallet Providers' compliance through the federation's trust infrastructure. This involves retrieving the Wallet Provider's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor, ensuring that the Wallet Provider has not been revoked within the federation. Wallets SHOULD remain neutral in attesting to the reliability of their Wallet Providers for the End-User, thereby protecting the End-User against any malevolent behavior by the Wallet Provider.¶
The Wallet Provider’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication. The Wallet Instance SHOULD use the Federation API to periodically reestablish trust with its Wallet Provider.¶
The process to discover the trust with a Wallet Provider is equivalent to the one used for discovering the trust with a Credential Issuer, as described in the dedicated section below.¶
Wallets begin by discovering the identity of Credential Issuers through the federation's trust infrastructure. This involves retrieving the Credential Issuer's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor. The Credential Issuer’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication.¶
In the process represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation.¶
+------+ +------------+ +------------+ +-----------------+ |Wallet| |Trust Anchor| |Intermediate| |Credential Issuer| +---+--+ +------+-----+ +------+-----+ +--------+--------+ | Fetch the list of all | | | | Intermediates and CIs | | | |--------------------------------->| | | | | | | +-----------+----------------------------------+--------------+------+ | | LOOP |for each Intermediate | | | | |-------+ | | | | | | | Fetch listing of | | | | | | Subordinates/CIs | | | | | |------------------------------------------------>| | | +-----------+----------------------------------+--------------+------+ | | | | | +-----------+----------------------------------+--------------+----------------+--------+ | LOOP |for each CI | | | | |-------+ | | | | | | | Fetch CI's Entity Configuration | | | | | |----------------------------------------------------------------->| | | | | | | | | | Fetch Subordinate Statement(s) | | | | | | for CI | | | | | |------------------------------------------------>| | | | | | | | | | | Fetch Subordinate Statement | | | | | | for Intermediate(s) | | | | | |--------------------------------->| | | | | |----+ | | | | | | | Validate Trust Chain | | | | | | | for CI | | | | | |<---+ | | | | | | | | | | | |----+ | | | | | | | Include CI in | | | | | | | Discovery Page | | | | | | | with validated | | | | | | | information and logo | | | | | |<---+ | | | | +-----------+----------------------------------+--------------+----------------+--------+ +---+--+ +------+-----+ +------+-----+ +--------+--------+ |Wallet| |Trust Anchor| |Intermediate| |Credential Issuer| +------+ +------------+ +------------+ +-----------------+¶
Figure 4: Federation Credential Issuer listing, the Wallet Instance browse the entire federation collecting all the Credential Issuers.¶
The diagram above shows how a Wallet navigates the federation, collecting and validating the Trust Chain for each Credential Issuer (CI), and creating a discovery page including each Credential Issuer using the information, such as the Credential Types and logo obtained through their Trust Chain.¶
The diagram below illustrates how a Wallet establishes trust with a Credential Issuer by verifying its link (even if indirect) to a Trust Anchor and validating which Credentials it is authorized to issue. This may happen in a credential offer flow, for instance, where the Wallet is used by an End-User starting from the Credential Issuer website and without any discovery phases started before within the Wallet.¶
+------+ +-----------------+ +-------------------------+ |Wallet| |Credential Issuer| |Intermediate/Trust Anchor| +---+--+ +--------+--------+ +------------+------------+ | Fetch CI's Entity Configuration | | |-------------------------------------------->| | | | | |----+ | | | | Extract Authority Hints | | | | from CI's Configuration | | |<---+ | | | | | | | | +-------+---+---------------------------------------------+-----------------------+------------+ | LOOP |for each Authority Hint | | | +-------+ | | | | | | Fetch Entity Configuration | | | |-------------------------------------------------------------------->| | | | | | | | | Fetch Subordinate Statement | | | |-------------------------------------------------------------------->| | | | | | | | |----+ | | | | | | Validate the previous statement | | | | |<---+ using the Federation Entity Keys | | | | | provided in the Subordinate Statement | | | | | | | | +-----------+---------------------------------------------+-----------------------+------------+ | | | |----+ | | | | Validate Trust Chain | | |<---+ | | | | | | | | +------+----+----------------------------------------+ | | | ALT |If Trust Chain is Valid and Unexpired | | | +------+ | | | | | |----+ | | | | | | Proceed with Federation Process | | | | |<---+ | | | +-----------+----------------------------------------+ | | | | | | | | |----+ | | | | | | Abort Process with Error | | | | |<---+ | | | +-----------+----------------------------------------+ | | | | | |----+ | | | | Applies Policies | | |<---+ | | | | | |----+ | | | | Derive CI's final metadata | | |<---+ | | | | | |----+ | | | | Get available Credentials | | | | allowed for issuance | | |<---+ | | +---+--+ +--------+--------+ +------------+------------+ |Wallet| |Credential Issuer| |Intermediate/Trust Anchor| +------+ +-----------------+ +-------------------------+¶
Figure 5: Federation Entity Discovery, the Wallet Instance evaluates the trust with a Credential Issuer.¶
The evaluation of trust by the Credential Issuer towards the Wallet Provider is conducted exactly as other federation entities. This process can be achieved through Federation Entity Discovery, where the Trust Chain is constructed starting from the Entity Configuration of the Wallet Provider. The Credential Issuer retrieves the Entity Configuration of the Wallet Provider and follows the authority_hints
