From 2bd938bd48b0581a47c056992251198fd09f8130 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Tue, 16 Jul 2024 16:30:42 +0200 Subject: [PATCH] Additional clarifications about WP checks with WI This PR adds clarifications about how the wallet provider should check the mobile application wallet instance using the OS API, it takes parts of https://github.com/italia/eudi-wallet-it-docs/pull/303 --- docs/en/wallet-attestation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/wallet-attestation.rst b/docs/en/wallet-attestation.rst index 78c0fa9eb..1cb54d68a 100644 --- a/docs/en/wallet-attestation.rst +++ b/docs/en/wallet-attestation.rst @@ -15,7 +15,7 @@ The following requirements for the Wallet Attestation are met: - The Wallet Attestation MUST use the signed JSON Web Token (JWT) format; - The Wallet Attestation MUST give all the relevant information to attests the **integrity** and **security** of the device where the Wallet Instance is installed. - The Wallet Attestation MUST be signed by the Wallet Provider that has authority over and that is the owner of the Wallet Solution, as specified by the overseeing registration authority. This ensures that the Wallet Attestation uniquely links the Wallet Provider to this particular Wallet Instance. -- The Wallet Provider MUST ensure the integrity, authenticity, and genuineness of the Wallet Instance, preventing any attempts at manipulation or falsification by unauthorized third parties. +- The Wallet Provider MUST ensure the integrity, authenticity, and genuineness of the Wallet Instance, preventing any attempts at manipulation or falsification by unauthorized third parties. The Wallet Provider MUST also verify the Wallet Instance by using the App Store vendor's API, for Android is *Play Integrity API* and for iOS is *DeviceCheck*, these services are defined in this specification as **Device Integrity Service (DIS)**. - The Wallet Attestation MUST have a mechanism in place for revoking the Wallet Instance, allowing the Wallet Provider to terminate service for a specific instance at any time. - The Wallet Attestation MUST be securely bound to the Wallet Instance ephemeral public key. - The Wallet Attestation MAY be usable multiple times during its validity period, allowing for repeated authentication and authorization without the need to request new attestations with each interaction.