5.4 Protection against Credential Replay Attacks and VP Lifetime #47

Closed
9 of 28 tasks
bluesteens opened this issue May 10, 2023 · 0 comments · Fixed by #83
Labels
documentation Improvements or additions to documentation Steering - FYI Technical or internal change. Not necessary for Steering to review.

bluesteens commented May 10, 2023

for Steering

There is seemingly superfluous and misleading information in the section that deals with replay attacks pointing to a prior design decision. In addition, this wording adds no value for auditors or implementers and may cause confusion. Suggest removal of the para in question and clarification for implementers.


Observation

  1. The first para in section 5.4 justifies a design decision made in the past:

It was decided by OCI members not to use the verifiable presentation approach employing a nonce created by the verifier as developed in the pilot phase, but instead to use a JWT with a given lifetime that then defines the expiration date/time of the JWT.

  2. There is an error code with "nonce" in its label.

The field nonce of the decoded JWT is concluded to not contain a valid UUID Version 4 Format as specified in [RFC4122].
vp_nonce_invalid

Issues

  • The wording ("nonce") in 5.4 and error label seem to conflict at first glance and especially for a reader who does not know anything about the pilot version. The nonce usage in the pilot was different from the use of the corrUUID in the current nonce field. Strictly, the note about the decision to not use nonces is factually wrong. We could say we're not actively checking against it as a 'challenge response' process, but we definitely use it and respect the field.
  • The OCI spec doesn't explain that the correlation UUID should end up in the VP at all. We should explain that it should be mapped to the nonce field in there.

Suggestion
The simplest solution is to remove the 1st para in 5.4. and add a clear requirement for the corrUUID to be added to the VP nonce field.
The design justification may be communicated elsewhere but seems superfluous, even counterproductive, in a conformance document whose purpose is to state the current requirements.


  • Is Issue appropriate for OCI Architecture
  • Create Steering-level Summary of request
  • Assign Size
  • Assign Priority
  • Assign Label (if needed)
  • OCI affected Artifacts Identified
  • Assign Triage - Artifact Version Target (v x.x.x Milestone)
  • Assign Triage - Interop Profile Version Target (v x.x.x Milestone)
  • Create sub-project (if needed)

Affected Parties (help determine Sunrise/Sunset):

  • Trading Partners
  • Issuers
  • Wallet Solutions
  • PI Verification Solutions

Affected OCI Artifact

  • Schema Document
  • Identity Schema
  • ATP Schema
  • Issuer Conformance Criteria
  • Wallet Conformance Criteria
  • VRS Solution Conformance Criteria
  • Wallet API Specification
  • Governance Document
  • Conformance Program
  • OCI Website
  • Internal Process

Change Category (Guides Steering Review)

- Steering/Industry Review

  • Business-Level (May affect business operations)
  • OCI Governance, Policy or website feature

- Steering/Industry Notification

  • Technical-Level (Does not affect business operations)
  • OCI Internal Process or Infrastructure
@bluesteens bluesteens added the documentation Improvements or additions to documentation label May 10, 2023
@rceleste125 rceleste125 added the Steering - FYI Technical or internal change. Not necessary for Steering to review. label Jul 17, 2023
@bluesteens bluesteens self-assigned this Aug 16, 2023
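
The two checks this issue discusses for a VP JWT, as a verifier-side sketch: the `nonce` field must hold a UUID version 4 (reported as `vp_nonce_invalid`), and the JWT lifetime bounds how long a captured VP can be replayed. This is an added example, not text from the issue or the OCI specification; it assumes `nonce` and `exp` are top-level claims and that the signature was verified beforehand, and the `example_*` labels and `make_sample_token` are hypothetical.

```python
import base64
import json
import time
import uuid

VP_NONCE_INVALID = "vp_nonce_invalid"  # error label quoted in the issue
VP_MALFORMED = "example_vp_malformed"  # hypothetical label, not from the spec
VP_EXPIRED = "example_vp_expired"      # hypothetical label, not from the spec


def is_uuid_v4(value):
    """True only for the canonical hyphenated RFC 4122 version 4 form."""
    if not isinstance(value, str):
        return False
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    # uuid.UUID also accepts braces, urn: prefixes and bare hex, so compare
    # against the canonical rendering to reject those spellings.
    return parsed.version == 4 and str(parsed) == value.lower()


def check_vp_jwt(token, now=None):
    """Return (error_label, nonce) for a VP JWT whose signature is already verified."""
    now = time.time() if now is None else now
    try:
        segment = token.split(".")[1]
        # JWT segments are unpadded base64url; restore padding before decoding.
        claims = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except (IndexError, ValueError):
        return VP_MALFORMED, None
    if not isinstance(claims, dict):
        return VP_MALFORMED, None
    nonce = claims.get("nonce")  # assumed to be a top-level claim
    if not is_uuid_v4(nonce):
        return VP_NONCE_INVALID, None
    exp = claims.get("exp")  # standard JWT expiry claim, seconds since epoch
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        return VP_EXPIRED, None
    return None, nonce  # nonce carries the correlation UUID for the caller


def make_sample_token(claims):
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'ES256'})}.{enc(claims)}.placeholder-signature"
```

The returned nonce is handed back for correlation only; the sketch does not compare it against a verifier-issued challenge, matching the issue's statement that the field is respected but not used as a challenge-response check.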
Projects
Status: Done - Published
2 participants