| openid-federation-wallet | September 2024 | |
| De Marco, et al. | Standards Track | [Page] |
This specification defines the OpenID Federation entity types for digital wallet architectures.¶
As digital wallets become increasingly deployed for managing identity credentials, establishing an architecture for trusted communication is required to allow each participant in the ecosystem to evaluate other participants' compliance with mutual trust frameworks and accomplish secure and trusted transactions.¶
This specification defines how to use OpenID Federation 1.0 [OpenID.Federation] to enhance the security and interoperability of wallet ecosystems, facilitating trust establishment among the parties and enabling secure metadata exchange and policy application across large scale deployments. It outlines the general architecture of a federated trust infrastructure for wallet ecosystems, identifying participant roles and describing the use of those roles.¶
Additionally, this specification provides practical examples of how to apply policies for typical use cases within wallet ecosystems. Finally, it offers guidance on defining trust marks for use within wallet ecosystems.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This specification is a profile of [OpenID.Federation] for wallet ecosystems. It defines entity types for entities participating in those ecosystems. It describes trust evaluation mechanisms for those entities. It uses applicable metadata parameters defined by other specifications for wallet entities.¶
Collaboration Note: When a metadata parameter is needed for an Entity Type defined by this specification that does not currently exist and that would be usable by wallet ecosystems both using and not using OpenID Federation, it is the editors' intent to work with the working groups creating general-purpose wallet specifications to define those new parameters there.¶
This specification uses the terms "End-User" and "Entity" as defined by OpenID Connect Core [OpenID.Core], "JSON Web Token (JWT)" defined by JSON Web Token (JWT) [RFC7519], "CBOR Web Token (CWT)" defined by CBOR Web Token (CWT) [RFC8392], "Client" as defined by [RFC6749], "Verifiable Presentation" and "Wallet Attestation" defined in [OpenID4VP], "Holder" and "Credential Issuer" defined in [OpenID4VCI], and "Trust Mark", "Federation Entity", "Trust Anchor", "Intermediate", and "Subordinate Statement" defined in [OpenID.Federation].¶
This specification also defines the following terms:¶
The terms "trust model" and "trust framework" are often used in the context of security, identity management, and federation systems.¶
The Trust Model defines the relationships and mechanisms through which trust is established and maintained between entities in a system. It outlines how entities interact, the basis on which they can trust each other, and the roles they play within the system. Trust Models can be simple or complex, depending on the number of parties involved and the nature of their interactions. Common examples include:¶
Third-Party Trust is the focus of this specification, although the Web of Trust model is not excluded if multiple trusted third parties (Trust Anchors) are supported by the participants.¶
A Trust Framework is a comprehensive structure that includes policies, standards, and guidelines that govern the implementation of a Trust Model. It provides detailed rules for how trust should be managed, including the legal, technical, and procedural aspects. To allow for a scalable approach, as many aspects of the framework as possible should be presented in a machine discoverable and machine-readable way.¶
In the scope of this specification, only the technical and procedural aspects are considered and fully covered.¶
OpenID Federation [OpenID.Federation] is a building block for assembling and using trust frameworks. It can help ensure that all participants in a system understand and adhere to the same principles and practices, making interactions predictable and secure.¶
The Four-Party Model is a framework involving four key participants: the Holder, the Credential Issuer, the Credential Verifier, and an Entity trusted by the other Entities called the Trust Anchor. This is an extension of the three-party Issuer-Holder-Verifier Model described in [OpenID4VCI] and [OpenID4VP] that adds a fourth party: the Trust Anchor. The four Entities interact with each other as described below:¶
+-------------------+ +---------------+ +---------------------+
| Credential Issuer |<-->| Holder |<-->| Credential Verifier |
| | | | | |
+-------------------+ +---------------+ +---------------------+
