Known issue: OpenID4VP Authorization Request x5c certificate validation through wallet-backend-server

[kkmanos]

In order for the wallet to validate the signed Authorization Request object using the x509_san_dns client_id_scheme, the wallet needs to also validate the chain with the trusted root CAs. Since there is no browser API exposing the hard-coded trusted root CAs, the current implemented alternative is to use the wallet-backend-server to fetch the trust chain and then to cross-validate the last certificate with the one on the x5c header of the signed Authorization Request.

As stated in another open github issue of the wwWallet project, the main goal of wwWallet is to prevent the wallet-backend-server from gaining information related with the transactions that wwWallet frontend is having with other actors (issuers, verifiers) to maintain user's anonymity.

Even though OpenID Federations would eliminate this requirement, there must be way to authenticate the verifier when the x509_san_dns client_id_scheme is used.

One possible solution is to provide the root CA certificates as hard-coded to the wallet-frontend, but this open issue targets to open the discussion for alternative approaches.