Secure Area Interface: add OpenID4VCI KeyAttestation format option

[paulbastian]

Secure Area Interface already defines a key attestation in X509 format. OpenID4VCI defined a key attestation in JWT format. Could we add this as a possible return option?

[davidz25]

I'm not fundamentally opposed to it but in my mind there's a separation of responsibilities here that this would violate. In my view we have the following actors

• W: The wallet provider who provides native wallet apps (Android, iOS, etc) along with a proprietary backend service.
• I: The issuer, who issues identity credentials to W.
• C: The Cloud Secure Area operator who provides Cloud HSM services to wallets

In some cases C and I are the same entity (perhaps with some level of barrier to prevent collusion), in other cases it's W and C, and in some cases they are completely separate.

I guess I'm trying to say that the logical actor to provide these key attestations would be the Wallet Backend. Thoughts?

That said, I'm not opposed to adding it as an option to the KeyAttestation class. The question here is how we would represent the attestation? We designed KeyAttestation so it's easily serializable so it would have to be something relatively lightweight that we can serialize into CBOR. Cc @sorotokin