Skip to content

Commit

Permalink
update few pages
Browse files Browse the repository at this point in the history
  • Loading branch information
@BastienLopez
BastienLopez committed Oct 10, 2024
1 parent 0be6696 commit a92c53d
Show file tree
Hide file tree
Showing 10 changed files with 320 additions and 174 deletions.
127 changes: 125 additions & 2 deletions docs/wallet-provider-backend/ssi-data.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,126 @@
# SSI Data
# SSI parameters

Manage and store Self-Sovereign Identity (SSI) data securely within the wallet provider backend.
This section allows an advanced user (admin) to specify the SSI profile of the wallets.

## Choose an SSI Profile or configure your own

This option allows admin to select a predefined ecosystem profiles or to define his own profiles through the tuning of parameters. Here is below the main features of the predefined profiles:


| Profiles | VC format | OIDC4VCI | DID | Key |
| :---------- | ------------------------ | ---------- | :-------- | ------- |
| Default | ldp_vc | 11 | did:key | EdDSA |
| EBSI V3.x | jwt_vc | 11 | did:key | P-256 |
| EBSI V4.0 | jwt_vc_json, sd-jwt vc | 13 | did:key | P-256 |
| DIIP V2.1 | jwt_vc_json | 13 | did:jwk | P-256 |
| DIIP V3.0 | sd-jwt vc | 13 | did:jwk | P-256 |

If admin chooses to define its own SSI profile, he must select set the following options:

## Wallet identifier

it can be any one of the DID methods of the list ([did:key](https://w3c-ccg.github.io/did-method-key/), [did:jwk](https://github.com/quartzjer/did-jwk/blob/main/spec.md)) associated to one of the types of keys available (EdDSA, P-256 or seck256k1). For EBSI the did:key method is specific, see specification [here](https://hub.ebsi.eu/vc-framework/did/natural-person).

* cnf,
* did:key with EdDSA key,
* did:key with EBSI encoding and P-256 key,
* did:key with secp256k1 key,
* did:key with P-256 key,
* did:jwk with P-256 key

In case of the EUDI Architecture Reference Framework - ARF, choose the `cnf` option as the wallet identifier.

### OID4VCI Client Type

The client type affects how the wallet authenticates and interacts with the authorization server during credential issuance.

* **did:** Decentralized Identifier, typically used for secure, decentralized identity interactions,
* **urn:ietf:params:oauth:** Used when the subject is identified via a JWK thumbprint,
* **confidential:** For confidential clients that require secure and private interaction with the authorization server.

In case of the EUDI Architecture Reference Framework - ARF, choose the `**urn:ietf:params:oauth` option.

### Cryptographic Holder Binding

* **Yes (default):** Keeps cryptographic binding enabled, ensuring that credentials are cryptographically tied to the holder, providing higher security,
* **No:** Disables cryptographic binding, allowing credentials to be bound without cryptographic proofs for claim binding for instance.

In case of the EUDI Architecture Reference Framework - ARF, choose the `Yes` option.

Learn more about crypto binding [here](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-claims-based-binding-of-the).

### Scope parameters

Scope parameters define the specific scope of the credential inside the authorization request request. If scope is not used, wallet will use an authorization details object.

Enabling scope parameters provides more granular control over the credential issuance process.

In case of the EUDI Architecture Reference Framework - ARF, choose the `scope` option.

Learn more about scope [here](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-using-scope-parameter-to-re).

### Client Authentication Method

Select one authentication method among the following ones:

* **None:** No authentication required.
* **Client ID:** Identifies the client with a unique ID,
* **Client Secret Basic:** Sends ID and secret in the HTTP header,
* **Client Secret Post:** Sends ID and secret in the request body,
* **Wallet Attestation:** Proves authenticity via attestation,

In case of the EUDI Architecture Reference Framework - ARF, choose the `wallet attestation` option.

