Handshake protocol
1. Aim
The handshake protocol aims to provide a unified QR code that allows the user to choose the wallet to initiate an identity attribute exchange.
Initiation problem statement User User Relying Party or Issuer Relying Party or Issuer Wrong Wallet Wrong Wallet Right Wallet Right Wallet 1 access request 2 QR code to initiate wallet communication 3 user scans QR code 4 user has used wrong wallet to scan this QR code 5 user scans QR code with the right wallet 6 wallet can interpret the QR code copyright Condatis Group Limited Last Published: 21 December 2023 at 14:42 Classification: COMPANY CONFIDENTIAL 2. Approach
The approach:
Introduce a QR code that would work for every wallet, by applying a standardisation around a call-back to the initiating agent.
Introducing a wallet identification method on the call-back to produce a wallet specific initiation.
Handshake Approach Initiating Service Initiating Service Wallet Wallet 1 generate QR code with "request uri" 2 capture QR code 3 extract "request URI" 4 request full request at "request URI" and identify wallet 5 generate full request based on identified wallet 6 return full request Continue SSI stack specific interaction ... copyright Condatis Group Limited Last Published: 21 December 2023 at 14:42 Classification: COMPANY CONFIDENTIAL 2.1 Initiation
Most wallet provider allow the QR code to contain a URL that allows the abstraction of a more complex initiation request that would make the QR code density too high.
This allows to unify the initiation QR code:
The proposal is to use a short URI in the QR code that points back to the requester based on the SIOP standard of abstracting the request into an uri.
https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter
Example Request
openid://?request_uri=[uri_to_full_request]
This now allows the wallet to query for the full request and by this identify itself to the stack.
Initiation with common QR code User User Relying Party or Issuer Relying Party or Issuer Wallet Wallet 1 access request 2 QR code to initiate wallet communication "openid://? request_uri= [uri_to_full_request] " 3 user scans QR code 4 query for full request copyright Condatis Group Limited Last Published: 21 December 2023 at 14:42 Classification: COMPANY CONFIDENTIAL 2.2 Identification of wallets
We propose that the wallet is identifying itself to the URI hosing the full initiation request with the following:
Based on https://tools.ietf.org/html/rfc7231#section-5.3.2 the wallet adds accept
to the http request to identify itself.
Accept = #( media-range [ accept-params ] )
Example:
Accept = application/json
The following agreements have already been taken:
Supplier
Wallet
mime type
Microsoft
Authenticator
application/jwt
Evernym
Connect.me
application/json
3 Resulting Flow
Handshake Protocol User User Relying Party or Issuer Relying Party or Issuer Wallet Wallet 1 access request 2 QR code to initiate wallet communication "openid://? request_uri= [uri_to_full_request] " 3 user scans QR code 4 query for full request Accept = [accepted-mime-type] 5 generate full request based on mime type 6 return request Continue SSI stack specific interaction ... copyright Condatis Group Limited Last Published: 21 December 2023 at 14:43 Classification: COMPANY CONFIDENTIAL