I failed to find some information about how wallet can achieve trust in specific credential issuer. There is a chapter "Trust between Wallet and Issuer" but this chapter talks only about one way - how issuer can trust the wallet, but not the other way.

This trust check is mandated by EUDIW implementing acts as seen for example in point 8 of https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402977#art_3 :

> When issuing person identification data to wallet units, providers of person identification data shall identify themselves to wallet units using their wallet-relying party access certificate or by using another authentication mechanism in accordance with an electronic identity scheme notified at assurance level high.

Considering I have some trust list with certificate I see some options like:

- Using TLS certificate of credential issuer endpoint
- Using certificate associated with JWT in signed metadata attribute
- Using certificate associated with signature over issued credential (this is probably not possible to check upfront before issuing credential)

Shouldn't this be discussed somewhere in the document?

I think the assumption has been to use "certificate associated with JWT in signed metadata attribute" (your second bullet point). Agree we could add implementation considerations how signed_metadata can be used to authenticate the issuer. We should also consider adding signed_metadata as a requirement in HAIP.
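The second option from the list and the reply about signed_metadata, sketched as an added example that is not part of the thread or of the specification: a wallet-side check that the certificate attached to the signed metadata JWT is on the trust list before the metadata is used. It assumes the JWT carries its certificate in an `x5c` header, is signed with RS256, and that the trust list pins certificates by SHA-256 fingerprint; `make_issuer`, `verify_signed_metadata` and the file layout are hypothetical, and all keys and metadata are generated locally.

```shell
# Constructed demo: keys, certificates and metadata are generated locally with openssl.
b64url()   { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
unb64url() { s=$(tr '_-' '/+'); while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
             printf '%s\n' "$s" | openssl base64 -d -A; }
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Issuer side (stand-in): self-signed certificate plus an RS256 JWT that carries
# the certificate in the x5c header. $1 = output prefix, $2 = credential_issuer.
make_issuer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-demo" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
  der=$(openssl x509 -in "$1.crt" -outform DER | openssl base64 -A)
  h=$(printf '{"alg":"RS256","x5c":["%s"]}' "$der" | b64url)
  p=$(printf '{"credential_issuer":"%s"}' "$2" | b64url)
  sig=$(printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -sign "$1.key" | b64url)
  printf '%s.%s.%s\n' "$h" "$p" "$sig" > "$1.jwt"
}

# Wallet side. $1 = signed_metadata JWT file, $2 = trust list (one SHA-256
# certificate fingerprint per line, an assumed format), $3 = issuer URL contacted.
# Exit: 0 ok, 1 malformed, 2 not on trust list, 3 bad signature, 4 issuer mismatch.
verify_signed_metadata() (
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  IFS=. read -r h p sig < "$1" || exit 1
  printf '%s' "$h" | unb64url | sed 's/.*"x5c":\["\([^"]*\)".*/\1/' \
    | openssl base64 -d -A | openssl x509 -inform DER -out "$tmp/leaf.crt" 2>/dev/null || exit 1
  grep -qxF "$(fingerprint "$tmp/leaf.crt")" "$2" || exit 2
  openssl x509 -in "$tmp/leaf.crt" -noout -pubkey > "$tmp/pub.pem"
  printf '%s' "$sig" | unb64url > "$tmp/sig.bin"
  # Always verify as RSA/SHA-256; the alg header is not used to pick the algorithm.
  printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
    -signature "$tmp/sig.bin" >/dev/null 2>&1 || exit 3
  printf '%s' "$p" | unb64url | grep -qF "\"credential_issuer\":\"$3\"" || exit 4
)

# Demo run on constructed data.
d=$(mktemp -d); make_issuer "$d/issuer" "https://issuer.example"
fingerprint "$d/issuer.crt" > "$d/trust.txt"
verify_signed_metadata "$d/issuer.jwt" "$d/trust.txt" "https://issuer.example" \
  && echo "issuer authenticated"
```

A trust list that holds CA certificates rather than pinned leaves would replace the fingerprint comparison with chain validation.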