From edf2ec9a5fa0687daf78526e34dc5b867f3070c3 Mon Sep 17 00:00:00 2001 From: Joseph Heenan Date: Wed, 28 May 2025 08:40:33 +0100 Subject: [PATCH 1/3] Attempt to clarify intro text about key attestations The singular "key" was being used in a way that could be confusing given a single key attestation can be used to attest multiple keys. closes #463 --- openid-4-verifiable-credential-issuance-1_0.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 4645f568..cfe0efaa 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -919,10 +919,10 @@ This specification defines the following proof types: There are two ways to convey key attestations (as defined in (#keyattestation)) of the cryptographic key material during Credential issuance: -- The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession of the key and adds the key attestation in the JOSE header. -- The Wallet uses the `attestation` proof type in the Credential Request with the key attestation without a proof of possession of the key itself. +- The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession for one of the attested keys and adds the key attestation in the JOSE header. +- The Wallet uses the `attestation` proof type in the Credential Request to provide a key attestation without a proof of possession of any of the keys. -Depending on the Wallet's implementation, the `attestation` may avoid unnecessary End-User interaction during Credential issuance, as the key itself does not necessarily need to perform signature operations. +Depending on the Wallet's implementation, the `attestation` may avoid unnecessary End-User interaction during Credential issuance, as the key to which the credential will be bound does not necessarily need to perform signature operations. Additional proof types MAY be defined and used. From 24fbca365ba6519e5feadcf9da0e3c8ec1444b2e Mon Sep 17 00:00:00 2001 From: Joseph Heenan Date: Wed, 28 May 2025 16:41:30 +0100 Subject: [PATCH 2/3] Apply Kristina's suggestion Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com> --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index cfe0efaa..3800bd56 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -922,7 +922,7 @@ There are two ways to convey key attestations (as defined in (#keyattestation)) - The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession for one of the attested keys and adds the key attestation in the JOSE header. - The Wallet uses the `attestation` proof type in the Credential Request to provide a key attestation without a proof of possession of any of the keys. -Depending on the Wallet's implementation, the `attestation` may avoid unnecessary End-User interaction during Credential issuance, as the key to which the credential will be bound does not necessarily need to perform signature operations. +Depending on the Wallet's implementation, the `attestation` may avoid unnecessary End-User interaction during Credential issuance, as the key to which the Credential will be bound does not necessarily need to perform signature operations. Additional proof types MAY be defined and used. From 9ca0347a54e1e31f1e98560a6f68e2a7d23045ef Mon Sep 17 00:00:00 2001 From: Joseph Heenan Date: Wed, 11 Jun 2025 13:53:51 +0100 Subject: [PATCH 3/3] Mention use of one attestation for multiple keys to resolve Kristina's feedback --- openid-4-verifiable-credential-issuance-1_0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-4-verifiable-credential-issuance-1_0.md b/openid-4-verifiable-credential-issuance-1_0.md index 3800bd56..552718c0 100644 --- a/openid-4-verifiable-credential-issuance-1_0.md +++ b/openid-4-verifiable-credential-issuance-1_0.md 
@@ -922,7 +922,7 @@ There are two ways to convey key attestations (as defined in (#keyattestation)) - The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession for one of the attested keys and adds the key attestation in the JOSE header. - The Wallet uses the `attestation` proof type in the Credential Request to provide a key attestation without a proof of possession of any of the keys. -Depending on the Wallet's implementation, the `attestation` may avoid unnecessary End-User interaction during Credential issuance, as the key to which the Credential will be bound does not necessarily need to perform signature operations. +Depending on the Wallet's implementation, the `attestation` may avoid unnecessary End-User interaction during Credential issuance, as the key(s) to which the Credential(s) will be bound does not necessarily need to perform signature operations, and one key attestation can be used to attest multiple keys. Additional proof types MAY be defined and used.
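Review bot: In PATCH 1/3, the new first bullet says the `jwt` proof is a proof of possession "for one of the attested keys" but leaves open what that proof means for the other keys carried in the same key attestation. The second bullet is explicit that the `attestation` proof type comes "without a proof of possession of any of the keys"; the first bullet would benefit from the same explicitness, for example by stating that the remaining attested keys are covered by the key attestation only, or by pointing to (#keyattestation) for how the Credential Issuer is expected to treat them.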
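Review bot: In PATCH 3/3, the replaced sentence has a number mismatch after pluralisation: "the key(s) to which the Credential(s) will be bound does not necessarily need" should read "do not necessarily need". The appended clause "and one key attestation can be used to attest multiple keys" is a separate fact from the End-User interaction rationale, so it would read more clearly as its own sentence or in the introductory sentence about conveying key attestations. The sentence also still says "the `attestation` may avoid"; writing "the `attestation` proof type" would match the wording of the two bullets above it.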