Release Announcements Swiyu Public Beta

We would like to give an update about the latest releases in the different repositories. Since our first announcement we fixed some issues raised by the community as well as security findings from internal pentests. We also took further steps related to the Expand-Migrate-Contract pattern to avoid breaking changes. For a more detailed view please refer to the CHANGELOG in each repository.

swiyu wallet: Android Version 1.10.0; iOS Version 1.21.1

• Expand step for “vct” property in credential request (iOS)
• Fix: Credential offer URL decoded twice
• Fix: Wallet expects non-standard format property in credential response
• Fix: Holder binding jwt has a random aud
• Feature: Issuer Metadata not from Trust Registry

Please note: In an upcoming release we’ll proceed the contract step for “wallet must support specified cnf claim format for Android and iOS.

Beta Credential Service (BCS)

• A health check endpoint is available; it returns a response code 200 if the BCS is up and running
• When displaying a verification QR code on a mobile device, a button is displayed to directly open the verification URL in the swiyu app
• When requesting all attributes during verification, the nationality is now also displayed
• The BCS currently runs the version 2.0.1 of the swiyu generic issuer & generic verifier

DID Toolbox Version 1.6.0

• Support for DID Web + Verifiable History (did:webvh) v1.0 introduced
• Fix: Eliminate duplicate parsing

DID Resolver Version 2.3.0

• Fix: Perform strict domain and URL validation
• Security Fix: Possible DID resolution DoS
• Security Fix: Check DID log for conformity
• Feature: Added support for Key Pre-Rotation for did:webvh.
• Feature: Added support for DID Web + Verifiable History (did:webvh:1.0).

Generic Issuer (Version 2.0.2 on new swiyu-issuer repository)

• Upgraded to new DID Resolver Library version 2.0.1
• Expand step to support correct and incorrect “cryptographic_binding_methods_supported”
• Expand step for Providing openid metadata also under correct “/.well-known/oauth-authorization-server”
• Security Fix: Block disallowed disclosures
• Security Fix: Block disallowed claims
• Security Fix: Credential can be issued after expiration

We kindly ask you to migrate your components to the latest versions. In order to plan the contract step for “Token endpoint expected x-www-form-urlencoded” we created an issue to collect your feedback.

Generic Verifier (Version 2.0.2 on new swiyu-verifier repository)

• Expand step to handle malformed and correct “cnf” claim
• Security Fix: Unsecure serialization/deserialization

We kindly ask you to migrate your components to the latest versions in order to prevent breaking changes in the future.

Specifications

• Upcoming: Trust Protocol Version 1.0
• OID4VCI Version 1.0 has been published. We will plan the updates on our side and will announce the changes as soon as possible.