| | |
| | |
V V V
+--------------------------------------------------------------+
| Trust Anchor |
+--------------------------------------------------------------+
¶
Figure 1: The relationships and interactions within a Wallet ecosystem using the Four-Party Model.¶
where Authentic Sources and Wallet Providers figure such as extensions to be not considered in the core structure of the four parties.¶
The Figure above illustrates at the center the Holder, who interacts directly with both the Credential Issuer and the Credential Verifier. The Credential Issuer provides Digital Credentials to the Holder, while the Credential Verifier relies on these Credentials to verify the Holder's claims. Above the Holder is the Wallet Provider, which facilitates the registration and the attestation of the security and integrity of the Holder. All entities, including the Credential Issuer, Credential Verifier, Wallet Provider and therefore Holders, and are underpinned by a Trust Anchor, which provides a foundational layer of trust and security for the entire system. This setup ensures that all interactions and transactions are anchored in a trusted framework.¶
In the Wallet Ecosystem, the primary interaction resolves around asset management. Unlike an Identity Provider in OpenID Connect or SAML2, which authenticates the End-User's identity for third parties, the Credential Issuer in the Wallet ecosystem focuses on managing the issuance of Digital Credentials to the Holder, therefore to the End-User in control of the Wallet.¶
The transactions primarily involve the transfer or management of Digital Credentials rather than granting access to services based on identity verification.¶
Consequently, the End-User obtains and holds the Digital Credentials without disclosing their intended use to the Credential Issuers. At any subsequent time, the End-User can present these Digital Credentials to a Credential Verifier to authenticate themselves.¶
+------------------+ +-----------------+
| Authentic Source | | Wallet Provider |
| | | |
+------------------+ +-----------------+
| |
| |
V V
+-------------------+ +---------------+ +---------------------+
| Credential Issuer |<-->| Holder |<-->| Credential Verifier |
| | | | | |
+-------------------+ +---------------+ +---------------------+
| | |
| | |
V V V
+--------------------------------------------------------------+
| Trust Anchor |
+--------------------------------------------------------------+
¶
Figure 2: Representation acknowledging the roles of Authentic Sources and Wallet Providers in the ecosystem while maintaining the core structure of the Four-Party Model.¶
There are many ways to technically implement Wallet Instances to manage Digital Credentials. There are typically two types of Wallet End-Users: one is a natural person and another is an Organizational Entity, such as a legal person. These two types of End-Users may have different usage and functional requirements.¶
Below a non-exhaustive list of the different Wallet Instance types.¶
Also known as Cloud Wallet or Web Wallet only, is a Wallet that uses native web technologies for its components, such as UI components. Cloud Wallets are typically suited for Organizational Entities that requires automated Digital Credential operations (request, issuance, store, presentation, revocations) in unsupervised flows, therefore without any human control. Web Wallets are divided into two additional subtypes:¶
Since the Holder may not be an Organizational Entity and cannot be registered as an Organization through registration services, it is not represented within a Trust Chain and does not qualify as a Federation Entity. This context sets the stage for understanding the unique position of the Holder in relation to the Trust Chain and Federation Entities.¶
+----------------------------+ | Trust Chain | | +------------------------+ | | | Trust Anchor | | | | (Entity Configuration) | | | +------------------------+ | | | | | v | | +------------------------+ | | | Trust Anchor | | | | (Subordinate Statement | | | | about the | | | | Wallet Provider) | | | +------------------------+ | | | | | v | | +------------------------+ | | | Wallet Provider | | +-------------------------------+ | | (Entity Configuration) |----->| Wallet Attestation | | +------------------------+ | | (Not part of the Trust Chain) | +----------------------------+ +-------------------------------+¶
