From 9b4f263bec6c12bb583d257327d1d7d285d6bf12 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Wed, 16 Oct 2024 13:07:48 +0200 Subject: [PATCH] trust with CI discovery seq diag improved --- docs/en/trust.rst | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/en/trust.rst b/docs/en/trust.rst index a3a12e00..27b04353 100644 --- a/docs/en/trust.rst +++ b/docs/en/trust.rst @@ -301,7 +301,7 @@ The Entity Configuration MAY also contain one or more Trust Marks. All the signature-check operations regarding the Entity Configurations, Entity Statements and Trust Marks, are carried out with the Federation public keys. For the supported algorithms refer to Section `Cryptografic Algorithm`. Entity Configurations Common Parameters -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The Entity Configurations of all the participants in the federation MUST have in common the parameters listed below. @@ -621,6 +621,7 @@ The Trust Chain MAY be contained within the signed request in the form of a JWS In offline flows, Trust Chain verification enables the assessment of the reliability of Trust Marks and Attestations contained within. + Establishing Trust with Credential Issuers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -634,15 +635,20 @@ Trust evaluations implement different ways, as defined below: * **Trust Marks Evaluation**: Trust Marks are assessed to ensure ongoing compliance with federation policies. These marks indicate adherence to specific standards and practices required by the federation. -* **Policy Evaluation**: Continuous evaluation of policies ensures that the Issuer and the requesting entity comply with the latest security and operational standards. +* **Policy Evaluation**: Wallet Instances and Relying Parties MUST check that the Credential Issuer is allowed in the issuance of the Credential of their interest. Metadata, metadata policies and Trust Marks are used for the implementation of these checks. In the process represented in the sequence diagram below, the Wallet Instance uses the Federation API to discover and collect all the Credential Issuers enabled within the federation. +The discovery process produces the Trust Chain. When the Trust Chain is provided statically within a signed request or Credential, it only REQUIRES to be refreshed when the +internet connection is available, while it MUST be refreshed when the statically provided Trust Chain results as expired. .. figure:: ../../images/trust-with-ci-discovery.svg :figwidth: 100% :align: center :target: //www.plantuml.com/plantuml/svg/fPCzRzim48Pt_ef3bavkzWn13DTfXIv1quyboqKynOTIH-9uj9D_NqQ46hkmkaGJGJtty7q5wYORgfKnk8Hgt7D2CVY58P2TR6qwm0mN6oLFOem1kfmBwSK9rMqdgXCZ7Sap6br-rv8DrjBlOgLTSyFg-hewh-2MhD_LrOSCs-gr5zX46VYfA1f7UH10Wuy72c7rM-91BcCYORyQo5D3WCIdo69kqqtQTi8LV2ChAcUr9p5cVljiYdsDMgn6VPtvKgqP1erZI_YF8yIOO8WAXBN3wPY3-XmTqctdhk-jkMo-BuzHFGiQmRsXqKXYJJrCm99Y_W8_CR1_dROTGLBQSomPyfkgP9QdwUtjts1peQ_qaXyaQTop9myi4tSsaoFnplqlGBiqcnsoE8V1e1kEzu1pOm75mm-XvyHAVgdNdSQUoCE1RNUKlEtdx2XaMffTr_msaysmLOsws66TKc3AS1S3ztLnZlb4odjgbsfWmG0Z6NeqF4T_9WFS8mTy30Hlls262iG3-UaISiu5fITtG-BB6Fu0 +.. 
note:: + As represented in the figure, the trust evaluation process is completely decoupled and distinct from the protocol specific flow, +positioning the trust evaluationin a different flow and using different protocols, specialized for this scope. Wallet Attestation ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
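Review bot: in the first hunk (`@@ -301,7 +301,7 @@`) the shortened underline is correct only if it is at least as long as the 39-character title "Entity Configurations Common Parameters"; Sphinx emits a "Title underline too short" warning otherwise, so please confirm the count. While touching this heading, the unchanged context line just above it still reads "Cryptografic Algorithm" (should be "Cryptographic"), and single backticks there do not produce a cross-reference unless the project sets `default_role`; a `:ref:` to the algorithms section would make the pointer resolvable.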
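Review bot: in the third hunk (`@@ -634,15 +635,20 @@`) the second line of the new note, `+positioning the trust evaluationin a different flow and using different protocols, specialized for this scope.`, carries no indentation after the `+`, so the `.. note::` directive body ends after its first line and the rest renders as a stray paragraph; indent it to match the first body line and insert the missing space in "evaluationin". In the same hunk, "it only REQUIRES to be refreshed when the internet connection is available" uses "REQUIRES", which is not an RFC 2119 keyword, and is ambiguous between "refresh whenever a connection is available" and "refresh only if a connection happens to be available"; suggest stating the intent explicitly, e.g. "it is only REQUIRED to be refreshed when an internet connection is available, and MUST be refreshed when the statically provided Trust Chain has expired", so the expiry check on a statically provided Trust Chain is unconditional for the verifier. Finally, "allowed in the issuance of the Credential of their interest" reads more clearly as "allowed to issue the Credential type they are interested in".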