Learn more about authentication method [here](https://www.rfc-editor.org/rfc/rfc6749#section-2.3).

### Choosing a VC Format

Select the VC format:

* **ldp_vc:** W3C verifiable credentials using Linked Data Proofs.
* **jwt_vc:** EBSI compatible credentials in JWT format.
* **jwt_vc_json:** Structured JSON format with JWT flexibility.
* **jwt_vc_json-ld:** Linked data support with JWT.
* **vc+sd-jwt:** Selective disclosure for privacy in JWTs.
* **auto:** Auto-selects the format depending on issuer metadata.

**auto** means the wallet displays all formats.

In case of the EUDI Architecture Reference Framework - ARF, choose the `vc+sd-jwt` option.

Learn more about VC format [here](https://www.w3.org/TR/vc-data-model/).

### OIDC4VCI Proof Type

The proof type determines how the wallet proves its key ownership when presenting credentials.

* **jwt:** Uses JWT to prove key ownership.
* **ldp_vp:** Verifiable Presentation with linkedin data proof.

In case of the EUDI Architecture Reference Framework - ARF, choose the `jwt` option.

Learn more about proof type [here](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types).

### Proof of Possession Headers

This setting determines what data to include in the header of the JWT proof type.

* **kid:** Key ID, used to identify the key in the proof of possession.
* **jwk:** JSON Web Key, representing the key in a structured format for proof of possession.

In case of the EUDI Architecture Reference Framework - ARF, choose the `jwk` option.

### Push Authorization Request (PAR)

PAR is an advanced feature that enhances security during the authorization process by ensuring the integrity of the request.

* **Yes:** Push authorization requests to the server,
* **No:** Uses traditional redirect for authorization requests.

In case of the EUDI Architecture Reference Framework - ARF, choose the `Yes` option.

Learn more about PAR [here](https://datatracker.ietf.org/doc/html/rfc9126).

### Status List Cache

The Status List cache duration controls how long the wallet stores status lists used to verify credentials (e.g., revoked or valid). Adjusting this duration can balance performance with up-to-date information.
29 changes: 12 additions & 17 deletions docs/wallet-provider-backend/support.md
View file
Original file line number Diff line number Diff line change
@@ -1,38 +1,33 @@
# Support

Access the support resources available for managing and troubleshooting the wallet provider backend.
## Chat and Notification for Talao and Altme Wallets users with Matrix

# Chat and Notification Setup for Talao and Altme Wallets
[Matrix.org](https://matrix.org/) is an open-source, decentralized, end-to-end encrypted messaging protocol. Unlike centralized services such as WhatsApp, Slack, or Telegram, Matrix ensures privacy and avoids using private, centralized services. Currently, there are over 1,000 Matrix servers. Talao operates its own server, dedicated to the authentication of its wallets

Matrix.org is an open-source, decentralized, end-to-end encrypted messaging protocol. Unlike centralized services such as WhatsApp, Slack, or Telegram, Matrix ensures privacy and avoids using private, centralized services. Currently, there are over 1,000 Matrix servers. Talao operates its own server, dedicated to the authentication of its wallets.
For more information about Matrix, you can visit:

To create chat and notification accounts, follow these steps:
- [Matrix Clients](https://matrix.org/ecosystem/clients/)
- [Matrix Servers](https://servers.joinmatrix.org/)

## Step 1: Installing a Web or Smartphone Client Application
There are many Matrix client applications available. You can find a list [here](https://matrix.org/ecosystem/clients/).

There are many Matrix client applications available. You can find a list [here](https://matrix.org/ecosystem/clients/). We recommend using the Element client, which is one of the most popular options. Element is available on iOS and Android smartphones, as well as on various web platforms like Windows and Linux. You can download it from this [Element page](https://matrix.org/ecosystem/clients/element/).
We recommend using the [Element Client](https://matrix.org/ecosystem/clients/element/), which is one of the most popular options. Element is available on iOS and Android smartphones, as well as on various web platforms like Windows and Linux. You can download it from this [Element page](https://matrix.org/ecosystem/clients/element/).

