Add Security Considerations

selfissued · selfissued · commit c7bd14d5d47d · 2026-02-15T11:31:45.000-08:00
diff --git a/connect/openid-federation-wallet-1_0-05.html b/connect/openid-federation-wallet-1_0-05.html
@@ -1365,35 +1365,38 @@ <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
             <p id="section-toc.1-1.9.1"><a href="#section-9" class="auto internal xref">9</a>.  <a href="#name-implementation-consideratio" class="internal xref">Implementation Considerations for Offline Flows</a></p>
 </li>
           <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
-            <p id="section-toc.1-1.10.1"><a href="#section-10" class="auto internal xref">10</a>. <a href="#name-iana-considerations" class="internal xref">IANA Considerations</a></p>
+            <p id="section-toc.1-1.10.1"><a href="#section-10" class="auto internal xref">10</a>. <a href="#name-security-considerations" class="internal xref">Security Considerations</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
+            <p id="section-toc.1-1.11.1"><a href="#section-11" class="auto internal xref">11</a>. <a href="#name-iana-considerations" class="internal xref">IANA Considerations</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.1">
-                <p id="section-toc.1-1.10.2.1.1"><a href="#section-10.1" class="auto internal xref">10.1</a>.  <a href="#name-oauth-parameters-registry" class="internal xref">OAuth Parameters Registry</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.1">
+                <p id="section-toc.1-1.11.2.1.1"><a href="#section-11.1" class="auto internal xref">11.1</a>.  <a href="#name-oauth-parameters-registry" class="internal xref">OAuth Parameters Registry</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.1.2.1">
-                    <p id="section-toc.1-1.10.2.1.2.1.1"><a href="#section-10.1.1" class="auto internal xref">10.1.1</a>.  <a href="#name-dcql_queries" class="internal xref">dcql_queries</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.1.2.1">
+                    <p id="section-toc.1-1.11.2.1.2.1.1"><a href="#section-11.1.1" class="auto internal xref">11.1.1</a>.  <a href="#name-dcql_queries" class="internal xref">dcql_queries</a></p>
 </li>
                 </ul>
 </li>
             </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
-            <p id="section-toc.1-1.11.1"><a href="#section-11" class="auto internal xref">11</a>. <a href="#name-acknowledgements" class="internal xref">Acknowledgements</a></p>
 </li>
           <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12">
-            <p id="section-toc.1-1.12.1"><a href="#section-12" class="auto internal xref">12</a>. <a href="#name-normative-references" class="internal xref">Normative References</a></p>
+            <p id="section-toc.1-1.12.1"><a href="#section-12" class="auto internal xref">12</a>. <a href="#name-acknowledgements" class="internal xref">Acknowledgements</a></p>
 </li>
           <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13">
-            <p id="section-toc.1-1.13.1"><a href="#section-13" class="auto internal xref">13</a>. <a href="#name-informative-references" class="internal xref">Informative References</a></p>
+            <p id="section-toc.1-1.13.1"><a href="#section-13" class="auto internal xref">13</a>. <a href="#name-normative-references" class="internal xref">Normative References</a></p>
 </li>
           <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14">
-            <p id="section-toc.1-1.14.1"><a href="#appendix-A" class="auto internal xref">Appendix A</a>.  <a href="#name-notices" class="internal xref">Notices</a></p>
+            <p id="section-toc.1-1.14.1"><a href="#section-14" class="auto internal xref">14</a>. <a href="#name-informative-references" class="internal xref">Informative References</a></p>
 </li>
           <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15">
-            <p id="section-toc.1-1.15.1"><a href="#appendix-B" class="auto internal xref">Appendix B</a>.  <a href="#name-document-history" class="internal xref">Document History</a></p>
+            <p id="section-toc.1-1.15.1"><a href="#appendix-A" class="auto internal xref">Appendix A</a>.  <a href="#name-notices" class="internal xref">Notices</a></p>
 </li>
           <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.16">
-            <p id="section-toc.1-1.16.1"><a href="#appendix-C" class="auto internal xref"></a><a href="#name-authors-addresses" class="internal xref">Authors' Addresses</a></p>
+            <p id="section-toc.1-1.16.1"><a href="#appendix-B" class="auto internal xref">Appendix B</a>.  <a href="#name-document-history" class="internal xref">Document History</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.17">
+            <p id="section-toc.1-1.17.1"><a href="#appendix-C" class="auto internal xref"></a><a href="#name-authors-addresses" class="internal xref">Authors' Addresses</a></p>
 </li>
         </ul>
 </nav>
@@ -2375,30 +2378,40 @@ <h2 id="name-implementation-consideratio">
 <p id="section-9-5">Using short-lived Trust Chains ensures compatibility with required revocation administrative protocols, such as those defined in a legal framework. For example, if a revocation must be propagated in less than 24 hours, the Trust Chain should not be valid for more than that period.<a href="#section-9-5" class="pilcrow">¶</a></p>
 </section>
 </div>
-<div id="iana-considerations">
+<div id="security-considerations">
 <section id="section-10">
+      <h2 id="name-security-considerations">
+<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
+      </h2>
+<p id="section-10-1">The security considerations in
+<span>[<a href="#OpenID.Federation" class="cite xref">OpenID.Federation</a>]</span>, <span>[<a href="#OpenID4VP" class="cite xref">OpenID4VP</a>]</span>, and <span>[<a href="#OpenID4VCI" class="cite xref">OpenID4VCI</a>]</span>
+apply to this specification.<a href="#section-10-1" class="pilcrow">¶</a></p>
+</section>
+</div>
+<div id="iana-considerations">
+<section id="section-11">
       <h2 id="name-iana-considerations">
-<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
+<a href="#section-11" class="section-number selfRef">11. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
       </h2>
 <div id="oauth-parameters-registry">
-<section id="section-10.1">
+<section id="section-11.1">
         <h3 id="name-oauth-parameters-registry">
-<a href="#section-10.1" class="section-number selfRef">10.1. </a><a href="#name-oauth-parameters-registry" class="section-name selfRef">OAuth Parameters Registry</a>
+<a href="#section-11.1" class="section-number selfRef">11.1. </a><a href="#name-oauth-parameters-registry" class="section-name selfRef">OAuth Parameters Registry</a>
         </h3>
