Topic Z - Device-bound Attestations #581
Replies: 2 comments
-
This was discussed at length in the OpenID DCP WG and we decided to add support for it since it was a topic that kept coming up in use-cases. In OpenID4VP, the RP can explicitly signal that a presentation is accepted without a proof of possession (see https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#name-requesting-presentations-wi). I do personally believe that these kinds of presentations can be useful when used in combined presentations (e.g., PID + some document about the same person, bound by name or similar attributes) and especially when combined with ZKP since in that case we can guarantee the freshness of the presentation even if the document is not device bound (or prove device binding using another credential like the PID and prove that these are linked without revealing the linking attributes). Credentials with a certain level of trust associated with them should probably always have some form of device binding, but I believe there is value in allowing presentations without such a binding, especially for the combined presentation cases.
-
Forcing device-bound attestations could lead to a potential risk in super long-living access tokens that are used to migrate to another smartphone or wallet. The chance that you can log in, register your PID, and have all credentials fetched automatically (like it's done with the Google account and the apps via the Play Store) is next to 0, because you will not be able to automate all authorization requests in the issuance process. As @c2bo mentioned, the device-bound requirement should be based on the use case and may be defined in the rulebook.
-
Description
Currently the ARF only assumes device-bound Attestations. Should this be extended to not-device-bound Attestations? What specific high-level requirements for not-device-bound Attestations should the ARF specify?
Planned publication discussion paper
20 August 2025
Link to discussion paper
Paper
Discussion close
Three weeks later.