
Requirement around key_attestations_required with attestation proof type is not clear

Open jogu opened this issue 1 month ago • 3 comments

Current text says:

key_attestations_required: OPTIONAL. Object that describes the requirement for key attestations as described in Appendix D, which the Credential Issuer expects the Wallet to send within the proof(s) of the Credential Request. If the Credential Issuer does not require a key attestation, this parameter MUST NOT be present in the metadata.

Probably "within the proof(s)" should be "within or as the proof(s)" as I think it is intended to be able to use key_storage etc to set requirements for the attestation proof type, not just for attestations within the jwt proof type.

But also these two are semantically equivalent:

    "proof_types_supported": {
      "attestation": {
        "proof_signing_alg_values_supported": [
          "ES256"
        ],
        "key_attestations_required": {}
      }
    },

    "proof_types_supported": {
      "attestation": {
        "proof_signing_alg_values_supported": [
          "ES256"
        ]
      }
    },

(in that in both cases the wallet is required to send a key attestation)

and probably both are valid by my reading of the spec. It'd be useful to get other people's interpretations as otherwise we probably need to test both forms in the conformance tests.

jogu, Nov 11 '25 23:11

In our implementation, both the examples you provided will have the same handling for the attestation key type.

For jwt proof type though the second one (imagining it has jwt instead of attestation) would not result in a key attestation being included on the wallet side or it being required on the issuer side.

TimoGlastra, Nov 12 '25 12:11

@TimoGlastra that's also how I currently implemented it in the conformance testsuite.

thomasdarimont, Nov 12 '25 12:11

@TimoGlastra that would be my interpretation as well.

c2bo, Nov 17 '25 18:11
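The reading the comments above converge on, written out as an added example (not code from the specification, the conformance suite, or any implementation mentioned in the thread). The function name `key_attestation_policy`, the sample labels, and the `key_storage` value are constructed for illustration; the rule encoded is the commenters' interpretation, not normative text.

```python
import json

# Constructed sample metadata: the two "attestation" forms from the issue,
# plus two "jwt" variants. The outer labels are hypothetical.
SAMPLES = json.loads("""
{
  "attestation_empty_object": {
    "attestation": {
      "proof_signing_alg_values_supported": ["ES256"],
      "key_attestations_required": {}
    }
  },
  "attestation_absent": {
    "attestation": {"proof_signing_alg_values_supported": ["ES256"]}
  },
  "jwt_with_requirement": {
    "jwt": {
      "proof_signing_alg_values_supported": ["ES256"],
      "key_attestations_required": {"key_storage": ["iso_18045_high"]}
    }
  },
  "jwt_absent": {
    "jwt": {"proof_signing_alg_values_supported": ["ES256"]}
  }
}
""")


def key_attestation_policy(proof_types_supported):
    """Return {proof_type: (attestation_required, constraints)}.

    Interpretation from the thread (an assumption, not spec text):
    - "attestation": the proof itself is a key attestation, so one is
      always required; key_attestations_required only adds constraints.
    - any other proof type (e.g. "jwt"): a key attestation is required
      only when key_attestations_required is present, even if empty.
    """
    policy = {}
    for proof_type, params in proof_types_supported.items():
        kar = params.get("key_attestations_required")
        if kar is not None and not isinstance(kar, dict):
            raise ValueError(f"{proof_type}: key_attestations_required must be an object")
        required = True if proof_type == "attestation" else kar is not None
        policy[proof_type] = (required, kar or {})
    return policy
```

An issuer-side check that treats the empty-object and absent forms differently for `attestation` would diverge from this reading, which is why the issue raises testing both forms.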