## Step 2: Creating an Account for Chat
To configure Talao Chat and Notification with Element, follow the 3 steps below:

### Step 1: Creating an Account for Chat

Once you install the Element client, create an account on a public server, such as [matrix.org](https://matrix.org), or any other public server. You can view a list of available servers [here](https://servers.joinmatrix.org/). After completing this step, you will have a chat address in the format `@my_name:matrix.org`, assuming you use the matrix.org server.

## Step 3: Creating a Public Room for Notifications
### Step 2: Creating a Public Room for Notifications

In Element, select the option to create a public room, and enter a name for your room. If you use the matrix.org server, you will receive a room address in the format `#my_room:matrix.org`. Please ensure that the room is set to "public," not "private."

## Step 4: Entering Information on the Wallet Provider Backend
### Step 3: Entering Information on the Wallet Provider Backend

In the wallet provider backend, go to the **Support** page and enter your chat and notification addresses in forms **7.2** and **7.5**. Save the configuration.

## Using Chat and Notifications

If you already have a wallet, update your configuration to enable chat and notifications.

- **For Chat**: You will receive an invitation in your Element client app from each wallet using your configuration. Accept the invitation, and you can privately and anonymously communicate with the wallet user in a private room. All messages are end-to-end encrypted, and you can exchange both text and images.

- **For Notifications**: Any messages you post in your notification room will be sent to all wallets. Note that users cannot reply to these messages.

For more information, you can visit:
- [Matrix Clients](https://matrix.org/ecosystem/clients/)
- [Matrix Servers](https://servers.joinmatrix.org/)
- [Element Client](https://matrix.org/ecosystem/clients/element/)
35 changes: 34 additions & 1 deletion docs/wallet/developer-mode.md
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,36 @@
# Developer Mode

Learn about the developer mode of the Talao wallet for advanced testing and customization.
The developer mode allow any technical users to get internal information about the wallet data and logic. It modifies the display of verifiable credentials and it provides data of the wallet calls and responses.

The developer mode can be removed from the settings menu of the wallet through the Wallet Provider Backend.

Below are all the wallet features which are enhanced or modified in the developer mode.

## Display of verifiable credentials

Verifiable credentials are displayed in their original form as json-ld or jwt. For jwt users have an access to the header and payload of the credentials. For sd-jwt vc, jwt are displayed with all disclosures decoded.

## Display of the wallet instance attestation

If the wallet is used with the wallet provider backend the developer mode gives access to the wallet instance attestation which is displayed on the main screen of the wallet.

## Verifiable credentials status and validity

In case of signature failure or invalid status, the reasons of the problems are provided in details.

## Protocol flow

After scanning an OIDC4VC QR code a popup proposes to users to:

* display the QR code data and the OpeinID issuer metadata,
* download this information as a text file,
* skip to bypass.

Within the OIDC4VCI flow, the wallet proposes to display or download the data received from:

- the token endpoint,
- the credential endpoint.

## Display of errors

In case of an error response from issuers or verifiers, users have an access to the `error_description` data returned.
48 changes: 48 additions & 0 deletions docs/wallet/getting_started.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# Getting Started

Download the Talao or Altme wallet from the Apple store or Google Play Store.

The links to download the wallets are:

* [Altme Google store](https://play.google.com/store/apps/details?id=co.altme.alt.me.altme&hl=en-US&pli=1)
* [Altme Apple store](https://apps.apple.com/fr/app/altme-wallet/id1633216869)
* [Talao Google store](https://play.google.com/store/apps/details?id=co.talao.wallet&hl=fr)
* [Talao Apple store](https://apps.apple.com/fr/app/talao-wallet/id1582183266?platform=iphone)

Setup the PIN code if it is the first install.

