
Key Attestation (KA)

The Key Attestation (KA) is the part of the Wallet Unit Attestation (WUA) that attests the keys: the Wallet Provider signs a JWT (OpenID4VCI v1.0 Appendix D) listing the public keys it certifies are held in the WSCD (Wallet Secure Cryptographic Device), together with the security properties of that storage.

What is inside:

  • attested_keys: the array of public keys (JWKs) the Wallet Provider attests.
  • key_storage and user_authentication: the attested attack resistance of the key storage and of the user authentication mechanism, expressed on the ISO 18045 AVA_VAN scale (for example iso_18045_high).
  • x5c: the Wallet Provider signing certificate, which the verifier chains to the Wallet Provider Trusted List.

A single KA may list any number of keys, and the same structure is typed under two profiles:

  • key-attestation+jwt is the OpenID4VCI v1.0 media type (hyphenated).
  • keyattestation+jwt is how TS3 v1.5 types the same structure (no hyphen). TS3 also drops iss (identity comes from x5c), requires iso_18045_high for a WSCD, makes certification mandatory, and adds key_storage_status for revocation and a maintenance commitment.


A single KA can attest many keys at once. How those keys turn into credentials, and how many, is covered in Batch issuance.

Illustrative aid

The KA on this page is signed in your browser with the sample iGrant.io Wallet Provider key, so the encoded JWT verifies against the certificate in its x5c header. That certificate is a self-signed sample, not a trust anchor.