-<p id="section-10.1-1">This specification registers the following parameter in the IANA "OAuth Parameters" registry <span>[<a href="#IANA.OAuth.Parameters" class="cite xref">IANA.OAuth.Parameters</a>]</span> established by <span>[<a href="#RFC6749" class="cite xref">RFC6749</a>]</span>.<a href="#section-10.1-1" class="pilcrow">¶</a></p>
+<p id="section-11.1-1">This specification registers the following parameter in the IANA "OAuth Parameters" registry <span>[<a href="#IANA.OAuth.Parameters" class="cite xref">IANA.OAuth.Parameters</a>]</span> established by <span>[<a href="#RFC6749" class="cite xref">RFC6749</a>]</span>.<a href="#section-11.1-1" class="pilcrow">¶</a></p>
 <div id="dcql-queries">
-<section id="section-10.1.1">
+<section id="section-11.1.1">
           <h4 id="name-dcql_queries">
-<a href="#section-10.1.1" class="section-number selfRef">10.1.1. </a><a href="#name-dcql_queries" class="section-name selfRef">dcql_queries</a>
+<a href="#section-11.1.1" class="section-number selfRef">11.1.1. </a><a href="#name-dcql_queries" class="section-name selfRef">dcql_queries</a>
           </h4>
 <ul class="compact">
-<li class="compact" id="section-10.1.1-1.1">Name: <code>dcql_queries</code><a href="#section-10.1.1-1.1" class="pilcrow">¶</a>
+<li class="compact" id="section-11.1.1-1.1">Name: <code>dcql_queries</code><a href="#section-11.1.1-1.1" class="pilcrow">¶</a>
 </li>
-            <li class="compact" id="section-10.1.1-1.2">Parameter Usage Location: authorization request, client metadata, and in <code>openid_credential_verifier</code> entity metadata as defined by this specification.<a href="#section-10.1.1-1.2" class="pilcrow">¶</a>
+            <li class="compact" id="section-11.1.1-1.2">Parameter Usage Location: authorization request, client metadata, and in <code>openid_credential_verifier</code> entity metadata as defined by this specification.<a href="#section-11.1.1-1.2" class="pilcrow">¶</a>
 </li>
-            <li class="compact" id="section-10.1.1-1.3">Change Controller: OpenID Foundation AB/Connect Working Group - openid-specs-ab@lists.openid.net<a href="#section-10.1.1-1.3" class="pilcrow">¶</a>
+            <li class="compact" id="section-11.1.1-1.3">Change Controller: OpenID Foundation AB/Connect Working Group - openid-specs-ab@lists.openid.net<a href="#section-11.1.1-1.3" class="pilcrow">¶</a>
 </li>
-            <li class="compact" id="section-10.1.1-1.4">Reference: Additional OpenID Credential Verifier Metadata Parameters section of this specification<a href="#section-10.1.1-1.4" class="pilcrow">¶</a>
+            <li class="compact" id="section-11.1.1-1.4">Reference: Additional OpenID Credential Verifier Metadata Parameters section of this specification<a href="#section-11.1.1-1.4" class="pilcrow">¶</a>
 </li>
           </ul>
 </section>
@@ -2408,23 +2421,24 @@ <h4 id="name-dcql_queries">
 </section>
 </div>
 <div id="acknowledgements">
-<section id="section-11">
+<section id="section-12">
       <h2 id="name-acknowledgements">
-<a href="#section-11" class="section-number selfRef">11. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
+<a href="#section-12" class="section-number selfRef">12. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
       </h2>
-<p id="section-11-1">We would like to thank the following individuals for their comments, ideas, and contributions to this implementation profile and to the initial set of implementations:
+<p id="section-12-1">We would like to thank the following individuals for their comments, ideas, and contributions to this implementation profile and to the initial set of implementations:
 Leif Johansson,
 Stefan Liström,
 Francesco Antonio Marino,
 Eduardo Perottoni,
+Samuel Rinnetmäki,
 Giada Sciarretta,
 and
-Niels van Dijk.<a href="#section-11-1" class="pilcrow">¶</a></p>
+Niels van Dijk.<a href="#section-12-1" class="pilcrow">¶</a></p>
 </section>
 </div>
-<section id="section-12">
+<section id="section-13">
       <h2 id="name-normative-references">
-<a href="#section-12" class="section-number selfRef">12. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
+<a href="#section-13" class="section-number selfRef">13. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
       </h2>
 <dl class="references">
 <dt id="I-D.ietf-oauth-status-list">[I-D.ietf-oauth-status-list]</dt>
@@ -2437,7 +2451,7 @@ <h2 id="name-normative-references">
 <dd class="break"></dd>
 <dt id="OpenID.Federation">[OpenID.Federation]</dt>
       <dd>
-<span class="refAuthor">Ed., R. H.</span>, <span class="refAuthor">Jones, M. B.</span>, <span class="refAuthor">Solberg, A.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Marco, G. D.</span>, and <span class="refAuthor">V. Dzhuvinov</span>, <span class="refTitle">"OpenID Federation 1.0"</span>, <time datetime="2026-01-29" class="refDate">29 January 2026</time>, <span>&lt;<a href="https://openid.net/specs/openid-federation-1_0.html">https://openid.net/specs/openid-federation-1_0.html</a>&gt;</span>. </dd>
+<span class="refAuthor">Ed., R. H.</span>, <span class="refAuthor">Jones, M. B.</span>, <span class="refAuthor">Solberg, A.</span>, <span class="refAuthor">Bradley, J.</span>, <span class="refAuthor">Marco, G. D.</span>, and <span class="refAuthor">V. Dzhuvinov</span>, <span class="refTitle">"OpenID Federation 1.0"</span>, <time datetime="2026-02-15" class="refDate">15 February 2026</time>, <span>&lt;<a href="https://openid.net/specs/openid-federation-1_0.html">https://openid.net/specs/openid-federation-1_0.html</a>&gt;</span>. </dd>
 <dd class="break"></dd>
 <dt id="OpenID.Registration">[OpenID.Registration]</dt>
       <dd>
@@ -2485,9 +2499,9 @@ <h2 id="name-normative-references">
 <dd class="break"></dd>
 </dl>
 </section>
-<section id="section-13">
+<section id="section-14">
       <h2 id="name-informative-references">
-<a href="#section-13" class="section-number selfRef">13. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
+<a href="#section-14" class="section-number selfRef">14. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
       </h2>
 <dl class="references">
 <dt id="IANA.OAuth.Parameters">[IANA.OAuth.Parameters]</dt>
@@ -2543,6 +2557,8 @@ <h2 id="name-document-history">
  different situations.<a href="#appendix-B-3.8" class="pilcrow">¶</a>
 </li>
         <li class="compact" id="appendix-B-3.9">Added IANA Considerations registering the dcql_queries parameter.<a href="#appendix-B-3.9" class="pilcrow">¶</a>
+</li>
+        <li class="compact" id="appendix-B-3.10">Added Security Considerations.<a href="#appendix-B-3.10" class="pilcrow">¶</a>
 </li>
       </ul>
 <p id="appendix-B-4">-04<a href="#appendix-B-4" class="pilcrow">¶</a></p>
diff --git a/connect/openid-federation-wallet-1_0-05.md b/connect/openid-federation-wallet-1_0-05.md
@@ -840,6 +840,12 @@ The Entity that receives the data object including the JWT `trust_chain`, such a
 
