Handshake protocol
1. Aim
The handshake protocol aims to provide a unified QR code that allows the user to choose the wallet to initiate an identity attribute exchange.
Initiation problem statement Initiation problem statement <$user> <$user> <$application_server> <$application_server> <$cell_phone_iphone_proportional> <$cell_phone_iphone_proportional> <$cell_phone_iphone_proportional> <$cell_phone_iphone_proportional> User User Relying Party or Issuer Relying Party or Issuer Wrong Wallet Wrong Wallet Right Wallet Right Wallet 1 access request 2 QR code to initiate wallet communication 3 user scans QR code 4 user has used wrong wallet to scan this QR code 5 user scans QR code with the right wallet 6 wallet can interpret the QR code copyright Condatis Group Limited Last Published: 04 March 2025 at 16:02 Classification: COMPANY CONFIDENTIAL 2. Approach
The approach:
Introduce a QR code that would work for every wallet, by applying a standardisation around a call-back to the initiating agent.
Introducing a wallet identification method on the call-back to produce a wallet specific initiation.
Handshake Approach Handshake Approach <$application_server> <$application_server> <$application_server> <$cell_phone_iphone_proportional> <$cell_phone_iphone_proportional> <$cell_phone_iphone_proportional> Initiating Service Initiating Service Wallet Wallet 1 generate QR code with "request uri" 2 capture QR code 3 extract "request URI" 4 request full request at "request URI" and identify wallet 5 generate full request based on identified wallet 6 return full request Continue SSI stack specific interaction ... copyright Condatis Group Limited Last Published: 04 March 2025 at 16:02 Classification: COMPANY CONFIDENTIAL 2.1 Initiation
Most wallet provider allow the QR code to contain a URL that allows the abstraction of a more complex initiation request that would make the QR code density too high.
This allows to unify the initiation QR code:
The proposal is to use a short URI in the QR code that points back to the requester based on the SIOP standard of abstracting the request into an uri.
https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter
Example Request
openid://?request_uri=[uri_to_full_request]
This now allows the wallet to query for the full request and by this identify itself to the stack.
Initiation with common QR code Initiation with common QR code <$user> <$user> <$application_server> <$application_server> <$cell_phone_iphone_proportional> <$cell_phone_iphone_proportional> User User Relying Party or Issuer Relying Party or Issuer Wallet Wallet 1 access request 2 QR code to initiate wallet communication "openid://? request_uri= [uri_to_full_request] " 3 user scans QR code 4 query for full request copyright Condatis Group Limited Last Published: 04 March 2025 at 16:02 Classification: COMPANY CONFIDENTIAL 2.2 Identification of wallets
We propose that the wallet is identifying itself to the URI hosing the full initiation request with the following:
Based on https://tools.ietf.org/html/rfc7231#section-5.3.2 the wallet adds accept to the http request to identify itself.
Accept = #( media-range [ accept-params ] )
Example:
Accept = application/json
The following agreements have already been taken:
Supplier
Wallet
mime type
Microsoft
Authenticator
application/jwt
Evernym
Connect.me
application/json
3 Resulting Flow
Handshake Protocol Handshake Protocol <$user> <$user> <$user> <$application_server> <$application_server> <$application_server> <$cell_phone_iphone_proportional> <$cell_phone_iphone_proportional> <$cell_phone_iphone_proportional> User User Relying Party or Issuer Relying Party or Issuer Wallet Wallet 1 access request 2 QR code to initiate wallet communication "openid://? request_uri= [uri_to_full_request] " 3 user scans QR code 4 query for full request Accept = [accepted-mime-type] 5 generate full request based on mime type 6 return request Continue SSI stack specific interaction ... copyright Condatis Group Limited Last Published: 04 March 2025 at 16:02 Classification: COMPANY CONFIDENTIAL