Description
I am integrating Client Attestation using WalletKit v0.19.2 and noticed the newly introduced function makeAttestationClient in OpenId4VciConfiguration.swift.
While implementing this flow, I have a few questions.
1️⃣ Wallet attestation creation without private key
In the following line:
let attestation = try await config.walletAttestationsProvider.getWalletAttestation(
key: dpopConstructor.jwk
)
Only the public key (JWK) is passed to walletAttestationsProvider.
However, in our implementation, the wallet attestation provider needs access to the private key to produce the attestation JWT.
Question:
Should getWalletAttestation(...) also receive the private key?
2️⃣ Reuse of DPoP constructor for client attestation
makeAttestationClient internally calls:
let dpopConstructor = try await makeDPoPConstructor(...)
This constructor:
- Generates or retrieves a DPoP key
- Returns a DPoPConstructor with jwk and private key
In this context:
- The key is used for client attestation, not for HTTP DPoP proofs
- The naming and reuse of DPoPConstructor is somewhat confusing, since no DPoP proof is created here
Question:
Is the reuse of the DPoP key intentional (i.e. same key for client attestation + DPoP) or would it make sense to:
- Decouple client-attestation key generation from DPoP, or
- Clarify this design decision in naming or documentation?
3️⃣ Secure Area support
Question:
Is it supported (or planned) to generate and store the client-attestation key inside Secure Area?
Regards,
Pankaj