Outside the Trust Chain, it is the Wallet Attestation, where the Wallet Provider that issued it is attestable through the Trust Chain, while the Wallet, such as the End-User's Native Mobile Application installed on the Personal Device, is attested through the Wallet Attestation and under the responsibility of its issuer, the Wallet Provider.¶
A Credential Verifier Instance is typically installed on a mobile device, personal computer, or embedded system. It enables an individual to perform Digital Credential verification tasks locally, often in proximity to the Holder, and without necessarily requiring a broadband connection. This instance engages in peer-to-peer exchanges with Holders, facilitating Credential verifications directly on the device. This approach represents a shift from traditional server-based verification to a more user-centric model within the Wallet ecosystem.¶
To establish trust between a Holder's Wallet Instance and a Credential Verifier Instance, a mechanism using a verifiable attestation, such as the Wallet Instance Attestations, SHOULD be employed. This process ensures that the Credential Verifier Instance is legitimate and trustworthy.¶
This section defines the Entity Types used by Organizational Entities in their Entity Configurations according to their roles in the Wallet ecosystem.¶
| Entity | Entity Type Identifiers | References |
|---|---|---|
| Trust Anchor |
federation_entity
|
[OpenID.Federation] |
| Intermediate |
federation_entity
|
[OpenID.Federation] |
| Wallet Provider |
federation_entity, openid_wallet_provider
|
this specification |
| Authorization Server |
federation_entity, oauth_authorization_server
|
[OpenID4VCI], [RFC8414] |
| Credential Issuer |
federation_entity, openid_credential_issuer, oauth_authorization_server
|
[OpenID4VCI], this specification |
| Credential Verifier |
federation_entity, openid_credential_verifier
|
[OpenID.Federation], [OpenID4VP], this specification |
The Credential Issuer is an OAuth 2.0 Protected Resource Server and it MAY also implement, within the same Entity, an OAuth 2.0 Authorization Server. According to [OpenID4VCI], the Authorization Server can be external to the Entity that implements the Credential Endpoint, therefore the use of oauth_authorization_server is OPTIONAL.¶
The OpenID Federation Entity Type Identifier for the Wallet Provider is openid_wallet_provider.¶
For information on metadata parameters specific to OpenID Wallets, refer to Section 8. Wallet Metadata (Authorization Server Metadata) of the OpenID for Verifiable Presentations [OpenID4VP] specification.¶
The OpenID Federation Entity Type Identifier for the Credential Issuer is openid_credential_issuer.¶
For information on metadata parameters specific to OpenID Credential Issuers, refer to Section 10.2. Credential Issuer Metadata of the OpenID for Verifiable Credential Issuance [OpenID4VCI] specification.¶
The OpenID Federation Entity Type Identifier for the Credential Verifier is openid_credential_verifier.¶
This specification introduces a distinct Entity Type Identifier for the OpenID Credential Verifier to clearly differentiate it from a traditional OpenID Connect Relying Party (openid_relying_party). This distinction highlights the unique characteristics and functionalities of the Wallet ecosystem and its Credential Verifier.¶
For information on metadata parameters specific to OpenID Credential Verifiers, refer to Section 9. Verifier Metadata (Client Metadata) of the OpenID for Verifiable Presentations [OpenID4VP] specification.¶
Policies refer to a set of rules that govern the operations, security, and interactions within a federation.¶
Technical implementation of federation policies over participants metadata is managed with the use of metadata and metadata_policy parameters in Subordinate Statements. These parameters allow for the configuration enforcement of application-specific metadata changes for each subject (Leaf).¶
Qualitative aspects of federation entities, including administrative protocols, security measures, and behavioral profiling, are regulated by Trust Marks. These marks provide verifiable assertions of compliance with specific profiles beyond the scope of the application-specific metadata.¶
Metadata refers to application-specific properties about a subject and for the purpose of the interoperability. This includes details such as service endpoints, cryptographic keys, and other supported configurations.¶
Metadata within a Subordinate Statement allows for modifications to the metadata published in a Leaf's Entity Configuration. These modifications allow a federation authority, such as a Trust Anchor, to apply policies coercively to its subordinates. This can include actions such as removing weak signature algorithms from their metadata, enforcing the use of specific endpoints configured at the time of the entity's registration within the ecosystem, or restricting the personal data that a Credential Verifier is allowed to request.¶
