Architecture whitepaper

[tkuhrt]

No description provided.

[davidejalexander]

Excellent document at first review. My only observations is to strengthen the message is that it is implementation independent so things like wholly based cloud wallets are in scope and any number of other form factors we don't even know about yet but will come e.g. embedded in a car, a physical thing that is a cloud wallet not on a mobile etc.

[bj-ms]

Thanks Tracy for that explicit document! Here my comments on device bound credentials, the verifiable data registry and the trust registry.

First point, from my point of view, governmental identity credentials will rely heavily on device bound credentials and I would propose to describe the case of device bound credentials or proof of ownerships.

Second point, I'm missing the definition of a verifiable data registry and a clear separation between the duties of a VDR and a trust registry. There are a lot of different interpretations who should do what and it would be importance to describe it.

For example for me, a VDR should be there to enable the verification of the identity of an public ecosystem actor but should also host the status of issued credentials to create a functional ecosystem. A trust registry is build on top of it to add the trust to the ecosystem. Approve ecosystem actors, credential schemas and other trust related topics.

Hope that helps!

[bj-ms]

Totally agree with that principle but I fear that it could be misinterpreted that specific hardware feature should not be used. Thinking about TEEs, HSMs and proof of ownership (device bound credentials)

[tkuhrt]

Any suggestions for re-wording? It is definitely not the intent to limit the use of TEEs/HSMs, but rather trying to ensure that we have the ability to switch in libraries that support different hardware.

[bj-ms]

Maybe something like "Design the wallet in such a way that it is not bound to specific hardware, making it interoperable with various technological contexts."?

After re-reading it, I think the risk of misinterpreting the sentence is really minimal. Both option work for me.

[bj-ms]

Depends on the definition of core functionalities but that point could clash with architecture reference frameworks like the EU ARF which enforce device bound wallet attestations and PID credentials.

[tkuhrt]

Thanks for the feedback. I understand what you are saying. I am not sure that I know exactly how to resolve this comment. Let me think on this. If anyone has suggestions on improving the phrasing here, please let me know.

[bj-ms]

Verifiable data registries only mentioned but not described what they do.

[tkuhrt]

This entire section is about things that already exist that could be used as enablers for implementation. We may want to consider describing all of these items. What do you think?

[bj-ms]

Not sure if everything needs to be described but i would say that the idea of having a Verifiable Data Registry and a Trust Registry is universally accepted but the separation of duty between both depend on the interpretation.

The other points are transport protocols, APIs to interacts with actors, interop profiles, etc. for me they seem to be on a deeper technical level than a architectural view of a universal wallet. What the wallet need is to be designed to be multi-stack based and to easily add new protocols, APIs in the future.

I like to compare the current wallet situation with the early days of browser where competiting specifications were implemented in browsers and the more dominant / futureproof specification survived the years.

[stefan-kauhaus]

Thanks Tracy, that's an impressive first take. The paper defines two authentication use cases (which are very relevant), 1/ authenticate to access your wallet and 2/ use your wallet to authenticate towards another service. Hence, I'd suggest that under Technology Enablers we also list FIDO2 next to OAuth/OIDC.

[tkuhrt]

Thanks Tracy, that's an impressive first take. The paper defines two authentication use cases (which are very relevant), 1/ authenticate to access your wallet and 2/ use your wallet to authenticate towards another service. Hence, I'd suggest that under Technology Enablers we also list FIDO2 next to OAuth/OIDC.

Added. Thank you for the feedback.