
How the Issuer verifies

Before it issues anything, the Issuer (a PID Provider or Attestation Provider) verifies both the Key Attestation and the proof of possession. The checks are similar in spirit across the two specifications but differ in the details, especially around trust establishment and revocation.

Step through each path below. Each step cites the clause it comes from.

OpenID4VCI verification

1. 📥 Receive the proof: take each JWT proof from the Credential Request proofs; require typ = openid4vci-proof+jwt and an asymmetric alg (never none). (OpenID4VCI Section 8.2)
2. ✍️ Validate the KA
3. 🔑 Match the signing key
4. 🔐 Verify proof of possession
5. 🛡️ Check key levels
6. ⛓️ Bind and issue

The gist

  • OpenID4VCI establishes trust in the KA through the key conveyed by x5c, kid or trust_chain, matches the proof's signing key against attested_keys, verifies the PoP signature, and checks nonce, aud and iat.
  • TS3 mandates that x5c chains to the Wallet Provider Trusted List, that the single proof verifies under attested_keys[0], that key security is iso_18045_high for a WSCD, and that key_storage_status is fresh (its exp at least 31 days ahead), re-checked across the credential's validity.
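The Issuer-side checks summarised above, as an added illustration that is not code from this page or from either specification. It works on already-parsed proof and KA claims (step 2, validating the KA itself, is assumed done by the caller); the claim names key_storage and key_storage_status (with an exp member), the 300-second iat window and the sig_ok callback (where a JOSE library would verify the signature) are assumptions.

```python
import hashlib
import json
from base64 import urlsafe_b64encode

MIN_KSS_DAYS = 31  # TS3: key_storage_status exp must be at least 31 days ahead

# Constructed sample: the P-256 public key from the RFC 7515 ES256 example.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an EC JWK, so keys compare by value, not by dict identity."""
    canon = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                       separators=(",", ":"), sort_keys=True).encode()
    return urlsafe_b64encode(hashlib.sha256(canon).digest()).rstrip(b"=").decode()

def verify_proof(header, claims, ka, *, expected_nonce, issuer_id, now, sig_ok, ts3=False):
    """Check one JWT proof against a validated KA; returns (ok, reason-or-bound-key).
    sig_ok(jwk) is the caller's signature verifier (assumed: a JOSE library call)."""
    # Step 1: expected typ and an asymmetric alg (never none, never HMAC).
    if header.get("typ") != "openid4vci-proof+jwt":
        return False, "unexpected typ"
    alg = header.get("alg")
    if not alg or alg == "none" or alg.startswith("HS"):
        return False, "alg must be asymmetric"
    # Step 3: the signing key must be in attested_keys; TS3 pins it to attested_keys[0].
    jwk = header.get("jwk")
    if jwk is None:
        return False, "proof carries no jwk"
    candidates = ka["attested_keys"][:1] if ts3 else ka["attested_keys"]
    if jwk_thumbprint(jwk) not in {jwk_thumbprint(k) for k in candidates}:
        return False, "signing key is not an attested key"
    # Step 4: proof of possession, then the claims binding it to this request.
    if not sig_ok(jwk):
        return False, "proof signature invalid"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if claims.get("aud") != issuer_id:
        return False, "aud mismatch"
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > 300:
        return False, "iat outside tolerated window"  # 300 s skew is an assumption
    # Step 5 (TS3): WSCD storage at iso_18045_high and a fresh key_storage_status.
    if ts3:
        if "iso_18045_high" not in ka.get("key_storage", []):
            return False, "key storage below iso_18045_high"
        if ka.get("key_storage_status", {}).get("exp", 0) - now < MIN_KSS_DAYS * 86400:
            return False, "key_storage_status expires too soon"
    # Step 6: hand back the attested key the credential will be bound to.
    return True, jwk_thumbprint(jwk)
```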

For the data behind these checks, build a KA and a proof on the Key Attestation and Proof of possession pages.

Illustrative aid

The steps summarise the cited clauses for teaching. Always verify against the specification text linked on References.