{
"iss": "https://trust-anchor.example.com",
"sub": "https://credential-verifier.example.it",
"iat": 1616239022,
"exp": 1616239322,
"metadata": {
"federation_entity": {
"organization_name": "Example Credential Verifier",
},
"openid_credential_verifier": {
"application_type": "web",
"client_name": "Example Credential Verifier",
"request_uris": [
"https://verifier.example.org/request_uri"
],
"response_uris_supported": [
"https://verifier.example.org/response_uri"
],
"presentation_definitions_supported": [
{
"id": "d76c51b7-ea90-49bb-8368-6b3d194fc131",
"input_descriptors": [
{
"id": "PersonIdentificationData",
"name": "Person Identification Data",
"purpose": "User Authentication",
"format": {
"vc+sd-jwt": {
"alg": [
"ES256",
"ES384",
"ES512"
]
}
},
"constraints": {
"limit_disclosure": "required",
"fields": [
{
"filter": {
"const": "PersonIdentificationData",
"type": "string"
},
"path": [
"$.vct"
]
},
{
"filter": {
"type": "object"
},
"path": [
"$.cnf.jwk"
]
},
{
"path": [
"$.first_name"
]
},
{
"path": [
"$.family_name"
]
}
]
}
}
]
}
],
}
},
"jwks": {
"keys": [
{
"kty": "RSA",
"use": "sig",
"kid": "1",
"n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEPCRfceaC7mkxr8v...",
"e": "AQAB"
}
]
}
}
¶
Figure 3: Example demonstrating how a Federation Authority can issue a Subordinate Statement about a Credential Verifier, specifying certain metadata parameters such as the endpoints to use and the allowed Digital Credentials to be requested.¶
metadata and metadata_policy
The key difference between metadata and metadata_policy is that metadata directly affects only the Immediate Subordinate Entity, while metadata_policy impacts the configuration of all Subordinate Entities along a Trust Chain, as defined in Sections 5 and 6.1 of [OpenID.Federation].¶
This distinction positions the metadata parameter as an ideal tool for federation authorities managing entity registrations and needing to sanitize Leaves configurations in an arbitrary way. The Trust Anchor (TA) and Intermediate (INT) sanitize an Entity Configuration during technical tests and finalize it by setting specific metadata parameters.¶
Differently from metadata, metadata_policy ensures that specific settings can be propagated to all the Entities Statements contained within a Trust Chain.¶
Trust Marks are issued by authorized entities (Trust Mark Issuers) within the federation, typically after an entity has demonstrated compliance with certain standards, this might happen through auditing or certification processes.¶
Trust Marks are typically implemented as signed assertions that can be verified by other entities.¶
This verification process involves checking the digital signature against the public key of the Trust Mark Issuer to ensure the Trust Mark has not been forged, and its check to the Trust Mark Status endpoint to check it against any revocation.¶
Trust Marks SHOULD be defined within the trust framework. Trust Marks are asserted about a subject through a registration service or compliance evaluation mechanism and therefore included in subject's Entity Configurations. This allows other entities to quickly assess the compliance status of a subject by examining the Entity Configuration of a subject.¶
{
"id":"https://diligent.federation.example.com/openid_credential_verifier/private/under-age",
"iss": "https://trustissuer.pinarolo.example.it",
"sub": "https://vavuso.example.com/rp",
"iat": 1579621160,
"policy_uri": "https://vavuso.example.com/policy",
"tos_uri": "https://vavuso.example.com/tos"
}
¶
Figure 4: Trust Mark to be included in a Leaf Entity Configuration, which payload states Leaf's compliance in interacting with under-age End-User.¶
The process of trust establishment in federated environments is illustrated in this section through specific use cases involving Wallet Instances, Credential Issuers (CIs), and Credential Verifiers (CVs).¶
Wallets begin by discovering the identity of Credential Issuers through the federation's trust infrastructure. This involves retrieving the Credential Issuer's Entity Configuration and verifying its Trust Chain up to a recognized Trust Anchor. The Credential Issuer’s Entity Configuration provides essential information, including its roles within the federation, policies it adheres to, and cryptographic keys for secure communication.¶
In the example represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation.¶
sequenceDiagram
