Skip to content

Rephrase conditions to provide nonce in proof types based on presence of Nonce endpoint #678

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Rephrase conditions to provide nonce in proof types based on presence of Nonce endpoint #678

wants to merge 3 commits into from
+3 −2

Conversation

@awoie
Copy link
Contributor

@awoie awoie commented Nov 11, 2025
edited
Loading

Potentially fixes #677 , potentially fixes #676

Note that I created the PR based on #676 (comment).

IMO, one implication is that for nonce claims in a key_attestation in a jwt proof, it means, the wallet decides whether to include it which is how I interpret the current version of the spec but wanted to point this out in case it is not obvious for readers of this PR. If the issuer insists on the presence which is unlikely, it could still provide a nonce error. To improve this behaviour, we could define a dedicated issuer metadata parameter, e.g., require_nonce_in_key_attesatation_in_jwt_proof in a backward compatible way to improve this behaviour.

paulbastian
paulbastian approved these changes Nov 11, 2025
View reviewed changes
Copy link
Contributor

@paulbastian paulbastian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't judge for DI, but the fix on jwt proof_type looks right

Sakurann
Sakurann reviewed Nov 11, 2025
View reviewed changes
jogu
jogu requested changes Nov 11, 2025
View reviewed changes
Copy link
Contributor

@jogu jogu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still have the part here to solve: #676 (comment) (or we should raise a new issue for that, I don't have a strong opinion which).

I think we should apply the change to 1.0 as well.

@babisRoutis
Copy link
Contributor

babisRoutis commented Nov 19, 2025

Hi @awoie

Please consider updating the definition of nonce claim of key_attestation found in appendix E.

Currently the definition is

nonce: OPTIONAL. String that represents a nonce provided by the Issuer to prove that a key attestation was freshly generated

IMO this could be update to include

MUST be present if the attestation is used with attestation Proof type, if credential issuer provides a nonce endpoint

@awoie awoie requested a review from Sakurann November 20, 2025 16:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jogu jogu jogu requested changes

@paulbastian paulbastian paulbastian approved these changes

@Sakurann Sakurann Awaiting requested review from Sakurann

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

"If the Credential Issuer provided a c_nonce" doesn't really make sense key attestation in the jwt proof header should be able to be pre-generated...

6 participants

@awoie @babisRoutis @jogu @paulbastian @Sakurann