to build the Trust Chain in the usual manner.¶
Alternatively, trust can be established via a signed data object issued by Wallet Provider, which includes the trust_chain
parameter, as defined in Section 4.3 of [OpenID.Federation]. This parameter contains a pre-constructed and verifiable Trust Chain, which MUST be validated using one of the the public keys of the Trust Anchor. This method allows for a streamlined trust evaluation process, as the Trust Chain is provided directly by the Wallet Provider and can be quickly validated.¶
During the issuance phase, the Wallet Instance authenticates with the Credential Issuer using a Client authentication mechanism that includes a proof issued by its Wallet Provider.¶
This proof is a signed data object that confirms the match of a Wallet Instance to a Wallet Solution, as attested by the Wallet Provider. This proof contains all the information the Credential Issuer requires regarding the security and compliance of the Wallet Instance and the cryptographic proof of possession of this attestation provided by the Wallet Instance presenting it.¶
To establish trust with the Wallet Instance, the Credential Issuer MUST first establish trust with the Wallet Provider that is the issuer of the verifiable attestation, as described in the previous section.¶
The verifiable attestation issued by the Wallet Provider to the Wallet Instance MUST be cryptographically validated using the cryptographic material provided by the federation Trust Chain. The Credential Issuer evaluates the adequacy of these verifiable attestations using mechanisms and rules that might depend upon different regulations and frameworks that are out of the scope of this specification.¶
The Federation Entity Discovery starts with the Wallet Instance fetching the Credential Verifier's Entity Configuration to identify authority hints, pointing to Federation Entities that can issue Subordinate Statements about the Credential Verifier. The Wallet Instance then follows these hints and collects the Subordinate Statements and validating each one. The process continues until the Wallet Instance reaches the Trust Anchor. Finally, the Wallet Instance compiles the validated Trust Chain. If the Trust Chain is valid, the Wallet Instance processes the Credential Verifier final metadata.¶
Note: While this section exemplifies the journey of discovery from the perspective of an OpenID Wallet Instance, it is important to understand that this approach can be applied to every kind of entity type within the federation.¶
+------+ +-------------------+ +-------------------------+ |Wallet| |Credential Verifier| |Intermediate/Trust Anchor| +---┬--+ +--------+----------+ +--------+----------------+ | Fetch Entity Configuration | | |------------------------------------------>| | | | | |----+ | | | | Extract Authority Hints | | | | from Entity Configuration | | |<---+ | | | | | | | | +-------+---+-------------------------------------------+---------------------+----------+ | LOOP |for each Authority Hint | | | +-------+ | | | | | | Fetch Entity Configuration | | | |---------------------------------------------------------------->| | | | | | | | | Fetch Subordinate Statement | | | |---------------------------------------------------------------->| | | | | | | | |----+ | | | | | | Validate the previous statement | | | | |<---+ using the Federation Entity Keys | | | | | provided in the Subordinate Statement| | | | | | | | +-----------+-------------------------------------------+---------------------+----------+ | | | |----+ | | | | Validate Trust Chain | | |<---+ | | | | | | | | +------+----+----------------------------------------+ | | | ALT |If Trust Chain is Valid and Unexpired | | | +------+ | | | | | |----+ | | | | | | Proceed with Federation Process | | | | |<---+ | | | +-----------+----------------------------------------+ | | | | | | | | |----+ | | | | | | Abort Process with Error | | | | |<---+ | | | +-----------+----------------------------------------+ | | | | | |----+ | | | | Applies Policies | | |<---+ | | | | | |----+ | | | | Derive final metadata | | |<---+ | | | | | |----+ | | | | Get Credentials | | | | allowed for presentation | | |<---+ | | +---+--+ +--------+--------+ +----------+--------------+ |Wallet| |Credential Issuer| |Intermediate/Trust Anchor| +------+ +-----------------+ +-------------------------+¶
Figure 6: Federation Entity Discovery, the Wallet Instance evaluates the trust with a Credential Verifier.¶
The static Trust Chain parameter within the JWT headers, as defined in Section 4.3 of [OpenID.Federation], is used as a hint to the Entity involved in a transaction with a common Trust Anchor. This facilitates trust evaluation without the need for real-time Federation Entity Discovery using Federation API endpoints.¶
The Entity that issues a signed data object, including the trust_chain
parameter, might be:¶
wallet_metadata
parameter provided by the Wallet using the Request URI POST;¶
The Entity that receives the data object including the JWT trust_chain
, such as the Wallet Instance obtaining a signed request object, verifies the Trust Chain using the Trust Anchor's public keys and applies any metadata policies, without needing to have a working network connection for reaching the Federation API.¶
Using short-lived Trust Chains ensures compatibility with required revocation administrative protocols, such as those defined in a legal framework. For example, if a revocation must be propagated in less than 24 hours, the Trust Chain should not be valid for more than that period.¶
We would like to thank the following individuals for their comments, ideas, and contributions to this implementation profile and to the initial set of implementations.¶
Copyright (c) 2024 The OpenID Foundation.¶
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.¶
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that MAY cover technology that MAY be required to practice this specification.¶
[[ To be removed from the final specification ]]¶
-03¶
-02¶
-01¶
openid_wallet_relying_party
to openid_credential_verifier
.¶
-00¶