participant Wallet
participant TA as Trust Anchor
participant IM as Intermediate
participant CI as Credential Issuer
Wallet->>TA: Fetch the list of all Intermediates and CIs
loop for each Intermediate
Wallet->>IM: Fetch listing of Subordinates/CIs
end
loop for each CI
Wallet->>CI: Fetch CI's Entity Configuration
Wallet->>IM: Fetch Subordinate Statement(s) for CI
Wallet->>TA: Fetch Subordinate Statement for Intermediate(s)
Wallet->>Wallet: Validate Trust Chain for CI
Wallet->>Wallet: Include CI in Discovery Page<br/>with validated information and logo
end
¶
The diagram above shows how a Wallet navigates the federation, collecting and validating the Trust Chain for each Credential Issuer (CI), and creating a discovery page including each Credential Issuer using the information, such as the credential types and logo obtained through their Trust Chain.¶
The diagram below illustrates how a Wallet establishes trust with a Credential Issuer by verifying its link (even if indirect) to a Trust Anchor and validating which credentials it is authorized to issue. This may happen in a credential offer flow, for instance, where the Wallet is used by an End-User starting from the Credential Issuer website and without any discovery phases started before within the Wallet.¶
sequenceDiagram
participant Wallet
participant CI as Credential Issuer
participant IE as Intermediate Entities
participant TA as Trust Anchor
Wallet->>CI: Fetch CI's Entity Configuration
CI->>Wallet: Return Entity Configuration
Wallet->>Wallet: Extract Authority Hints from CI's Configuration
loop for each Authority Hint
Wallet->>IE: Fetch Entity Configuration
Wallet->>IE: Fetch Subordinate Statement
Wallet->>Wallet: Validate the previous statement<br/>using the Federation Entity Keys<br/>provided in the Subordinate Statement
end
Wallet->>Wallet: Validate Trust Chain
alt If Trust Chain is Valid and Unexpired
Wallet->>Wallet: Proceed with Federation Process
else
Wallet->>Wallet: Abort Process with Error
end
Wallet->>Wallet: Applies Policies
Wallet->>Wallet: Derive CI's final metadata
Wallet->>Wallet: Get available Credentials allowed for issuance
¶
The Federation Entity Discovery starts with the Wallet Instance fetching the Credential Verifier's Entity Configuration to identify authority hints, pointing to Federation Entities that can issue Subordinate Statements about the Credential Verifier. The Wallet Instance then follows these hints and collects the Subordinate Statements and validating each one. The process continues until the Wallet Instance reaches the Trust Anchor. Finally, the Wallet Instance compiles the validated Trust Chain. If the Trust Chain is valid, the Wallet Instance processes the Credential Verifier final metadata.¶
Note: While this section exemplifies the journey of discovery from the perspective of an OpenID Wallet Instance, it is important to understand that this approach can be applied to every kind of entity type within the federation.¶
sequenceDiagram
participant WalletInstance as Wallet Instance
participant CV as Credential Verifier
participant IE as Intermediate
participant TA as Trust Anchor
WalletInstance->>CV: Fetch CV's Entity Configuration
CV->>WalletInstance: Return Entity Configuration
WalletInstance->>CV: Extract Authority Hints from CV's Configuration
CV->>WalletInstance: Provide Authority Hints
loop for each Authority Hint
WalletInstance->>IE: Fetch Entity Configuration -> get federation_fetch_api URL
IE->>WalletInstance: Fetch Subordinate Statement
WalletInstance->>WalletInstance: Validate the previous statement<br/>using the Federation Entity Keys<br/>provided in the Subordinate Statement
end
WalletInstance->>WalletInstance: Validate Trust Chain
alt If Trust Chain is valid and unexpired
WalletInstance->>WalletInstance: Proceed with Federation Process
else
WalletInstance->>WalletInstance: Abort Process with Error
end
WalletInstance->>WalletInstance: Applies Policies
WalletInstance->>WalletInstance: Derive CV's final metadata
¶
TBD: usage of static trust chain having at least a Trust Anchor in common with the requestor¶
We would like to thank the following individuals for their comments, ideas, and contributions to this implementation profile and to the initial set of implementations.¶
Copyright (c) 2024 The OpenID Foundation.¶
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.¶
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that MAY cover technology that MAY be required to practice this specification.¶
[[ To be removed from the final specification ]]¶
-02¶
-01¶
openid_wallet_relying_party to openid_credential_verifier.¶
-00¶