
[VC Security & Trust Document] Improve Security Requirement W-01 #14

@Macke

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/2016

Original Reporter: danielfett

Kristina Yasuda

2023-02-28

It should be explained why the focus is only on protocol and credential formats. Technically, entity identifiers (DIDs, JWK thumbprints, etc.) are not part of the credential format or protocol, but are a crucial part of security, no? If the entity identifier was considered part of the credential format, it should be explicit.

secure implementations of cryptographic algorithms, the use of secure random number generators, the secure use of hardware-based storage

I have only seen SD-JWT define some of these… W3C VCDM definitely does not, and not even the mDL spec itself mandates HW-based storage.

Something like "implement securely and correctly as required by a trust framework" would cover the introductory text better.
