Encrypted issuance and deferred issuance requests #157

@dtsiflit

Description

The following apply to issuance and deferred issuance requests:

  • Issuance requests must be encrypted by the spec provided here
  • Encryption must be done according to section 9.4 of the spec.
  • Investigate how compression can be applied to encrypted requests before encrypting, respecting zip_values_supported specified by the issuer.

For issuance and deferred issuance requests, the spec mentions the following:

Credential Request encryption MUST be used if the credential_response_encryption parameter is included, to prevent it being substituted by an attacker.

For this to happen, when the issuer includes credential_response_encryption in its metadata it must also provide credential_request_encryption. In other words, if the issuer supports encrypted responses it must advertise in metadata its capabilities for encrypted requests.

On the other hand, the spec does not seem to enforce response encryption when request encryption is required. It seems that credential_request_encryption can be advertised by the issuer without providing credential_response_encryption metadata.

  • Library should consider issuer metadata valid if credential_response_encryption is not included but credential_request_encryption is.
  • Library should consider issuer metadata as invalid if credential_response_encryption is included but no credential_request_encryption.
  • Requests (deferred or not) must be encrypted if the credential_response_encryption parameter is included in the request.
  • Requests (deferred or not) must be encrypted when issuer metadata have credential_request_encryption.encryption_required set to true

Based on section 9.4 of the spec, regarding the encryption algorithm, the following is specified:

The JWE alg algorithm used MUST be equal to the alg value of the chosen JWK.

This mandates that the JWKs used for encryption (either wallet generated or issuer advertised) must include an 'alg' attribute.

  • JWKs included in issuer's credential_request_encryption must be validated to have alg specified
  • JWKs generated from lib to be used for encryption must include the encryption algorithm in alg jwk attribute
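
The metadata validity rules and the "must encrypt" rules listed above, written as one check over issuer metadata. This is an added example, not code from the issue or from the library. The `jwks` member holding the issuer's keys, the choice of the first advertised key, and the names MetadataError, validate_encryption_metadata and request_encryption_key are assumptions.

```python
class MetadataError(ValueError):
    """Issuer metadata breaks one of the rules listed in the issue."""


def validate_encryption_metadata(metadata: dict) -> None:
    req = metadata.get("credential_request_encryption")
    resp = metadata.get("credential_response_encryption")
    # Response encryption without request encryption is invalid;
    # request encryption on its own is accepted.
    if resp is not None and req is None:
        raise MetadataError("credential_response_encryption present, "
                            "credential_request_encryption missing")
    if req is None:
        return
    # Assumption: the issuer's keys sit in a JWK Set under "jwks".
    keys = (req.get("jwks") or {}).get("keys") or []
    if not keys:
        raise MetadataError("credential_request_encryption has no JWKs")
    for index, jwk in enumerate(keys):
        alg = jwk.get("alg")
        if not isinstance(alg, str) or not alg:
            raise MetadataError(f"JWK #{index} has no 'alg'")


def request_encryption_key(metadata: dict, request: dict):
    """Return the JWK the request must be encrypted to, or None when
    neither rule forces encryption."""
    validate_encryption_metadata(metadata)
    req = metadata.get("credential_request_encryption")
    required = req is not None and req.get("encryption_required") is True
    wants_encrypted_response = "credential_response_encryption" in request
    if not (required or wants_encrypted_response):
        return None
    if req is None:
        raise MetadataError("request must be encrypted, but the issuer "
                            "advertises no request encryption keys")
    # Assumption: use the first advertised key; its "alg" is the JWE "alg".
    return req["jwks"]["keys"][0]


# Constructed sample metadata, not taken from a real issuer.
SAMPLE_KEY = {"kty": "EC", "kid": "constructed-1", "alg": "ECDH-ES"}
REQUEST_ONLY = {"credential_request_encryption": {
    "jwks": {"keys": [SAMPLE_KEY]}, "encryption_required": True}}
RESPONSE_ONLY = {"credential_response_encryption": {"encryption_required": False}}

if __name__ == "__main__":
    print(request_encryption_key(REQUEST_ONLY, {})["alg"])
```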
