Security Enforcement, AES256 Migration & Status List Gap Closure

Status: Draft
Published:
Effective:
Affected Components: Generic Issuer, swiyu Wallet
Internal Reference: EIDARTFE-1526, EIDARTFE-1564, EIDARTFE-1717, EIDARTFE-1726

This dossier bundles four related Issuer-side changes into a single migration wave. First, it enforces the security changes from swiss-profile-issuance 1.0 by enforcing Payload Encryption, and Signed Metadata, all of which are already implemented but currently only optionally supported under the EMC (Expand-Migrate-Contract) pattern. Second, it migrates encryption from AES128-GCM to AES256-GCM; following EMC, all components first accept both algorithms, with the Wallet required to support this ahead of the Issuer and Verifier. Third, it introduces the Issuerโ€™s role in Trust Protocol 2.0, including providing Trust Statements in Issuer Metadata. Fourth, it closes the remaining Status List gaps required for the swiyu 1.0 go-live, including ttl/exp handling and Status List validation. During the transition period, non-enforcing behavior continues to be accepted where noted; afterwards, non-compliant Issuers can no longer participate in the ecosystem.

Action required

โš ๏ธ Required soon ๐Ÿšจ Breaking ๐Ÿ†• Optional โœ… Improvement ๐Ÿž Fix

Generic Issuer

Version: 4.0.0
โš ๏ธ Add ttl/exp support when issuing Status List Tokens (JWT format).
โš ๏ธ Enforce correct usage of credential_configuration_id.
โš ๏ธ Enforce presence of the nonce_endpoint, credential_request_encryption, and credential_response_encryption metadata parameters.
๐Ÿšจ Enforce Credential Endpoint and the Deferred Credential Endpoint. Swiyu wallet will enforce this with a future release.
๐Ÿšจ Enforce credential_request_encryption and credential_response_encryption, reject unencrypted requests/responses where encryption is required, including for the Deferred Credential Request and Response. Swiyu wallet will enforce this with a future release.
๐Ÿšจ Enforce Signed Metadata on the Credential Issuer Metadata endpoint. Swiyu wallet will enforce this with a future release.

Supported after and should be deployed after the wallet version 1.17.0.
Must be in use until end of Q3 2026.

Migration steps

  1. Issuer can migrate to generic issuer 4.0.0.
  2. Contract phase: Payload Encryption and signed meta data become mandatory at the swiyu Wallet; non-conforming Issuers can no longer issue credentials to the swiyu Wallet.

Timeline

17.08.2026: Wallet-side 1.17 security enforced (payload encryption, Signed Metadata trust) requires the generic issuer 4.0.0.

Updated: