CDC-004 - Issuer Trust Protocol 2.0, Security Enforcements and Updates
Swiss Profile VC V1.0
Status: Draft
Published:
Effective:
Affected Components:
Internal Reference: EIDARTFE-1526, EIDARTFE-1726
This change closes all remaining Status List gaps against the current swiss-profile VC required for the swiyu 1.0 go-live. It introduces ttl/exp handling for Status List Tokens, mandatory validation rules on the Status Registry (JWT header typ, profile_version enforcement, expiry, and size constraints), configurable verifier tolerance for status-check failures, and caching of Status List Tokens according to their ttl/exp claims. Together these changes make the Status List implementation in the ecosystem ready for the swiyu 1.0 go-live.
Action required
Update the componets like follows.
Tag โ ๏ธ Required soon Tag ๐จ Breaking Tag ๐ Optional Tag โ Improvement Tag ๐ Fix
Generic Issuer
Version 3.
โ ๏ธ Add support for ttl and exp claims when issuing Status List Tokens, so that consumers can determine cache validity and expiry per the OAuth Status List draft, Status List Update Interval.
Generic Verifier
Version?
๐ Allow configuration of the degree to which a status verification may fail while still accepting a VC.
โ ๏ธ Implement caching of the Status List Token according to its ttl/exp claims, instead of re-fetching on every check.
๐จ Apply Validation Rules: if any status check fails, the Referenced Token SHOULD in most cases be rejected; verifiers configured to tolerate unknown state MAY deviate from this default.
Wallet
Version ?
Check App
Version ?
Status Registry
๐จ Reject Status List Token uploads where exp is missing or already expired; exp MUST be set on upload.
๐จ Enforce that the JWT header typ is statuslist+jwt
๐จ Enforce that the JWT header profile_version matches an allowed value. Implement this as a list of allowed profile versions (e.g. allowed_profile_versions.includes(JWTheader[โprofile_versionโ])) rather than a single hardcoded value, to support future EMC cases. For this dossier, the enforced value is swiss-profile-vc:1.0.0.
๐จ Reject Status Lists whose bit size is not evenly divisible into bytes (size-in-bits % 8 == 0)
๐จ Reject Status Lists whose decompressed size exceeds 200 KB
Migration steps
- Update Generic Issuer and Generic Verifier
- Make sure the exp and statuslist+jwt ist correctly configured.
Timeline
??