Nonce endpoint when making multiple calls to the credential endpoint #413
Comments
That seems the current expectation, yes. #394 (and the associated PR) are suggesting some tweaks in that area.
there is this sentence in section 12.5 that I hope clarifies the question:
closing in a week, unless objections
@Sakurann, regarding the sentence you quoted from section 12.5, how is the nonce related to a specific wallet? Is it accurate to say that
@andprian but it is a specific wallet that is interacting with the issuer in each session, right..?
I guess what is being asked (might be wrong) is whether you need to bind the nonce to a specific wallet session after its first use? Previously in our implementation we generated the nonce for a specific session, but with the new unauthenticated nonce endpoint this is not possible beforehand. So you then have two choices for how to implement this:
Only one wallet will get the specific nonce from the nonce endpoint, so it's more about a malicious attack I guess?
Yes, @TimoGlastra that is exactly my point. The statement in section 12.5 might lead one to believe that only one wallet would be able to use a nonce, while I don't see a technical binding there. First of all I would like to know what we intend to have. Is it a stateless nonce or a stateful nonce, as you very well put it.
Previously when requesting multiple credentials from a credential issuer the flow we used is that every credential response contained a new nonce for the next request.
With the new nonce endpoint that doesn't seem possible, so from a server/wallet implementation perspective I'm curious: when you want to request issuance of, say, 5 different credential types (so 5 requests to the credential endpoint), would you do:
In this case all credentials would be requested within the nonce's active timeframe (so not expired). Is it ok for the "number used once" to be used for multiple requests?
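To make the two options discussed in this thread concrete, here is an added, constructed issuer-side sketch (not code from the OpenID4VCI specification or from any wallet or issuer project). It models a nonce handed out by an unauthenticated nonce endpoint, which therefore cannot be tied to a session at issue time, and then validates it under one of two assumed policies: `single_use`, where the first credential request consumes the nonce, and `session_bound`, where the first credential request binds the nonce to the presenting session and later requests from that same session may reuse it until it expires. The class names, policy names, TTL and session identifiers are all assumptions chosen for the illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed example: an in-memory nonce registry for a credential issuer.
# Two validation policies are modelled (names are assumptions, not spec terms):
#   "single_use"    - the first credential request consumes the nonce.
#   "session_bound" - the first credential request binds the nonce to the
#                     presenting session; that session may reuse it until
#                     expiry, any other session is rejected.


@dataclass
class NonceRecord:
    issued_at: float
    bound_session: Optional[str] = None  # set on first use under session_bound
    uses: int = 0


class NonceRegistry:
    def __init__(self, policy: str, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        if policy not in ("single_use", "session_bound"):
            raise ValueError("unknown policy: %r" % policy)
        self.policy = policy
        self.ttl = ttl_seconds
        self.clock = clock
        self._store: Dict[str, NonceRecord] = {}

    def issue(self) -> str:
        # Unauthenticated nonce endpoint: nothing is known about the caller,
        # so the record is stored with only its issue time.
        nonce = secrets.token_urlsafe(32)
        self._store[nonce] = NonceRecord(issued_at=self.clock())
        return nonce

    def validate(self, nonce: str, session_id: str) -> Tuple[bool, str]:
        """Check a nonce presented on a credential request from session_id."""
        rec = self._store.get(nonce)
        if rec is None:
            return False, "unknown nonce"
        if self.clock() - rec.issued_at > self.ttl:
            del self._store[nonce]          # expired: drop it so it cannot linger
            return False, "expired"
        if self.policy == "single_use":
            del self._store[nonce]          # consumed on first use
            return True, "consumed"
        # session_bound: bind on first use, then allow reuse from that session only
        if rec.bound_session is None:
            rec.bound_session = session_id
        elif rec.bound_session != session_id:
            return False, "bound to another session"
        rec.uses += 1
        return True, "accepted (use %d)" % rec.uses


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def run_scenarios() -> Dict[str, object]:
    """Walk through the cases raised in the thread and return the outcomes."""
    results: Dict[str, object] = {}
    clock = FakeClock()

    # Five credential requests from one session within the nonce's timeframe.
    reg = NonceRegistry("session_bound", ttl_seconds=300.0, clock=clock)
    n = reg.issue()
    results["five_requests_same_session"] = [reg.validate(n, "wallet-A")[0] for _ in range(5)]
    # A different session presenting the same nonce is refused.
    results["other_session"] = reg.validate(n, "wallet-B")
    # After the TTL the original session is refused too.
    clock.now += 301.0
    results["after_expiry"] = reg.validate(n, "wallet-A")

    # Single-use policy: only the first of two requests succeeds.
    reg2 = NonceRegistry("single_use", clock=clock)
    n2 = reg2.issue()
    results["single_use"] = [reg2.validate(n2, "wallet-A")[0] for _ in range(2)]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

Under `single_use` the wallet needs a fresh nonce for each of the five credential requests (the pattern the issue describes for the old per-response nonce), while `session_bound` lets one nonce cover all five within its timeframe at the cost of keeping per-nonce state on the issuer. The thread's question of whether the second pattern is acceptable for a "number used once" is a policy decision; the code only shows what each policy enforces.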