trust with CI discovery seq diag improved
peppelinux authored Oct 16, 2024
1 parent 38204fb commit 9b4f263
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions docs/en/trust.rst
@@ -301,7 +301,7 @@ The Entity Configuration MAY also contain one or more Trust Marks.
All the signature-check operations regarding the Entity Configurations, Entity Statements and Trust Marks, are carried out with the Federation public keys. For the supported algorithms refer to Section `Cryptografic Algorithm`.

Entity Configurations Common Parameters
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The Entity Configurations of all the participants in the federation MUST have in common the parameters listed below.

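Review bot: the shortened underline is valid RST (39 carets for the 39-character title "Entity Configurations Common Parameters"; an underline may be longer than its title but never shorter), so this hunk is cosmetic only. If the goal is to normalize underline lengths across the file, the "Wallet Attestation" heading visible in the last hunk still carries an underline longer than its title and could get the same treatment.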
@@ -621,6 +621,7 @@ The Trust Chain MAY be contained within the signed request in the form of a JWS

In offline flows, Trust Chain verification enables the assessment of the reliability of Trust Marks and Attestations contained within.


Establishing Trust with Credential Issuers
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

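Review bot: the added blank line leaves two consecutive blank lines before the "Establishing Trust with Credential Issuers" heading, while the surrounding sections are separated by a single blank line; Sphinx renders both identically, so this is a style point only and the extra line can be dropped.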
@@ -634,15 +635,20 @@ Trust evaluations implement different ways, as defined below:

* **Trust Marks Evaluation**: Trust Marks are assessed to ensure ongoing compliance with federation policies. These marks indicate adherence to specific standards and practices required by the federation.

* **Policy Evaluation**: Continuous evaluation of policies ensures that the Issuer and the requesting entity comply with the latest security and operational standards.
* **Policy Evaluation**: Wallet Instances and Relying Parties MUST check that the Credential Issuer is allowed in the issuance of the Credential of their interest. Metadata, metadata policies and Trust Marks are used for the implementation of these checks.

In the process represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation.
The discovery process produces the Trust Chain. When the Trust Chain is provided statically within a signed request or Credential, it only REQUIRES to be refreshed when the
internet connection is available, while it MUST be refreshed when the statically provided Trust Chain results as expired.

.. figure:: ../../images/trust-with-ci-discovery.svg
:figwidth: 100%
:align: center
:target: //www.plantuml.com/plantuml/svg/fPCzRzim48Pt_ef3bavkzWn13DTfXIv1quyboqKynOTIH-9uj9D_NqQ46hkmkaGJGJtty7q5wYORgfKnk8Hgt7D2CVY58P2TR6qwm0mN6oLFOem1kfmBwSK9rMqdgXCZ7Sap6br-rv8DrjBlOgLTSyFg-hewh-2MhD_LrOSCs-gr5zX46VYfA1f7UH10Wuy72c7rM-91BcCYORyQo5D3WCIdo69kqqtQTi8LV2ChAcUr9p5cVljiYdsDMgn6VPtvKgqP1erZI_YF8yIOO8WAXBN3wPY3-XmTqctdhk-jkMo-BuzHFGiQmRsXqKXYJJrCm99Y_W8_CR1_dROTGLBQSomPyfkgP9QdwUtjts1peQ_qaXyaQTop9myi4tSsaoFnplqlGBiqcnsoE8V1e1kEzu1pOm75mm-XvyHAVgdNdSQUoCE1RNUKlEtdx2XaMffTr_msaysmLOsws66TKc3AS1S3ztLnZlb4odjgbsfWmG0Z6NeqF4T_9WFS8mTy30Hlls262iG3-UaISiu5fITtG-BB6Fu0

.. note::
As represented in the figure, the trust evaluation process is completely decoupled and distinct from the protocol specific flow,
positioning the trust evaluationin a different flow and using different protocols, specialized for this scope.

Wallet Attestation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
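Review bot: the refresh rule in the new paragraph is ambiguous: "it only REQUIRES to be refreshed when the internet connection is available, while it MUST be refreshed when the statically provided Trust Chain results as expired" mixes a non-RFC 2119 keyword (REQUIRES) with a MUST, and it leaves open what a verifier does with an expired, statically provided Trust Chain while offline (reject it, or accept it with a warning), which is the security-relevant case. Suggest two normative clauses along the lines of "SHOULD be refreshed whenever an internet connection is available and MUST be refreshed before use once it has expired", plus an explicit sentence for the offline-and-expired case. Minor points in the same hunk: "evaluationin" in the note should read "evaluation in"; the Policy Evaluation bullet reads more naturally as "allowed to issue the Credential they are interested in"; and the figure's ":target:" is a protocol-relative link (//www.plantuml.com/...) to an external rendering service, so consider an explicit https:// scheme and keeping the PlantUML source next to the SVG under images/ so the diagram can be regenerated without depending on that service.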