Sequence Diagram for Wallet Attestation acquisition
15
15
@@ -44,15 +44,15 @@ Below is a non-normative example of the ``client_data`` JSON object.
44
44
**Steps 8-10**: The Wallet Instance:
45
45
46
46
* produces an ``hardware_signature`` value by signing the ``client_data_hash`` with the Wallet Hardware's private key, serving as a proof of possession for the Cryptographic Hardware Keys.
47
-
* requests the Key Attestation API to create an ``key_attestation`` value linked to the ``client_data_hash``.
48
-
* receives a signed ``key_attestation`` value from the Key Attestation API, authenticated by the OEM.
47
+
* requests the Device Integrity Service to create an ``integrity_assertion`` value linked to the ``client_data_hash``.
48
+
* receives a signed ``integrity_assertion`` value from the Device Integrity Service, authenticated by the OEM.
49
49
50
-
.. note::
51
-
``key_attestation`` is a custom payload generated by Key Attestation API, signed by device OEM and encoded in base64 to have uniformity between different devices.
50
+
.. note::
51
+
``integrity_assertion`` is a custom payload generated by Device Integrity Service, signed by device OEM and encoded in base64 to have uniformity between different devices.
52
52
53
53
**Steps 11-12 (Wallet Attestation Issuance Request)**: The Wallet Instance:
54
54
55
-
* Constructs the Wallet Attestation Request in the form of a JWT. This JWT includes the ``key_attestation``, ``hardware_signature``, ``nonce``, ``hardware_key_tag``, ``cnf`` and other configuration related parameters (see :ref:`Table of the Wallet Attestation Request Body <table_key_binding_request_claim>`) and is signed using the private key of the initially generated ephemeral key pair.
55
+
* Constructs the Wallet Attestation Request in the form of a JWT. This JWT includes the ``integrity_assertion``, ``hardware_signature``, ``nonce``, ``hardware_key_tag``, ``cnf`` and other configuration related parameters (see :ref:`Table of the Wallet Attestation Request Body <table_key_binding_request_claim>`) and is signed using the private key of the initially generated ephemeral key pair.
56
56
* Submits the Wallet Attestation Request to the :ref:`wallet-provider-endpoint:Wallet Attestation Issuance endpoint` of the Wallet Provider Backend.
57
57
58
58
The Wallet Instance MUST send the signed Wallet Attestation Request JWT as an ``assertion`` parameter in the body of an HTTP request to the Wallet Provider's :ref:`wallet-provider-endpoint:Wallet Attestation Issuance endpoint`.
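Review bot: The renamed note under Steps 8-10 still describes ``integrity_assertion`` only as "encoded in base64", without saying which alphabet or padding applies. Because Steps 11-12 carry the value as a claim inside the Wallet Attestation Request JWT, the note should state whether plain base64 or base64url is expected so that every Wallet Provider decodes it the same way. The rename also has to be mirrored in the table referenced as ``table_key_binding_request_claim``, which is not among the visible hunks; if that table still lists ``key_attestation``, the request description and its claim table will disagree. Minor: "an ``hardware_signature``" in the first bullet should read "a ``hardware_signature``".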
@@ -64,7 +64,7 @@ The Wallet Instance MUST send the signed Wallet Attestation Request JWT as an ``
64
64
3. The ``nonce`` value MUST have been generated by the Wallet Provider and not previously used.
65
65
4. A valid and currently registered Wallet Instance associated with the provided MUST exist.
66
66
5. The ``client_data`` MUST be reconstructed using the ``nonce`` and the ``jwk`` public key. The ``hardware_signature`` parameter value is then validated using the registered Cryptographic Hardware Key's public key associated with the Wallet Instance.
67
-
6. The ``key_attestation`` MUST be validated according to the device manufacturer's guidelines. The specific checks performed by the Wallet Provider are detailed in the operating system manufacturer's documentation.
67
+
6. The ``integrity_assertion`` MUST be validated according to the device manufacturer's guidelines. The specific checks performed by the Wallet Provider are detailed in the operating system manufacturer's documentation.
68
68
7. The device in use MUST be free of known security flaws and meet the minimum security requirements defined by the Wallet Provider.
69
69
8. The URL in the ``iss`` parameter MUST match the Wallet Provider's URL identifier.
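Review bot: Item 6 leaves validation of ``integrity_assertion`` entirely to "the device manufacturer's guidelines", yet Steps 8-10 say the value is created "linked to the ``client_data_hash``" and nothing in this list requires the Wallet Provider to verify that link. Suggest adding an explicit MUST that the assertion is bound to the hash of the ``client_data`` reconstructed in item 5, so that an assertion produced for a different request is rejected. The same item refers to both the "device manufacturer" and the "operating system manufacturer", while Steps 8-10 say "OEM"; pick one term so it is clear whose documentation is normative. Item 4 ("associated with the provided MUST exist") also appears to be missing the name of the value it refers to.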