## Get a proof of email

Let's get a proof of an email address:

1. Open the wallet app,
2. From main screen clic on **DISCOVER** in the bottom bar,
3. Clic on **Proof of email**, clic on **GET THIS CARD**,
4. Follow the process, enter your email, enter the secret code received by email,
5. Choose the wallet installed Altme or Talao,
6. **Allow** access to domain talao.io,
7. **Select** the credential you consent to collect,
8. Clic on **MY WALLET** in the bottom bar

You have now your first verifiable credential, if you clic on the "card" you will get an access to the data of the credential. This credential has been issued by an issuer managed by Talao. The set of data has been signed by Talao after checking the value of the code. It is a proof of the ownership of an email address as a verifiable credential signed by Talao.

## Get a proof of age (over 18)

Let's get a proof of age with an instant pictrure:

1. From main screen clic on **DISCOVER** in the bottom bar,
2. clic on **Proof of over 18**, clic on **GET THIS CARD**,
3. clic on **Quick photo of you (1 min)**
4. follow the process,
5. clic on **MY WALLET** in the bottom bar

You have now a proof of age. The age verification has been provided by our partner [Yoti thanks to an AI](https://www.yoti.com/business/age-verification/). This credential has been issued by an issuer managed by Talao. It is a proof of age as a verifiable credntial signed by Talao.

## Present a proof age

Let's now present this proof of age to the age verification tool setup by our partner [Werify](https://werify.eu/):

1. Clic [here]([https://staging.werify.eu/#/werify_point_kiosk/attempt+ideology+glamorous+varsity+spelling](https://staging.werify.eu/#/werify_point_kiosk/attempt+ideology+glamorous+varsity+spelling)),
2. scan the QR code with the wallet scanner.

You have used your credential to prove your age. This tools is a verifier managed by Werify.
3 changes: 0 additions & 3 deletions docs/wallet/overview.md
View file

This file was deleted.

10 changes: 5 additions & 5 deletions docs/wallet/setup_wallet.md
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Wallet the setup
# Wallet setup

The wallets Talao and Altme can be directly downloaded from the Google or Apple stores but they can also be installed and configured in different ways for extended services.

Expand Down Expand Up @@ -33,14 +33,14 @@ In this case users must first download the wallet from the store then scan the Q
* standard users : they have a login/password and they are managed through the wallet provider backend. They can be suspended or even revoked if needed. They also have a personal access to the wallet provider backend to manage their own account,
* guest: they have no login/password, it is a public access to your onboard unknown users

**It is the best solution to deploy your wallet to employees or to a limited and known group of people.**
**It is the best solution to deploy your wallet to a group of known people.**

### Download and configure the wallet in one step with an installation link

In this case the link allowed your users to install the wallet to their device with a specific configuration defined in the wallet provider backend. The installation link is in the form of:

* https://app.talao.co/install?password=guest&login=guest@identinet&wallet-provider=https://wallet-provider.talao.co or
* https://app.altme.io/install?password=guest&login=guest@identinet&wallet-provider=https://wallet-provider.talao.co
* `https://app.talao.co/install?password=guest&login=guest@identinet&wallet-provider=https://wallet-provider.talao.co `or
* `https://app.altme.io/install?password=guest&login=guest@identinet&wallet-provider=https://wallet-provider.talao.co``

The installation link is only available for guests.

Expand All @@ -51,7 +51,7 @@ The installation link is only available for guests.
Like any other smartphone app, user must initialize their wallet first. 2 options are proposed:

* import an account : users have previously saved their private keys through a passphrase in this app or in another wallet. they can recover their private keys,
* create an account: for new users
* create an account: for new users.

They will be then asked to choose their mean of authentication as a PIN code, a biometric or both to get a more secure 2 factors authentication. If a PIN code is chosen, confirmation will be requested.

Expand Down
Loading

0 comments on commit a92c53d

Please sign in to comment.