 Using short-lived Trust Chains ensures compatibility with required revocation administrative protocols, such as those defined in a legal framework. For example, if a revocation must be propagated in less than 24 hours, the Trust Chain should not be valid for more than that period.
 
+# Security Considerations
+
+The security considerations in
+[@!OpenID.Federation], [@!OpenID4VP], and [@!OpenID4VCI]
+apply to this specification.
+
 # IANA Considerations
 
 ## OAuth Parameters Registry
@@ -860,6 +866,7 @@ Leif Johansson,
 Stefan Liström,
 Francesco Antonio Marino,
 Eduardo Perottoni,
+Samuel Rinnetmäki,
 Giada Sciarretta,
 and
 Niels van Dijk.
@@ -994,7 +1001,7 @@ Niels van Dijk.
           <author fullname="Vladimir Dzhuvinov">
             <organization>Connect2id</organization>
           </author>
-          <date day="29" month="January" year="2026"/>
+          <date day="15" month="February" year="2026"/>
         </front>
 </reference>
 
@@ -1040,6 +1047,7 @@ The technology described in this specification was made available from contribut
      OpenID4VP) so verifiers can publish multiple authorized queries for
      different situations.
    * Added IANA Considerations registering the dcql_queries parameter.
+   * Added Security Considerations.
 
    -04
 
